On August 21, 2023, the National Information Security Standardization Technical Committee (TC260) requested public comments on the draft National Standard Information Security Technology Data Security Risk Assessment Method (the draft Standard).

Scope

The draft Standard outlines its function as a guide applicable to data processors and third-party assessment agencies carrying out data security risk assessments, and may also be used by regulatory authorities when implementing data security checks.

Assessment

In particular, the draft Standard divides a data security risk assessment into three stages. Firstly, the draft Standard outlines that personal information processors identify data processors, data assets, data processing activities, security measures, and other relevant elements of information collection. Secondly, the draft Standard provides that personal information processors must identify potential risks from data security management and data processing activities. Finally, after having identified the risks, the draft Standard establishes that personal information processors must evaluate risks based on the context and give rectification suggestions accordingly.

Notably, the draft Standard provides three circumstances under which a security risk assessment should be conducted, including:

• important data processors, who must conduct a security risk assessment every year;
• data processors who share, trade, or provide personal data overseas must also conduct a security risk assessment before embarking on such activities; and
• data processors who carry out high-risk data processing activities.

The draft Standard outlines what is considered a high-risk data processing activity.

In addition, the draft Standard clarifies what objectives a security risk assessment should include, alongside the scope of such objectives. More specifically, the draft Standard also details what information should be requested of third-party data processors. Similarly, in researching data assets, the draft Standard notes that personal information processors should assess, among other things, the data classification, whether important and/or core data is used, and the types and sensitivity of personal information.

Public comments can be submitted to [email protected] until October 15, 2023.

You can read the press release here and the draft Standard here, both only available in Chinese.