Before we jump into the implications of this new rule, let’s first understand the agencies, laws and deadlines you should be aware of.
Cyberspace Administration of China (CAC)
The CAC is the national internet regulator of the People’s Republic of China, established in 2011 and responsible for enforcing the new rules around the handling or transferring of Chinese personal information. It is comparable in some degree to the Securities and Exchange Commission (SEC) in the US, or to the Data Protection Authorities (DPAs) in Europe.
Personal Information Protection Law (PIPL)
The China Personal Information Protection Law represents the latest data privacy legislation in China, with a primary focus on safeguarding personal information and mitigating issues related to personal data breaches. The PIPL applies not only to entities and individuals processing personally identifiable information (PII) within China but also extends its jurisdiction to those handling the PII of Chinese citizens outside the borders of China.
When should companies begin thinking about compliance?
Today. The PIPL was first introduced in 2021, and organizations were given until 2023 to formally submit a security assessment to the CAC. This assessment must outline the measures being implemented to ensure compliance with the new regulations. To date, few organizations have fully completed this first step, and with Chinese authorities increasingly seeking to enforce these rules, companies must quickly understand the implications of the PIPL for their ERP data.
What does this mean for companies running SAP ERP?
It depends. This is why undergoing a rigorous self-assessment is a critical first step. As with all data privacy regulations (see Europe’s GDPR), this will be a moving target for years to come. It is important for your organization to understand what personal information is being collected, who needs access to it, where it is being stored, and where it is being accessed from. If your organization has a legal entity in China, schedule a meeting with them tomorrow to get aligned and better understand these questions. It is possible they have already taken steps towards becoming compliant.
With all these changes, it’s no surprise that some companies are rethinking their approach to the largest consumer market in the world.
- The PIPL, Data Security Law (DSL), and Cyber Security Law (CSL) and their related regulations indicate a trend toward more, not fewer, requirements.
- More restrictions mean more difficulty processing Chinese data outside the country.
- Bringing data and related business processes inside China often involves costs in the millions of dollars for large multinationals, and it may require new approaches to application architecture, suppliers, facilities and staffing.
Executive leadership teams are asking strategic questions in light of the PIPL developments:
- Should we double down on the market, leave it or choose a middle path such as a joint venture with a local company? Can we reduce our offerings to what can be localized?
- Should we change our legal-entity structure and operating model to a “China for China” approach, or do we keep an APAC operating entity?
- How does the PIPL affect our tax, deals, cloud and supply chain strategies?
These are just some of the questions that should be considered. In the digital age of interconnected systems, no company’s solution will be the same.
What are the penalties for non-compliance?
China is already cracking down on cyber and privacy law offenders, starting with its own companies. Recently, the CAC imposed the largest fine outside the US, amounting to nearly 5% of the company’s revenue. It found the China-based company to be in violation of three major Chinese cybersecurity and privacy laws, saying the company had mishandled personal information. It comes on the heels of three years of escalating enforcement of the Cyber Security Law.
Chinese regulators have conducted several sweeps of mobile-app stores and websites, covering more than a million mobile apps and hundreds of sites. Regulators have also contacted hundreds of companies — including large, widely known US brands — requesting evidence of their CSL compliance.
Fines and penalties are not the only enforcement risk for companies falling short of their CSL or PIPL obligations. Companies could lose points in their social credit score, which they would need to report in their cross-border data transfer (CBDT) filings. The government could seize their computer equipment, block digital access to their services and, in the worst cases, arrest their company officers.
A path toward PIPL compliance
We recommend building an overall plan for compliance with the Cyber Security Law, Data Security Law and Personal Information Protection Law. Then proceed with your CBDT, CSL and DSL assessments as well as plans, designs and options for localization. It is important to work closely with local teams in China who may better understand the laws and how they apply to your specific organization.
Steps we suggest include:
- Know your data thoroughly. Which comes from China? Do you need it to do business? Try to reduce or anonymize your data transfers as much as possible to help reduce your likelihood of being tagged for inspection.
- If you think you will likely need to localize your Chinese data processing and/or handling, establish a risk-based, accelerated plan.
- Prioritize getting approval for your existing data transfers. Prepare to submit your requests by the end of the year.
- Devise a backup plan in the event that your data transfer requests are refused. Add these transfers to your localization list.
- Identify the “tripwires” in China’s political and business environment that might cause a review of your company’s strategy for the market.
Conclusion
Until you have fully undergone the security assessment, there is no way of knowing whether you are in compliance with the law based on the type of data your organization is collecting. Doing nothing could be an option in the near term, but as the laws continue to evolve, this may no longer be an advisable approach. A system separation may be the costliest option in the short term, but it will surely come with the lowest possible risk.
If you want to learn how cbs is supporting customers through the assessment and execution of the de-coupling of their SAP environment to ensure compliance with PIPL, schedule a call with one of our experts today.