China Law Library

Does China Law Require Data Privacy Impact Assessments?

The China Personal Information Protection Act requires a Data Protection Impact Assessment (DPIA) to be performed on data processing activities. DPIAs are an effective technique for risk prevention and mitigation, and the records they produce can be used in the event of a lawsuit or regulatory investigation.

While some businesses have been doing DPIAs since the statute was enacted in 2021, many are not doing them because of a lack of familiarity, capability, or awareness of their value. Businesses are usually averse to investing in unfamiliar compliance techniques. Nonetheless, the DPIA is a cornerstone of data law enforcement and is becoming increasingly important in the legal environment. This article will help businesses make informed decisions by introducing the basics of DPIAs, current trends, and how they can create value.

Contents

When a DPIA is Required

Language Barriers: What’s a PIPIA?

China Requires Both DPIA and Compliance Audits

Functions of a DPIA

How the DPIA Should Be Done

Assessment Action Items

When a DPIA is Required

Not all data processing activities require a DPIA; only high-risk processing activities are covered, in particular processing contexts that risk impacting personal data rights. China Personal Information Protection Act § 55(b) lists five contexts, each of which can trigger a DPIA requirement:

  • Processing sensitive personal information
  • Automated decision making involving personal data
  • Contracting a party to process data on your behalf, providing data to another party, or publishing it
  • Data export
  • Other data processing activities that significantly impact individual rights

Businesses involved in high-risk activities such as cross-border export, compliance auditing, or facial recognition must complete a DPIA before commencing data processing and retain the report and logs for a minimum of three years. A new DPIA must be promptly completed whenever the purpose, scope, type, or retention period of the processed data changes, or when a new risk to data subjects is encountered. Cross-border transfers of personal information always trigger the assessment requirement, even where the statute provides an exemption for the cross-border transfer itself. There is no waiver available for DPIAs.

The CAC Personal Information Protection Auditing Procedures make “whether a full DPIA was done” a central requirement in contexts involving contracting a data processor, automated decision making, and publication of sensitive information.

Merely doing a perfunctory DPIA constitutes a material compliance deficiency under China law, because the DPIA serves a risk management role, ensuring that processing activity is preceded by appropriate risk identification and mitigation, whereas compliance audits verify that these activities are being done correctly. Taken together, regulators see the two as a way to tell whether you are running a lawful business.

Technically, all facial recognition systems must have a DPIA done and retain logs, and a repeat assessment is required after every update and in the event of a cybersecurity incident. The same standards are also required under industry-specific regulations, such as those for shipping, banking, and education. Shipping companies that contract a third party to process shipping label data must have both their own security assessment and the contractor’s security assessment; otherwise they lose their safe harbor from liability.

Banks and insurance companies that transfer or share Chinese individuals’ financial information with third parties must have the processing risks assessed to determine whether they are compliant. An online platform that processes records for over one million users must regularly verify its data protection practices using a DPIA or an equivalent method. Executives should observe that the DPIA is a shield against litigation risk, reputational damage, and regulatory penalties; it is not merely a compliance requirement.

The only way to ensure data operations are efficient is to integrate DPIAs into product design, supply chain, and cross-border operations. Moreover, doing so can convince customers, business partners, and capital markets that your data processing activities are trustworthy and reliable.

Language Barriers: What’s a PIPIA?

Before we continue, let’s briefly clear up a language barrier between Mandarin Chinese and English. Some attorneys in China have invented a novel English phrase, “Personal Information Protection Impact Assessment” (PIPIA), owing to limited ability with English. There is a lot of made-up China-specific legalese and acronyms about this law such as PIPIA, PI Processor, PIPL, and Entrusted Processor, making otherwise familiar concepts seem mysterious.

However, the legislative history itself says this process is actually a Data Protection Impact Assessment building on European concepts, and the Chinese word xinxi in the Mandarin phrase is officially defined as “the symbols on which operations are performed by a computer,” which closely matches the definition of the English word “data.” The reason for making up misleading region-specific legalese is to get existing clients to pay more for professional advice, even when it is basic information that adds no genuine value.

China Requires Both DPIA and Compliance Audits

The China Personal Information Protection Act has different process requirements for DPIAs than for legal compliance audits. Audits for compliance with the Act are either § 54 internal audits, which must be performed regularly, or § 64 regulator audits, which are performed by a third-party firm and are mandated for high-risk operations or in response to a security incident. The Draft Rules require an internal audit every two years in general, but every year for controllers with data on over one million persons; it can be performed by an external firm or by company staff. A regulatory audit must be done by an independent professional services firm, and its audit opinion with corrective recommendations is reported to the regulatory agency.

These kinds of compliance audits look at past operations and help businesses identify unlawful practices that need to be fixed. You must retain copies of all audit and corrective action documentation sufficient to demonstrate adequate internal control, to be made available within China for randomized regulatory agency inspections. The DPIA, by contrast, is a preventative obligation mandatory for activities subject to § 55 of the Act, which must be performed by personal information processors to identify high-risk problems and implement measures to prevent risks before they occur. You must retain records covering both the assessment itself and the data processing activities. In sum, a personal information protection audit reviews existing practices, whereas a DPIA assesses possible future occurrences.

While a DPIA is technically mandatory, it can be consolidated to some extent with compliance audits despite some procedural differences, because both achieve the same aim of improving the business’s compliance capability.

The Personal Information Protection Compliance Audits Administrative Procedures § 25 address whether a DPIA should be used when auditing data processing, transfer, automated decision making, and disclosures, and direct auditors to consider whether a DPIA is being used. DPIA practices focus on the compliance capability of data processors in the specific use case that triggers a DPIA, and in theory that capability can be an assessment factor for whether auditing activities are needed at all; in the future, the law may explicitly link these two kinds of audits.

Functions of a DPIA

The DPIA is a central compliance technique in the China Personal Information Protection Act and has also been separately incorporated into regulations for specific industries. It is effective for reducing the risk of data law violations and serves as a preventative auditing technique that compares processing activities with the expectations expressed by the law and industry standards.

A DPIA finds potential data protection noncompliance problems so that the organization has a better understanding of what staff need to improve upon, which can reduce the risk of regulatory action and protect the business’s reputation. Aside from its value for China Personal Information Protection Act compliance, the DPIA technique reduces risks associated with personal data compliance generally. A DPIA can also enhance transparency into how the organization processes personal data.

An assessment within your China business entity can effectively bring together the executive team, operations, and legal to develop a shared understanding of the operations, thus proactively mitigating risks, especially when the business is deploying new technologies. Engaging a highly recognized third-party firm to perform a DPIA can improve the business’s reputation among the public in China and lower the risk of litigation over allegations of poor data protection. A DPIA can also lower the risk of the business being sued for privacy torts, because the Act § 69 provisions on civil dispute resolution establish a presumption that the business is liable for damages if it cannot show it was not at fault.

The Act § 66 provides a basis for issuing a regulatory penalty where “personal information is processed in violation of this Act, or personal information is processed without performing the personal information protection obligations of this Act.”

Under the Act § 63, the governmental data protection agency is empowered to enforce the law and provide oversight by conducting interviews, reviewing and copying documents, and performing site inspections. Here, the DPIA and the processing logs are important items of evidence proving that the organization is lawfully processing data. In the event of a dispute, these records will show that an effective DPIA was done and that action was taken to mitigate risks, and thus that a reduction or exemption of liability is warranted.

How the DPIA Should Be Done

The China DPIA process examines the lawfulness, necessity, and risks of the processes and purposes of personal data processing, its impacts on data subjects, and the adequacy of data security protections. The DPIA should start by identifying the relevant processing contexts and any statutory contexts, then identify the purpose and processing method, and determine whether the processing purpose and method are compatible with the context.

Next, the overall impact on data subject rights should be assessed, not merely within the processing context, but in light of the organization’s wider data protection environment, business governance, and compliance capabilities. Finally, examine whether the technical controls are adequate. The security protections must be assessed as two different layers: first the organizational layer, which looks at internal management policy, business processes, staff training, and emergency response capability, and second the data protection layer, which looks at data classifications, technical security measures, deidentification, and user permission configurations.

The process for performing a DPIA is detailed in a 2020 China national standard titled the Personal Information Security Impact Assessment Guidelines (GB/T39335-2020). The Guidelines contemplate two types of DPIA, an internal assessment and a regulatory assessment. An internal assessment is a DPIA done by the organization’s own staff or by a professional services firm it engages. A regulatory assessment is always provided by an outside professional services firm. (See Guidelines § 4.6.3)

In the legal theory espoused under the Act, all data controllers and processors must do a mandatory preventative assessment of their own accord. The statute has no rules providing that the Chinese government data protection agency can compel a controller or processor to complete a DPIA, because the DPIA is exclusively an internal compliance process done at the sole discretion of the business. Thus, the regulatory assessment described in the Guidelines should not be read as a procedure in which a regulatory agency initiates and conducts a DPIA of a business, because the DPIA has a different role to play from personal information protection compliance audits. A DPIA is meant to be a preventative measure, whereas a compliance audit judges whether a business is in compliance.

The role of regulatory oversight is to investigate the facts and correct violations through the investigatory process, whereas a DPIA is done at the behest of the business. Thus, the regulatory assessment described by the Guidelines is fundamentally an internal business process, ordered by the business entity, or in the case of a corporation, where a subsidiary entity is directed to do a DPIA.

Assessment Action Items

The first action item for a China DPIA according to the Guidelines is to designate a responsible person or department, which is accountable for the quality of the DPIA and therefore must be independent, insulated from pressure by whoever is being assessed. The business’s legal, compliance, or cybersecurity department can be the responsible department for the DPIA. A third-party firm may be engaged to perform the DPIA, but if the department has sufficient capabilities, it may do the work in-house. (See Guidelines §§ 4.4 and 5.2.1)

The subject of the assessment chosen by the responsible department can be a product, a business operation, or a business partnership. The second action item is for the China DPIA’s responsible department to perform a data mapping analysis of the subject in preparation for the assessment and to prepare two deliverables: a data inventory and a data mapping diagram. This will enable the team to identify the data processing activities related to the subject of the assessment. The Guidelines treat this as a due diligence risk assessment, recommending that organizations protect their brand by assessing any high-risk personal data processing activities. (See Guidelines §§ 4.5 and 5.1.3)

The third action item is for the assessment team to develop an assessment plan that describes how the data protection impact assessment report will be done, assigning responsibilities to each member of the team; the plan should account for the possibility that the use case being assessed may be terminated or canceled. (See Guidelines § 5.2.2)

A China DPIA primarily involves mapping data fields, identifying sources of risk, and looking for impacts on personal rights. The data mapping analysis considers the full data life cycle and identifies the types of data involved, the processing purpose, the specific technical implementation, the resources devoted to data processing, the physical systems involved, and associates such as vendors. The assessment can be kicked off once the data flows have been mapped. (See Guidelines § 5.3)

The assessment includes identifying sources of risk in order to determine whether the data processing has vulnerabilities that could cause a security incident. The Guidelines look at risks in terms of the network environment, technical measures, third parties involved, business model and scale, and security practices. (See Guidelines § 5.4.) The personal impact assessment examines whether the processing activities pose a risk to personal legal rights, and if so, what the nature of the risk is. The Guidelines divide individual impact into several dimensions: restraint on personal autonomy, disparate impact, loss of reputation, psychological harm, and injury to person or property.

The assessment must look at the context of the organization’s security objectives, consider how the processing activity shown in the data mapping analysis may harm personal legal rights, and also consider the impact if Chinese individuals’ data is breached, lost, or abused. The assessment considers harm to personal legal rights at the four stages described in the Guidelines, considering the data’s sensitivity, how processing is done, what the activities are, and what problems exist. Then an overall security risk analysis should be performed; it looks at whether the assessed data processing activity could lead to a violation of personal legal rights as a result of a security incident.

Compliance correction and assessment reports. Under the Guidelines, a DPIA focused on meeting the minimum legal compliance requirements should do a gap analysis on the existing security controls to see if there is a shortfall against the legal requirements. There are two approaches, one being a 360-degree compliance assessment, the other a targeted assessment. A 360-degree DPIA is a large-scale exercise involving in-depth review and a deep inquiry into all parts of the business enterprise, finding points of vulnerability and mitigation measures.

Following the China Personal Information Protection Act, an alternative approach is to do a targeted assessment with a smaller scope that focuses on the organization’s high-risk use cases. As noted above, the DPIA is closely linked to the data protection audit process, so one process can be adjusted based on the other. Accordingly, the Guidelines divide compliance gap analysis into overall compliance analysis and targeted compliance analysis.

Impact assessments are needed in the following contexts:

  • Routine annual risk assessment
  • Developing and launching new products
  • Major changes in regulations or your business model
  • Major cybersecurity incidents
  • Mergers and acquisitions

Collecting new kinds of data, changes in local regulations, or a change in how your system works may require a targeted assessment. The assessment results should be documented in compliance files and retained for future randomized inspection by regulators.

Conclusion

In China, the DPIA is an important data protection compliance process and strongly influences how an organization will protect personal information. It is the primary compliance strategy for online businesses under regulatory scrutiny. The DPIA provides a technical means of creating transparency that earns trust from outside parties and thus makes the business more competitive in its markets.

FURTHER READING

Data Processing Notice and Consent Regulation in China

Data Protection Compliance Audit Requirements in China