Four strategies for preparing for China's data outbound security assessment

Publisher: EE小广播 | Latest update time: 2024-07-22 | Source: EEWORLD | Author: Gartner Research Director 陈延全 | Keywords: Gartner

The Measures for Security Assessment of Data Transfer Abroad (hereinafter referred to as the "Measures"), promulgated by the Cyberspace Administration of China (hereinafter referred to as the "CAC"), came into effect on September 1, 2022. The Measures provide a framework for the security assessment and approval of data transfer abroad, and they apply not only to personal information but also to important data, a category broader than personal data.


The implementation of the Measures creates substantial compliance risk for multinational companies operating in China and has a significant impact on their ongoing or upcoming data transfer activities. Multinational companies that are subject to a data outbound security assessment can continue their data transfer activities only if they pass the government-led security assessment.


Organizations doing business in China may need to conduct a local government-led security assessment of business and personal data going abroad. Security and risk management (SRM) leaders at multinational companies must plan ahead to avoid disruptions to data transmission or business operations (see Figure 1).


Figure 1: Basic framework of the data outbound security assessment method



Government-led security assessments are only triggered when data reaches a certain level of sensitivity or size

Companies engaged in international trade in China, regardless of industry and size, now rely to some degree on cross-border data flows for their daily operations. The ability to transfer data across borders has become an important component and key driver of productivity, innovation and business growth. Restricting or losing outbound data transmission will increase management and operating costs, weaken product innovation so that products cannot enter the market in a timely manner, or make product prices unattractive.


However, not all data transfer activities regulated by the Measures need to apply for a government-led security assessment. Only when Chinese data processors meet certain conditions do they need to apply for a government-led security assessment.


Figure 2: Decision tree for triggering a government-led security assessment



In March 2024, the Cyberspace Administration of China issued the "Regulations on Promoting and Regulating Cross-Border Data Flows", which proposed to relax the compliance requirements for cross-border data transmission. The "Regulations" stipulate that if specific conditions are met, enterprises and institutions that export data abroad can be exempted from declaring data export security assessments, signing standard contracts for the export of personal information, or obtaining personal information protection certification, thereby promoting the flow of data outside mainland China.


Lengthy application and assessment processes may delay planned projects


According to information released by the Cyberspace Administration of China and feedback received from customers, it takes about three months to complete a security assessment. Enterprises and organizations need to plan ahead and adjust to the new requirements as early as possible to prevent data transmission interruptions or delays in the launch of new projects.


The necessary materials must be submitted to the local cybersecurity and informatization department for assessment. SRM leaders should work with key stakeholders in the security, privacy, legal, compliance and business departments to prepare these materials. Incomplete materials or inaccurate information may result in the cancellation or failure of the security assessment.


Security assessments move from periodic actions to ongoing compliance efforts


The validity period of the data outbound security assessment result is 3 years. The data processor shall apply for an extension of the assessment result or re-submit the assessment 60 working days before the expiration of the validity period.


A multinational company whose fast-growing new business relies on cross-border data flows should expect the preparation and filing of security assessments to become an ongoing operation. This will increase the cost of management and compliance, which may be negligible for large companies but is still a major issue for small and medium-sized enterprises.


If a multinational company needs to centrally store and process customer data collected from different jurisdictions (such as China, Europe, and the United States) in one region, it needs to have the ability to process the data differently.


Security assessment results prompt organizations to rethink localization strategies


Gartner's client inquiries indicate that most multinational companies in China that are subject to the Measures have begun preparing for filing or are conducting security assessments, but the number of filings that have been formally approved is limited. Because the Cyberspace Administration of China may require rectification, which brings additional management and operating costs, companies and organizations should re-examine their data localization and IT isolation strategies in China.


  • Data localization: Organizations need to clarify which legal and regulatory requirements apply to their existing operations and future expansion plans in China, and when choosing a localization route, they need to consider both the organization’s risk appetite and the business value generated by the Chinese market.


  • IT Isolation in China: When considering whether it is necessary to build an independent IT environment specifically for the Chinese market, in addition to legal and compliance considerations (such as data localization, Information Security Protection 2.0), other business and technical aspects should also be considered, such as business ecosystem and synergy, and the availability of service and technology providers.

