On November 19, 2024, 17 Chinese sector associations jointly released the Data Security Compliance Guidelines for the Industrial and Information Technology Sectors (hereinafter referred to as the Compliance Guideline; the original document is linked here). The announcement was a highlight of the Light of Internet Expo, a key segment of the World Internet Conference 2024 Wuzhen Summit. The guideline emphasizes security measures throughout the entire data lifecycle, from data collection and storage to processing, sharing, and disposal.

Since 2021, several critical laws and regulations have been enacted, including the Data Security Law (here), Cybersecurity Law (here), and Personal Information Protection Law (here). Within this context, the industrial and information technology sectors have emerged as critical areas of focus due to their close ties to essential infrastructure and national security. To ensure compliance, recent regulations, such as the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial) (here) and the Detailed Rules for the Implementation of Data Security Risk Assessments in the Field of Industry and Information Technology (Trial) (here), have outlined detailed procedures for legal and compliant data processing in these fields.

The Compliance Guideline aims to address the challenges faced by data processors in meeting data security obligations. It provides:

  • A clear basis for compliance.
  • Practical steps for comprehensive, accurate, and standardized data security management.
  • Strategies to enhance data protection capabilities.

The document’s legal basis draws from existing regulations, including the laws mentioned above, ensuring alignment with China’s broader data governance framework. The guideline applies to data processors in the industrial and IT sectors, defined as entities that independently determine the purposes and methods of data processing. These entities include:

  • Industrial enterprises.
  • Software and IT service companies.
  • Telecommunications and Internet providers.
  • Radio frequency and station users.

The Compliance Guideline is structured into nine chapters. The opening chapters cover the scope of application, terms and definitions, and a full list of the legal documents on which the guideline is drafted. The remaining chapters lay out in more detail how to classify and grade data, how to establish and operate a data security management system, how to protect data across its full lifecycle, how to monitor, report, and handle security risks, how to respond to security incidents, how to conduct risk assessments, how to manage cross-border data transfers, and how to handle data trading.