Data privacy is quickly becoming a top priority for governments around the world. So far, the European Union, Brazil, and several U.S. states have all passed some form of data privacy regulation. The latest is China’s Personal Information Protection Law (PIPL), China’s new data privacy law, which went into effect on 1 November 2021. The law shares much in common with the European Union’s General Data Protection Regulation (GDPR), which has become a model for governments seeking to protect the data privacy of their citizens. However, there are some differences to note.
What Do The GDPR And PIPL Have In Common?
Both the GDPR and PIPL hand more rights to consumers to obtain, correct, and delete their personal data. They also impact foreign organizations that deal with data in their respective regions. As such, many of these organizations will need to change their data collection and privacy policies to become compliant with the rules.
According to ZDNet and various experts who spoke with the publication, other similarities between PIPL and GDPR include requirements to:
- Include standard clauses in service contracts or agreements between the party that provides the data and the one collecting it
- Provide “clear and reasonable” purposes for processing data collected
- Establish methods for protecting data, including the use of data security tools and performing risk reduction, such as firewall and online privacy notices
How Are the GDPR and PIPL Different?
Given all the two regulations have in common, GDPR-compliant organizations will likely have an easier time adjusting to the PIPL. However, there are some key differences that organizations still need to prepare for, ZDNet reports. Some of these include:
- Unlike the GDPR, the PIPL does “not include legitimate interests or purposes as a condition for data processing.” For example, GDPR would allow for an organization’s Human Resources department to process their employees’ personal data if it was deemed of legitimate reason. Under the PIPL, organizations cannot do the same.” This would likely mean that multinational corporations will have to obtain the consent of all employees in China before their HR departments can process personal information from staff.
- When it comes to cross-border data transfers, organizations must consider the need for a government security assessment, and obtain approval if the processed data exceeds what’s allowed under the PIPL.
Has Your Organization Established Comprehensive Enterprise-Wide Data Security and Privacy Measures?
Unprecedented growth in the volume of data, the rising concerns of privacy breaches, and new legislation like the GDPR and PIPL, all contribute to the need for organizations to create comprehensive enterprise-wide data security and privacy measures. Those that take steps now to understand and comply with new and emerging regulations will find themselves well prepared for the future.
Data Privacy Engineering
In addition to protecting your own network, your organization needs to ensure that the products and systems it develops take data privacy into account. This means limiting the data they collect, determining how your organization retains and uses that data, and ensuring you are applying all relevant regulations— which can all help build consumer trust.
IEEE has partnered with the International Association of Privacy Professionals (IAPP) to provide the IEEE | IAPP Data Privacy Engineering Collection to organizations. This unique training is designed to further educate technical professionals tasked with developing products so they understand, maintain, and protect data privacy throughout the R&D process. The program provides access to tools that allow the technical workforce to implement policies and processes for designing products that take ethical personal data use into consideration right from the start.
Learners will understand how to:
- recognize the benefits and challenges of emerging technologies and how to use them while respecting customer privacy
- establish organizational privacy practices for data security and control
- learn practical knowledge and insights to address corporate privacy challenges
- leverage the knowledge gained to develop products that take data privacy into account
Yu, Eileen. (25 December 2021). Data assessment, user consent key to compliance with China law. ZDNet.