What Your Business Needs to Know
China’s National Standards on Information Security Technology – Personal Information Security Specification has drawn comparisons to GDPR, but how closely are the two really linked? Here, Relentless Privacy & Compliance outline the key differences and similarities between Chinese and EU privacy laws, and explain the impact that this comparison could have on your business.
In May 2018, a new data protection law came into force which changed the way many businesses manage, collect, and store data. Before you roll your eyes and turn away, convinced that you’ve heard it all before, there’s something you should know:
The law we’re talking about here isn’t the General Data Protection Regulation (GDPR). You see, while the eyes of the world were on the European Union and the far-reaching impact its privacy laws were having on the world at large, China quietly ushered in its own National Standards on Information Security Technology – Personal Information Security Specification.
Better known simply as The Standard, this law actually came into force on 1 May 2018, several weeks before GDPR, though by all accounts it was modelled after its European counterpart.
Naturally, then, experts have been quick to look for parallels between the two. Meanwhile, businesses with interests in both China and the EU have been eager to explore how the similarities between the two laws can help them avoid unnecessarily duplicating their efforts in order to comply with both.
For example, since both GDPR and The Standard require certain organisations to appoint a designated data protection official, it simply makes sense for businesses to look at the duties of a Data Protection Officer (DPO) as required by GDPR and the duties required of a DPO as outlined by The Standard, and combine them into one role.
But what other ways can international businesses reduce the operational impact of complying with both EU and Chinese data protection laws? More importantly, what are the major differences between the two that your organisation needs to be mindful of?
That’s what we’re going to look at today.
At Relentless Privacy and Compliance, we help businesses across the globe to minimise the costs and complications involved in meeting the requirements of international privacy law. Today, we draw on our experience in supporting organisations within both China and the EU to explain everything you need to know to enjoy frictionless compliance with The Standard and GDPR.
First and foremost, while both GDPR and The Standard concern themselves with personal data, they ultimately have different ideas as to what that actually is. The Standard uses the term “personal information.” This term covers a broader range of data types and categories of data than its GDPR equivalent, “personal data.” For example, The Standard’s definition of personal information includes all of the things covered by “personal data” but also includes things like website tracking records, IP addresses and serial codes on hardware devices. Then, of course, there’s the concept of “sensitive personal information.”
Under GDPR, this type of information is typically known as “special category data” and includes types of data which go beyond the usual Personally Identifiable Information (PII). According to the Information Commissioner’s Office, which oversees GDPR in the UK, special category data can include information such as:
- Health conditions
- Political affiliations
- Sexual orientation
- Trade union membership.
However, The Standard defines its equivalent, sensitive personal information, as any information which could cause a person physical or mental harm should it be leaked, or which, should it be revealed, could result in that person being discriminated against. This includes data such as:
- Any information about children under 14 years old
- Bank details
- Information about properties the person owns
- National ID card numbers
- Usernames and passwords
Data Collection and Consent
Under The Standard, organisations that wish to collect, process and store this sensitive personal information must gain explicit consent from users in order to do so. They must also inform users of both the core business purposes for collecting this information and any ancillary purposes. Explicit consent must be given for each of these ancillary purposes. For example, a user may consent to handing over sensitive information in order to access a particular service or product from a business. If that company then also wants to process that person’s data for marketing, to sell them additional services, or even to use that person’s IP address to help compile a report about web traffic, then the user must give consent three additional times, once for each of these additional purposes. Should the user decline to give consent for an ancillary purpose, the business can refuse to provide that ancillary service, but it cannot refuse to carry out the core business purpose for which consent was given.
Those already familiar with GDPR will, of course, have heard the term “explicit consent” before. It is one of six lawful bases for collecting personally identifiable information as outlined in GDPR Article 6. The other five bases are:
- Contract: Processing data is necessary to fulfil contractual obligations.
- Legal obligation: Processing is necessary in order to comply with the law.
- Vital interests: Processing is necessary to protect someone’s life.
- Public task: Processing is necessary in order to perform a task that is in the public interest or to carry out an official function, providing that task or function has a clear basis in law.
- Legitimate interest: Processing is required to carry out the legitimate interests of your organisation or a third-party organisation.
This means that if an organisation doesn’t rely on explicit consent to process someone’s data, it can use one of the other five legal bases to justify that processing. The Standard, however, has its own exceptions to the consent rule. Some of these are similar to GDPR Article 6 while others are different. For example, under The Standard, an organisation doesn’t need to gain consent if it can prove that processing data is necessary to perform a contract. This is the same as the ‘Contract’ legal basis under Article 6. Meanwhile, The Standard also lists other exceptions to the consent rule, such as necessity for troubleshooting products or services or even necessity for news reporting, neither of which is listed under Article 6. The Standard also leaves out some Article 6 legal bases, such as legitimate interests.
Both GDPR and The Standard make use of privacy notices which outline exactly what an organisation intends to do with an individual’s data, as well as reminding users of their data rights. For example, notices must disclose:
- Why data is being collected
- What legal grounds the organisation has for collecting it
- Where the data is being sent and who will be using it.
The Standard also requires organisations to disclose what security measures are in place and what risks there may be after providing information.
One significant difference between the two is that GDPR allows organisations to omit certain details from their privacy notices if the user has access to those details from other sources, such as website pop-ups or simply being in regular contact with the organisation. The Standard allows for no such omissions and insists that privacy notices must be delivered on a one-to-one basis unless costs become too high or significant difficulties emerge, in which case a public announcement is allowed.
Data Subject Rights
The Standard outlines data rights for individuals which are very similar to those outlined by GDPR. However, once again, there are some notable differences. These include:
- Data subject requests: With regard to users asking for copies of their data or to have their data deleted, The Standard decrees that such data subject requests must be complied with in less than 30 days. GDPR allows extensions for request compliance under certain circumstances, whereas The Standard does not.
- Right to be forgotten: The Standard allows individuals more power to exercise their ‘Right to Be Forgotten.’ It does this by omitting some of the exceptions listed in GDPR which give businesses the option to refuse a request from an individual to delete data held about them.
Other Key Differences Between GDPR and The Standard
Data Protection Impact Assessments (DPIA)
Both GDPR and The Standard require organisations to carry out DPIAs; however, The Standard is much stricter about how frequently these must be done. It states that a Data Protection Impact Assessment must be repeated at least once a year, as well as at the following key times:
- When new legislation comes into effect
- When business models, information systems or operational environments change significantly
- When a major personal information security incident occurs.
GDPR, on the other hand, is far less specific about when DPIAs must be carried out.
GDPR does not expressly require consent specifically for data sharing, whereas The Standard does, unless the information in question can be de-identified. That said, both regulations recommend carrying out risk assessments prior to sharing as a matter of best practice.
What Does This Mean For Your Business?
If you’ve read through all the similarities and differences listed above, one thing should be clear: while GDPR and The Standard have a lot in common, there are enough differences between them to mean that, if your business is operating in both China and the EU, you’ll have to pay attention to both. This isn’t just a case of complying with GDPR and using that compliance model as-is to comply with The Standard. In other words, a one-size-fits-all approach to privacy and data protection just isn’t going to cut it. Take the aforementioned privacy notices, for example. If you already have a privacy notice for GDPR, this in itself may not be enough to ensure compliance with China’s data protection standard. The latter requires extra details which you will need to incorporate. However, this doesn’t necessarily mean that you have to double your efforts and maintain two separate policies. As with all aspects of privacy law, elements of both The Standard and GDPR can be merged to create a fully comprehensive notice which serves both.
As we mentioned earlier in this article, the role of the Data Protection Officer does vary somewhat between The Standard and GDPR. Again, this doesn’t necessarily mean that your existing GDPR DPO will cover you for The Standard, but it does mean that the job specification of your current DPO can be modified to ensure that it covers you for both. Likewise, you’ll need to consider how your existing consent policies need to be added to or otherwise revised to ensure frictionless compliance with both regulations. If all of this sounds like a headache, you’ll be relieved to know that help is at hand.
At Relentless Privacy & Compliance, we specialise in working with businesses like yours to help you identify the systems, processes and policies you can use to comply with all international privacy regulations in a way that adds long-term value to your organisation.
From serving as your outsourced DPO to providing ongoing consultancy and training to help you minimise the cost of compliance, our experienced privacy experts are only ever a phone call away. To find out more about how we can help you, call us now on +44 0121 5820192 or contact us online today. Or