PIPL Compliance Check List

Checklist: PIPL data compliance in 5 Steps

China’s recent legislation presents new risks, challenges and increased costs to all companies handling the personal information of Chinese residents. With a little extra diligence, and an expert partner such as Nuna Network, it is possible to overcome the hurdles, mitigate the risks and reduce the new cost burden.

  1. Verify exposure
    First, make sure the new law applies to your business. Are you making use of the personal information and data of Chinese residents? Create a list of all of the times and ways that you do, and be sure to keep track of the full data-use life cycle, from first opt-in to deletion from the database. Did you offer an opt-out at any point? Jot down any and all legal bases, privacy policy links and any other opt-in/opt-out related databases and documents for these activities. If you handle large volumes of data, you may be considered a CIIO (a critical information infrastructure operator) and therefore face even greater compliance requirements than the above.

  2. Determine what is missing
    After you review all relevant compliance protocols, you'll want to figure out what is missing within your current system and database technology stack. You might then go an extra step and calculate what penalties your company faces with your current system, in order to make a clear cost/benefit analysis around proper remediation. What additional third-party partners will you need to engage to get PIPL compliance up and running, and will the system require additional ongoing support or data science employees?

  3. Upgrade your compliance platform
    Close compliance gaps to align with PIPL rules and regulations, and document each of your changes for easy reference in the future. Wherever your company handles personal information, you'll need to update best practices, vendors and staff skillsets across your company management, workforce and technology stack.

  4. Conduct impact assessments
    Under PIPL you will be required to perform and document personal information protection impact assessments on an ongoing basis for any high-risk cross-border data transfers and other high-risk events or potential security lapses. Given the high penalties and vague language used in the regulations, it is important to keep records of all assessments and metadata reviews in the event your company's data handling practices come under scrutiny.

  5. Upgrade your technology and SOP
    In order to ensure ongoing compliance with the new PIPL regulations, you'll need to make sure the SOPs used by management, vendors and staff all align with proper data collection and handling practices. The most efficient way to achieve this (and protect your ROI and overall margins) is to make use of a dynamic database solution that automates many of the assessment and documentation requirements. Once set up, it can run in the background and ensure ongoing compliance is met.

Need help properly vetting your suppliers? Nuna Network is here to help. We’re the partner of choice and go-to resource for businesses or individuals seeking guidance in researching, developing, and establishing relationships with companies in China.

Nuna Network offers more than a one-time report: a range of validation, verification and diligence services that help you determine the authenticity of a Chinese company. Check out our valuable guides, helpful tips and other practical information to help you navigate the complex landscape of Chinese businesses.