People’s Bank of China Strengthens Data Security Management Measures
On July 24, the People’s Bank of China issued the “Measures for Data Security Management in the Business Field of the People’s Bank of China (Draft for Comment)” in order to enhance data security management in the business sector. The central bank has also opened the draft for public opinions.
The “Measures” consist of eight chapters and 57 articles, covering general principles, data classification and grading, data security protection requirements, management and technical measures, risk monitoring and assessment, legal responsibilities, and supplementary provisions. The “Measures” apply to data processing activities within the territory of China, with the People’s Bank of China responsible for supervising and managing these activities.
The regulated data processing activities include monetary policy business, cross-border RMB business, inter-bank market transactions, financial industry statistics, payment and settlement business, currency management, digital RMB business, credit investigation, anti-money laundering, and other related fields.
Key points of the “Measures” include the division of data into three levels: general, important, and core, based on accuracy, scale, and impact on national security. Data processors must accurately identify and determine the level of sensitivity of data stored in their information systems. The sensitivity of data items is further classified into five levels based on the potential harm to individuals, organizations, or public interests if the data is leaked or used illegally.
Additionally, the “Measures” require that data collected and generated within China must be stored within the country if there are domestic storage requirements. Data processors are also prohibited from providing data stored in China to international organizations and foreign financial management departments without approval.
To promote the development and utilization of data, the “Measures” encourage data processors to reduce the sensitivity level of data that no longer identifies specific individuals or organizations after processing. Data processors of important data must conduct an annual comprehensive data security risk assessment.
The central bank states that the “Measures” fill in the gaps in data security management systems in the business field of the People’s Bank of China, providing institutional guarantees and promoting the high-quality development of the data factor market. The provisions in the “Measures” align with existing regulations, aim to promote the development and utilization of data, and refine the requirements for normative measures.
The “Measures” also emphasize the establishment of data classification and grading systems, as well as accountability and punishment systems for data security. Processors of important data must specify the person in charge of data security. The “Measures” consolidate the bottom line of security compliance throughout the entire data processing process.
Overall, the “Measures for Data Security Management in the Business Field of the People’s Bank of China” will strengthen data security in the financial industry and ensure the protection of consumer and corporate rights and interests.