China Personal Information Protection Law (PIPL): A New Take on GDPR?


Many people have heard of the GDPR (General Data Protection Regulation), legislation that became law across the EU in May 2018.  It was designed to regulate how businesses protect personal data, notably how personal data is processed, and granted rights to individuals to exercise more control over their personal data.

GDPR is a framework which requires businesses to implement processes to enable them to understand where data is held, how it is used, how long it is kept for, how this can be reported to individuals, and how they may request its correction or deletion.

A critical – and often misunderstood – aspect of GDPR is that it doesn’t just apply to EU businesses.  Any company in the world that stores information on EU citizens must adhere to the regulations; serious breaches can result in significant fines.  The fines levied on just the top five penalized companies since GDPR’s introduction run into the hundreds of millions of US dollars!  These regulations have teeth, so people pay attention to them.

Beyond GDPR’s own impact in protecting the rights of EU residents, perhaps its greatest legacy has been to increase expectations for how organizations handle personal data the world over. GDPR has set a new global standard, and we are seeing it serve as the model for a number of similar laws being mooted or passed by governments all over the world. With that in mind, how many businesses have heard of the PIPL (Personal Information Protection Law)?  In August 2021, the Standing Committee of the National People’s Congress, the top legislative body in the People’s Republic of China, voted for this law to take effect on Nov. 1, 2021.  It has many similarities to GDPR, a key one being that it also applies worldwide with respect to data held on Chinese citizens.  If your company is a multi-national corporation that deals with Chinese individuals, then it applies to you, no matter where your business is incorporated or headquartered.

Many of the processes you have in place for GDPR can likely be repurposed for PIPL; however, you will be looking for different data.  McAfee’s Data Protection products (MVISION Unified Cloud Edge, MVISION Cloud, Endpoint DLP, and Network DLP) will help you identify where PIPL-relevant data is held and how it is being used.  Data classifications/data identifiers for the Chinese Resident Identity Card, passport numbers, mobile phone numbers, etc. can be detected in data stored in the cloud and on premises.  McAfee’s unique multi-vector data exfiltration protection (more on that here) can also assist in ensuring that sensitive PII data doesn’t end up somewhere it shouldn’t.  Here’s a view of our management console showing how we can identify Chinese PII:

No individual product can claim to make a business “PIPL compliant”, but products such as McAfee’s Data Protection suites should be considered a key part of a toolbox to aid in this goal. The fact that we’ve had this capability within our products for an extended time, well before the introduction of PIPL, is yet another datapoint as to why Gartner named MVISION Cloud THE market leader in the CASB Magic Quadrant and why Forrester named us a leader in their Forrester Wave™ Unstructured Data Security Platforms.

November is barely a month away, and if you’re not already considering how to handle PIPL, you now need to make this a priority.  Consider testing and enabling our Chinese PII classifications.  If you’re running another vendor’s product that doesn’t offer such capability, then take a look at how our MVISION Unified Cloud Edge solution can help solve this along with the cloud-first digital transformation that most companies have already undertaken.
