Companies should adapt their organizational structure and improve risk control and data security levels to prepare for the enactment of a new Chinese privacy law, industry experts said.
Last Friday, China passed its first personal information protection law, which will come into effect in November. The law, similar to the European General Data Protection Regulation, requires businesses to justify their data collection and gives consumers the right to access or delete their information.
Companies need to upgrade their business structures to comply with the new regulations, which is their social responsibility under the new law, said Wang Jianxia, a risk control expert at Deloitte.
Companies are advised to set up independent organizations to review personal information processes, covering the scope and necessity of data use and definition of sensitive data. They are also encouraged to publish regular data protection reports, Wang said.
By law, individuals and organizations handling personal information will be required to minimize data collection and obtain prior consent, especially for sensitive personal data covering biometrics, medical health, financial accounts and travel history.
All data of minors under the age of 18 is considered sensitive data, which should be checked and handled with care, experts said.
Businesses are encouraged to establish a “security brain” to deal with criminals who steal personal information, cyber attacks and the risk of data breaches. The leaked data spurred a black market, according to 360, China’s largest cybersecurity company.
In the first quarter, 360 received 606 smartphone crime reports, with each victim losing an average of 14,611 yuan. They were victims of fraudulent activities related to finance, dating, online shopping and job search services using disclosed personal information.
“The new law provides a clear legal basis for the network security industry and also highlights new market demands. It will greatly promote the healthy development of the sector,” 360 experts said.
The law provides a clear and operational standard for online security companies, bringing benefits to the entire industry, said Liu Haiyang, a security expert at Tencent.
Currently, 360 offers products with privacy protection features capable of preventing software from collecting excessive information and allowing users to discover privacy leaks. It is developing a “security brain”, spanning infrastructures with passwords, certificates, identity management and high-level security expert operating systems.