In July 2023, the People’s Bank of China (“PBOC”) issued the Measures for Management of Data Security in the Business Areas of the PBOC (Draft for Public Comments) (“Draft Measures”), together with Drafting Notes.
In this article, we highlight the key provisions of the Draft Measures and set out our observations.
The financial industry, as one of the pillars of the national economy, handles large volumes of data and complex data processing activities. The Draft Measures are the first specialized regulation on data security in the financial industry and are intended to guide data processors in the PBOC’s business areas in meeting their data security obligations.
The Draft Measures implement the data classification and grading requirements set by the Data Security Law and the Opinions of the Central Committee of the Communist Party of China on Constructing a Data Base System to Better Utilize the Role of Data Elements. The Draft Measures propose corresponding data protection measures for different categories, levels and grading of data. Please see below for further details.
The Draft Measures repeat the requirements of the superior laws that "important data should be stored within the country" and that "a security assessment should be conducted in specific data transfer scenarios", but do not put forward additional cross-border data compliance requirements.
The Drafting Notes point out that the Draft Measures bridge certain existing standards, including the Financial Data Security Data Security Grading Guidelines (JR/T 01976-2020), the Financial Data Security Data Lifecycle Security Specification (JR/T 0223-2021) and other financial industry data security standards.
The PBOC will expedite the revision of these standards so that they are consistent with the content and definitions of the Draft Measures.
I. Scope of application
The Draft Measures define their scope of application in terms of "types of data", "data processing activities" and "data processors".
i. Types of data. The data covered is network data, not involving state secrets, that is generated and collected in the course of the various business activities for which the PBOC has supervisory and management responsibility. State secrets and non-network data fall outside the scope of the Draft Measures.
ii. Data processing activities. According to the Drafting Notes, the data processing activities subject to the Draft Measures mainly include those in the areas of monetary policy, cross-border RMB business, inter-bank trading, comprehensive statistics for the financial industry, payment and clearing, currency management and digital RMB business, treasury management business, credit reporting and anti-money laundering.
The Draft Measures themselves do not enumerate these activities, which likely leaves room for the scope to track future adjustments to the PBOC’s terms of reference.
iii. Data processors. The Draft Measures apply to "financial institutions" and "other institutions". Financial institutions regulated by the PBOC include banks, licensed credit institutions, clearing institutions, etc. The scope of the "other institutions" referred to in the Draft Measures is still unclear; it may cover non-financial institutions involved in PBOC business, such as unlicensed technology companies.
Financial institutions that are not supervised by the PBOC, such as securities and futures companies and fund companies, will not be subject to the Draft Measures. However, other financial regulators may draw on the Draft Measures when drafting their own specialized data security rules. Because of business overlaps, financial institutions may face enforcement by several regulators, so coordination between the PBOC, the State Administration of Financial Supervision, the State Administration of Foreign Exchange and the China Securities Regulatory Commission on how each fulfils its data security regulatory responsibilities will need to be considered.
II. Data classification and grading
The Draft Measures set out data classification and grading requirements along three dimensions: three levels, five layers, and usability (i.e. availability). Data processors should compile a data catalogue to manage data by level, layer and usability. Data classification and grading is a continuous, dynamically adjusted mechanism, and data processors should update and report their data catalogues on a regular basis.
i. Three Levels: Data is divided into three levels, general, important and core, based on its accuracy, scale and degree of impact on national security, in accordance with the Data Security Law, the Cyber Security Law and the Measures on Data Export Security Assessment.
ii. Five Layers: Data sensitivity is divided into five layers, numbered one (lowest) to five (highest), based on the degree of harm that could be caused to individuals, organizations and the public interest if a risk event occurs, with reference to the Financial Data Security Data Security Grading Guidelines (JR/T 01976-2020).
Structured data items should be graded item by item; an unstructured data item should be graded according to the highest grade among the structured data items into which it can be split.
iii. Usability: Data should be graded by usability (availability) when building the business continuity assurance system for information systems, with reference to the Information Technology Services Data Centre Business Continuity Registration Grading Guidelines (GB/T 42581-2023). The Draft Measures do not give specific requirements for usability grading, which awaits further clarification.
III. General requirements for data security protection
The Draft Measures set out the following general requirements for data security protection:
i. Implementing internal data security protection responsibilities. Article 12 requires data processors to clarify the division of responsibilities among internal data security management departments and personnel and to implement accountability mechanisms, and requires processors of important data to designate in writing a person responsible for data security and a data security management department.
ii. Establishing a sound internal data security management system. Article 13 requires data processors to establish an internal data security management system and, on the basis of the results of data classification and grading, to set differentiated requirements for security protection management and technical measures, as well as operating, approval and authorisation procedures.
iii. Emphasising the importance of data security training. Article 14 requires data processors to formulate an annual training plan and organise training accordingly. The training content should be designed in accordance with applicable laws and regulations and tailored to the roles and functions of different data-processing positions, covering data security protection measures and operating procedures and the requirements for responding to security incidents, and the results of the training should be evaluated and summarised.
IV. Governance measures and technical measures for each stage of the data lifecycle
Chapters 4 and 5 of the Draft Measures propose management and technical measures for each stage of the data lifecycle, including collection, storage, use, processing, transmission, provision, disclosure and deletion. For example:
i. For data collection, the Draft Measures propose "cross-checking of related information" to identify and avoid problems such as the same content of a data item being unreasonably mapped to multiple individuals or organisations, or conflicting information across different data items, so as to improve the accuracy of collected data.
ii. For data storage, the Draft Measures propose encryption strategies by data structure: structured data is encouraged to be encrypted at a finer granularity, while unstructured data need only be encrypted according to the highest grade of the structured data items into which it can be disassembled.
iii. Where automated decision-making services are provided to individuals on the basis of data items generated by processing, data processors should explain, in an appropriate manner, the purpose of the processing, basic information about the data on which the processing relies and the basic logic of the processing, so as to enhance the transparency of the decision-making.
V. Special scenarios and key matters
The Draft Measures also provide security protection measures for special data processing scenarios, and guidance on key matters such as risk monitoring, assessment and audit, and incident handling:
i. Internal data-processing authority control (Article 16, Article 30)
ii. Innovative applications of data fusion (Article 25)
iii. Data Export (Article 26)
iv. Data access by international organisations and foreign financial administrations (Article 27)
v. Log management (Article 31)
vi. Risk monitoring of processing activities (Article 40)
vii. Security risk intelligence monitoring (Article 41)
viii. Early warning monitoring of security briefings (Article 42)
ix. Data security risk assessment (Article 43, Article 45)
x. Data security audits (Article 44, Article 45)
xi. Security incident classification assessment (Article 46)
xii. Security incident response and disposal (Article 47)
The Draft Measures are a significant piece of legislation on data security management in the financial industry, setting out a series of specific data security measures for the data processing activities of relevant organisations in the PBOC’s business areas. It is likely that financial data processing activities outside the PBOC’s business areas will also be regulated along the lines of the Draft Measures, and that a series of updated data protection standards for the financial industry will follow, resulting in a systematic financial data regulatory regime.
For more information please contact: James Gong or Ying Zhong.