On 9 October 2023, China’s Cybersecurity Administration Bureau of the Ministry of Industry and Information Technology (the “MIIT”) released the Implementation Rules for Data Security Risk Assessment in the Industry and Information Technology Sectors (Draft for Comments) (the “Rules”). The Rules aim to provide guidance to local industry regulators and data processors in the field of industry and information technology on conducting risk assessment (the “Risk Assessment”). In this article, we will delve into the key aspects of this document and shed light on the compliance implications.
BACKGROUND
Data security risk assessment has emerged as a critical step in ensuring data security. To address this need, the MIIT released the Rules, which clarify the key concepts and mechanisms within the data security assessment system in the industry and information technology sector.
Prior to the introduction of the Rules, Article 30 of the PRC Data Protection Law (the “DSL”) requires important data processors to conduct regular Risk Assessments of their data processing activities in accordance with regulations and submit the Risk Assessment reports to the relevant…
