Recently, China’s Ministry of Industry and Information Technology (MIIT) rolled out the Implementation Rules for Data Security Risk Assessment in the Industry and Information Technology Sectors (Trial) (referred to as the Rules), effective from June 1, 2024. The document aims to standardize mandatory data security risk assessments concerning key and core data within these sectors. The following are the takeaways from the Rules worthy of attention:

  • The terms of reference. MIIT will oversee and guide data security risk assessments, and develop relevant assessment standards.
  • Scope of the assessment. Entities handling key and core data must assess data security risks annually, addressing processing purposes, methods, business scenarios, security measures, and risk impacts as per national laws, industry regulations, and assessment standards.
  • Potential choices of assessors. Assessments can be conducted by the entities themselves or by accredited third-party agencies.
  • Report submission. Entities must mitigate identified risks promptly and submit assessment reports to local industry regulators within 10 working days post-assessment.

The MIIT is building a data security policy system for the field under its authority, based on the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial). Building on that, a series of documents has been released or is under development. The Rules are part of this policy system. The other policy documents in this system include the identification guidelines for key data and core data, risk information reporting and sharing guidelines, preparation of emergency response to security incidents, and administrative penalty guidelines. It is expected that, with the rollout of those policy documents, MIIT will provide better and clearer support for data protection in the industry and information technology sectors.