On 21 August 2023, the National Information Security Standardization Technical Committee of China (SAC/TC260) issued a notice seeking public input on the draft of the Risk Assessment Method for Data Security in Information Security Technology (hereinafter referred to as the “Draft”). This national standard aligns with the Data Security Law and aims to establish a methodological framework for stakeholders to conduct data security risk assessments and implement necessary preventive measures.

The Draft draws upon the Cybersecurity Standard Practice Guide—Guidelines for the Implementation of Network Data Security Risk Assessment (hereinafter referred to as the Practice Guide), which provides specific and practical recommendations for implementation. Notably, Article 8.4 of the Draft focuses on the security of data processing activities and outlines seven key areas for conducting risk assessments in data collection, storage, transfer, usage and processing, supply, disclosure, deletion, and other related activities. The Draft explicitly instructs stakeholders to consult the Practice Guide for detailed action plans, as it provides concrete guidelines rather than abstract requirements.

Foreign stakeholders are advised to pay close attention to the supplementary relationship between the Draft and the Practice Guide, especially as the latter contains specific requirements for risk assessment of cross-border data transfers.