Going into effect on November 1st, China introduces its new data privacy law: the Personal Information Protection Law (PIPL). Similar to the GDPR in Europe, the PIPL encompasses the protection of personal information inside and outside of China. In this context, handling sensitive conversations within your organization will be heavily affected by the characteristics of this new legislation. 
If your organization is already compliant with the GDPR, most of your data privacy compliance systems will work in China. However, certain requirements are unique to the PIPL:
Data localisation

The concept of data localisation refers to keeping the data of businesses within the borders of a country. The new Chinese laws make it nearly impossible to store and process data outside of China. Simply put, the data from your Chinese employees collected through your Whistleblowing Program must now be stored and processed on a server in China.
Local Case Managers

Since the personal information generated, collected and processed must stay within Chinese borders, your organization will have to appoint a local representative to handle personal data collected in China. This Case Manager, or Critical Information Infrastructure Operator (CIIO), must be designated by the HQ/Parent company and will be in charge of collecting and processing the personal information of the employees based in China.
Standalone consent of data subjects

The law requires a controller to obtain the standalone consent of data subjects when processing sensitive personal data and when transferring personal data across borders. This can be done by adding a specific checkbox to gather consent during Report completion for someone reporting a matter in China.
Data Protection Impact Assessment

Similarly to the GDPR, a DPIA is required by the PIPL under certain circumstances: cross-border transfer of personal data, contracting a third-party data processor, providing data to another controller and making personal data publicly available. Companies must designate a data controller, like the DPO in Europe, and conduct regular audits to verify the strength of the systems designed to ensure confidentiality.
To know how the PIPL will affect your business in detail, check out the first part of our series on the subject:
China PIPL Whispli
If you have identified that your organization and Whistleblowing Program might be affected by this new legislation, or will be in the future, quickly becoming compliant with the PIPL is a priority. Get in touch with our team to learn how we can help.
Want to see Whispli in action? Schedule a live demo