How To Comply With China's New Data Security Law: PIPL

In 2021, China brought in the country's first national-level data security law, marking a big shake-up for local businesses as well as international ones looking to expand into China. The Personal Information Protection Law (PIPL) prohibits the collection of personal or sensitive information by law and follows other countries' tightening of data protection laws, such as the European GDPR and the California Consumer Privacy Act (CCPA). As with any new legislation, expanding businesses have no choice but to get up to speed, and quickly. So, here's a brief guide on who the PIPL affects, what happens if you don't comply and how you can comply with China's new data security law.

Who does the PIPL affect?

As China's first country-wide data protection law, the PIPL will essentially affect everyone. But it will have a significant impact on businesses that reside in China as well as businesses that are looking to expand into China. All of these businesses and their relevant HR teams will have to be extra cautious when it comes to handling their employees' data. That's if they can get to grips with the intricacies of China's new data security law. The PIPL, as you might expect, comes with a heavy dose of legislation and information, all compiled into 74 articles in 8 chapters. Complying with China's new data security law will therefore take ample time and resources for businesses operating in China.

What are the consequences of not complying with PIPL?

Since its introduction in November 2021, Chinese authorities have been clamping down pretty hard on non-compliance with the PIPL. Firstly, any income that is associated with non-compliant data processing will be confiscated. If businesses refuse, it can result in fines of up to £5.7 million or 5% of your turnover, whichever is higher. In extreme cases, employees may even suspend your business operations. Those who are liable on an individual basis for data processing may also face penalty charges or may be suspended from their duties. 

How do I comply with China's new data security law?

With such critical consequences, it is vital that businesses comply with China's new data security law, something that's easier said than done. The 8 chapters in the PIPL essentially focus on:

  • General Provisions
  • Personal Information Processing Rules
  • Rules for Cross-Border Provision of Personal Information
  • Individuals’ Rights in Personal Information Processing Activities
  • Obligations of Personal Information Processors
  • Departments Performing Personal Information Protection Functions
  • Legal Liabilities
  • Miscellaneous Provisions

As with any data protection law, whether it be GDPR, CCPA, or now PIPL, understanding the terms, applying them to your specific circumstances and then complying can be challenging, to say the least. Not to mention the immense resources and time that complying can take. It is therefore vital that businesses have a dedicated team that has extensive experience in data protection, Chinese business practices and knowledge of the new PIPL to ensure compliance and avoid strict penalties. However, such an internal resource is hard to come by, especially at such short notice from when China's data protection law was introduced in August 2021 and if you are dealing with other legislative hurdles in global expansion. This is where a PEO comes in.

A global PEO, otherwise known as an EOR, has the resources, knowledge and experience to comply with China's data protection laws on your behalf. At Leap29, as your global recruitment and PEO partner, we can ensure complete compliance when handling employees' data, leaving you to focus on business expansion and the day-to-day running of your company.