China adopts its own GDPR: What impact for your Whistleblowing Program?
If your organization is already compliant with the GDPR, most of your data privacy compliance systems will work in China. However, certain requirements are unique to the PIPL:
Data localisation
The concept of data localisation refers to keeping business data within the borders of a country. The new Chinese laws make it nearly impossible to store and process data outside of China. Simply put, the data collected from your Chinese employees through your Whistleblowing Program must now be stored and processed on a server in China.
Local Case Managers
Since the personal information generated, collected and processed must stay within Chinese borders, your organization will have to appoint a local representative to handle personal data collected in China. This Case Manager, or Critical Information Infrastructure Operator (CIIO), must be designated by the HQ/parent company and will be in charge of collecting and processing the personal information of employees based in China.
Standalone consent of data subjects
The law requires a controller to obtain the standalone consent of data subjects when processing sensitive personal data or transferring personal data across borders. This can be done by adding a specific checkbox to gather consent during report completion for someone reporting a matter in China.
Data Protection Impact Assessment
As under the GDPR, a DPIA is required by the PIPL in certain circumstances: cross-border transfer of personal data, contracting a third-party data processor, providing data to another controller, and making personal data publicly available. Companies must designate a data controller, comparable to the DPO in Europe, and conduct regular audits to verify the strength of the systems designed to ensure confidentiality.