The Data Security Law and the Personal Information Protection Law are the two most important regulations that took effect in 2021. Together, they are shaping the foundations for data privacy and security in the Chinese regulatory landscape.
However, few details were given regarding how the regulations would be enforced and what concrete steps multinational companies needed to take for their cross-border data transfer activities to be compliant.
On July 7, 2022, the Cyberspace Administration of China (CAC) promulgated the Measures for Security Assessment of Data Exports, which officially took effect on September 1, 2022. The Measures gave guidelines on the steps for applying for a CAC data export assessment for data processors who meet certain criteria (more on the criteria below). The Measures provide a six-month grace period.
That puts March 1, 2023 as the deadline for applying for the CAC data export risk assessment.
In a nutshell, CAC mandates all data controllers who meet one of the following criteria to apply for a data export security assessment through the provincial offices of CAC:
Based on the broadly defined criteria above, our assumption is that most multinational companies – those that have business operations in China and share the same global SaaS platforms with their headquarters or other regional offices – will be required to submit the CAC assessment application by March 1, 2023.
Since the measures came into effect, major global law firms have published their opinion papers and guidance to help their clients navigate through the new requirements. You can find some examples here: The CAC assessment collection Part 1, 2, and 3.
Two things worth noting here:
Given the uncertainties both in how the guidelines are going to be interpreted and in how the authorities will enforce them on multinational companies, our recommendation is to take the double-secured route – by all means you should be preparing all the documents to apply for the assessment (if you have not started yet); at the same time, you could “hedge” the risk by implementing data residency rules for the sensitive data in your global SaaS environment.
Odaseva’s Data Residency for Salesforce will isolate the sensitive data (such as Personal Information data) in your CRM system and make sure it will not be stored, processed, or even viewed outside of the territory of China.
By implementing such tools, you can make sure that the data localization rule is executed to the highest degree in your global IT environment. You will be showing the authority that you are taking serious measures to make sure that the data export rules are respected and honored.
Another option is to leverage Salesforce Core on Ali Cloud, which will be available by the end of this year. This means an Org split that needs to be prepared at all levels: business, architecture, data and technology. Odaseva can also help with this.
We at Odaseva can help you navigate through this critical phase. Contact us today for more information.