China's new data privacy law, the Personal Information Protection Law (PIPL), goes into effect on November 1st. Similar to the GDPR in Europe, the PIPL encompasses the protection of personal information inside and outside of China. In this context, the way your organisation handles sensitive conversations will be heavily affected by the characteristics of this new legislation.
If your organisation is already compliant with the GDPR, most of your data privacy compliance systems will work in China. However, certain requirements are unique to the PIPL:
Data localisation
The concept of data localisation refers to keeping the data of businesses within the borders of a country. The new Chinese laws make it nearly impossible to store and process data outside of China. Simply put, the data from your Chinese employees collected through your Whistleblowing Program must now be stored and processed on a server in China.
Local Case Managers
Since the personal information generated, collected and processed must stay within Chinese borders, your organisation will have to appoint a local representative to handle personal data collected in China. This Case Manager, or Critical Information Infrastructure Operator (CIIO), must be designated by the HQ/Parent company and will be in charge of collecting and processing the personal information of the employees based in China.
Standalone consent of data subjects
The law requires a controller to obtain the standalone consent of data subjects when processing sensitive personal data and when transferring personal data across borders. This can be done by adding a specific checkbox to gather consent during Report completion for someone reporting a matter in China.
Data Protection Impact Assessment
As under the GDPR, a DPIA is required by the PIPL under certain circumstances: cross-border transfer of personal data, contracting a third-party data processor, providing data to another controller and making personal data publicly available. Companies must designate a data controller, like the DPO in Europe, and conduct regular audits to verify the strength of the systems designed to ensure confidentiality.
To know how the PIPL will affect your business in detail, check out the first part of our series on the subject.
If you have identified that your organisation and Whistleblowing Program might be affected by this new legislation, or will be in the future, becoming compliant with the PIPL quickly is a priority. Get in touch with our team to learn how we can help.