China Cybersecurity Law vs GDPR
Doing business in a global marketplace means complying with a myriad of regulations across different jurisdictions. It’s a challenge, especially in the digital economy, where data and transactions flow across national borders. The large trading blocs (the United States, Europe and China) strive to tackle the latest issues and implement far-reaching policies, and for all three, cybersecurity has been a top priority.
Whether you’re conducting business in China, the European Union, Hong Kong or other jurisdictions, you should understand their emerging cybersecurity laws and how they could impact your operations.
Let’s have a look at the China Internet Security Law, or “Cybersecurity Law,” and the EU’s General Data Protection Regulation (GDPR).
China Internet Security Law
In recent years, the People’s Republic of China set out to enact cyberspace sovereignty by ensuring it has control of the networks, data and activities held within its territory. The result is the China Internet Security Law, commonly called “the Cybersecurity Law,” a broad framework of nearly 300 national standards ranging from information and communications technology (ICT) services to software, routers, switches and firewalls.
Yes, many of the standards are called “recommendations,” but international lawyers are already advising companies to treat them as legal requirements. They also caution that where the Chinese authorities have used vague language, they have deliberately left themselves the flexibility to enforce these standards strictly whenever they choose to.
Here are three key points growing businesses should know about this law.
1. The Cybersecurity Law applies to more than IT companies
The law refers to “network operators,” but that doesn’t mean just the IT industry. The law captures any organization that runs a network, so if you have a presence in China, you are probably captured by the law.
2. The Cybersecurity Law requires network operators to maintain data within China
Data on your China operations must be held within the country. Some companies are complying: Apple is transferring its China data from iCloud to a government-sponsored data company named Guizhou-Cloud Big Data. Others are not so quick to get onside: Skype and WhatsApp have refused to store their data locally and are either banned from operating in China or restrained from expanding further.
3. The Cybersecurity Law permits audits or spot-checks
A lot of the talk about China’s security law has focused on the potential for government audits or “spot checks.” Yes, it’s true. Under the security law, China can require companies to undergo invasive product reviews and even to disclose sensitive IP or source code.
The Chinese market is obviously expanding, but standards like these make China an increasingly difficult place for foreign firms to operate.
Let’s look at another cybersecurity law you should be aware of.
European Union GDPR
The European Union also introduced a new data privacy law in 2018: the General Data Protection Regulation, or “GDPR.” Enacted in May 2018, GDPR aims to protect the personal information of EU individuals.
There is a key difference between GDPR and the China Cybersecurity Law: while the Chinese law applies to network operators operating within China, GDPR aims to protect the data of EU individuals wherever that data may be held.
In other words, you needn’t be located in the EU to be captured by the law. If you’re holding personal data on an EU individual, whether a customer, prospect, employee or partner, then you must comply with the regulation.
While the regulation has 22 chapters and 91 articles, here are some of the key requirements that could impact your business.
1. Breach notification
Admitting you made a mistake, especially a breach of personal information, is hard to do. But it’s the law. If you experience a data breach, GDPR requires you to report it to the regulatory authorities within 72 hours.
2. Individual Rights and Consent
EU individuals now have the right to demand that their data be erased or kept up to date. Updating, revising or deleting data across many interconnected systems can be demanding.
3. Meeting Third-Party Arrangements
There may be times when you’re holding information for a third party. For example, let’s say your client is a bank with international customers, some of whom are EU individuals. Under the law, you’re responsible for holding that data to the GDPR standard. That’s a challenge: the third-party requirement has the potential to draw your company into long, drawn-out contracting processes.
GDPR also requires each organisation to designate a Data Protection Officer, or “DPO.” It needn’t be a new position; existing employees can become the DPO. If you’re a large firm, your CIO or network administrator can readily accommodate this new role. If you’re small, allocating this role requires more creativity when internal resources are stretched.
Ceterna Can Help
Each day the team at Ceterna works with companies operating in multiple jurisdictions and holding customer information from even more. Ceterna can help you navigate this myriad of regulatory requirements, and the challenges that come with moving into new jurisdictions, by expertly leveraging the highly adaptable Salesforce Platform.
Ceterna’s global reach allows us to provide sound advice on how to use Salesforce as a CRM alongside Chinese law and GDPR. Contact our Hong Kong office for a free consultation session today. Email firstname.lastname@example.org or call us on +85 260 885 152.