Compliance Briefing — September 1, 2021
China’s Data Security Law entered into force on 1 September 2021, requiring data classification, critical data inventories, and security assessments for cross-border transfers.
Executive briefing: The Data Security Law of the People’s Republic of China became effective on 1 September 2021. Organisations handling data in China must classify datasets, protect “important” and “core” data, and perform security assessments when providing data abroad.
Key compliance checkpoints
- Data classification. Establish tiered management distinguishing general, important, and core data with corresponding security controls.
- Critical infrastructure obligations. Operators of critical information infrastructure must store important data domestically and undergo security assessments for exports.
- Incident response. Implement reporting workflows for data security incidents and cooperate with state security authorities during investigations.
Operational priorities
- Cross-border governance. Map outbound data flows, confirm legal bases, and prepare for security assessments led by the Cyberspace Administration of China (CAC).
- Vendor oversight. Evaluate third parties processing Chinese data to ensure contractual obligations and localization controls align with the law.
- Internal controls. Update policies, access management, and monitoring around data lifecycle operations, including retention and destruction.
Enablement moves
- Deploy data discovery and classification tooling covering China-hosted systems.
- Stand up bilingual incident response playbooks referencing mandatory reporting timelines.
- Create cross-functional committees to track implementing regulations from the Cyberspace Administration of China.
Sources
- Data Security Law of the People’s Republic of China
- CAC notice on implementing the Data Security Law
Zeph Tech supports China-focused compliance programs with data classification frameworks, localization controls, and cross-border assessment tooling aligned to the Data Security Law.