China Releases Technical Standards Guiding the Classification of “Important” Data

Written by Arendse Huld. Reading time: 10 minutes

China’s market regulation and standardization authorities have released technical standards to guide the identification and classification of different types of data. The technical standards provide guidelines for companies and regulators to identify data as “core”, “important”, or “general”, and thereby subject the data to the differentiated protection standards required under China’s data security and personal information protection laws.


The State Administration for Market Regulation (SAMR) and the Standardization Administration of China (SAC) have released a new set of technical standards for data classification. The technical standards, titled Data security technology — Rules for data classification and grading [GB/T 43697-2024], set out the rules for grading data into three levels and provide a general guide for companies and government ministries to identify and classify different types of data in order to comply with China’s personal information and data protection regulations.

In a significant development, the technical standards provide guidelines for regulators and companies to identify what is considered “important” data. This means they will act as a reference for companies and regulators when assessing the types of data that can be exported, as well as which compliance procedures a company must undergo in order to export data.

They will also be relevant for data protection requirements, as both “core” and “important” data are subject to higher protection standards than other types of data.

The technical standards will be implemented from October 1, 2024.

Below we outline some of the main processes and principles stipulated in the technical standards and discuss their significance for foreign companies.

Background

China’s Data Security Law (DSL) stipulates that companies and government authorities should classify data according to its level of importance in order to implement a hierarchical protection system for different types of data.

Specifically, Article 21 of the DSL states that “the state establishes a data classification and hierarchical protection system, based on the importance of data in economic and social development, and the impact on national security, public interests, or individuals and organizations once it is tampered with, destroyed, leaked, or illegally obtained or used.” Data must then be protected according to their classification and risk level.

However, since the release of the DSL, it has been unclear exactly how data should be classified and therefore protected. The technical standards seek to provide a guide for both authorities and companies to identify different types of data and grade their risk level by clarifying the definitions of various concepts and outlining specific rules and procedures.

Basic principles of data classification and grading

The technical standards outline the basic principles to which stakeholders should adhere when carrying out data classification and grading.

Note that the technical standards outline two different types of data classification – classification by data type (分类), whereby a stakeholder classifies data according to its industry and business attributes, and data grading (分级), whereby a stakeholder grades the data by its risk and sensitivity level.

Data from certain sectors or companies may inherently have a higher risk level due to the nature of the industry (such as military, critical infrastructure, and governmental sectors).

Definitions of Data Terms in the Technical Standards

Data: Any record of information in electronic or other forms.

Important data: Data specific to certain fields, groups, and regions, or reaching a certain level of precision and scale, that, once leaked, tampered with, or destroyed, may directly jeopardize national security, economic operation, social stability, public health, and safety.
Note: Data that only affects the organization itself or individual citizens is generally not considered important data.

Core data: Data with a high degree of coverage, that reaches a high level of precision, is large in scale, and reaches a certain depth in a domain, group, or region, and that, once illegally used or shared, may directly affect political security.
Note: Core data mainly includes data related to national security key areas, national economic lifelines, people’s livelihoods, and major public interests, as evaluated and determined by the relevant state departments.

General data: Other data, excluding important and core data.

Personal information: Various types of information related to identified or identifiable natural persons, recorded in electronic or other forms.
Note: Personal information is also defined in the Personal Information Protection Law, as well as in other regulations.

Sensitive personal information: Personal information that, once leaked or unlawfully used, may easily lead to the infringement of the personal dignity of natural persons or endanger their personal and property security.
Note: Sensitive personal information is defined in more detail in other regulations and standards.

Industry sector data: Data collected and generated in the performance of work duties or business activities within a certain industry sector in accordance with the law.

Public data: Data collected and generated by government departments at all levels, organizations with public management and service functions, and their technical support units in the process of lawfully performing public affairs management duties or providing public services.

Organization data: Data collected and generated by organizations in their own production and operation activities that does not involve personal information or public interests.

Derived data: Data generated through statistical, correlation, mining, aggregation, de-identification, and other processing activities.

Under the technical standards, data is classified and managed according to the industry sector to which it belongs. Classification and grading are based on a number of core principles.

First, under the principle of scientific utility, stakeholders should select common and stable attributes or characteristics as the basis for data classification, from the perspective of facilitating data management and utilization, and then refine the classification according to actual needs.

Second, data grades should have clear boundaries, and protective measures corresponding to each grade should be taken for the data at that grade.

Third, the data grade should be determined according to the principle of adopting the highest standard. This means that when multiple factors may affect the grade, the grade should be determined by the highest impact level among all of the potential influencing factors.

Fourth, data grading should consider not only individual data items but also the security impact of the aggregation and integration of data from multiple domains, groups, or regions, and determine the grade comprehensively on that basis. A dataset may therefore be graded higher than any of its components.

Finally, data classification, data grading, important data catalogs, and other classification and grading outputs should be regularly reviewed and updated based on changes in the business attributes of the data, its level of importance, and the degree of potential harm it may cause.

Data classification

In order to classify data, it must first be classified by industry sector and then by business attribute.

The industry sectors include industrial data, telecommunications data, financial data, energy data, transportation data, natural resources data, healthcare data, education data, scientific data, and so on.

Supervisory or regulatory departments of each industry and sector will further classify the data of their respective sectors based on the business attributes of the given industry and sector. Common business attributes include but are not limited to:

  1. Business domain: Classifying according to the scope, type, or function of the business;
  2. Responsible department: Classifying according to the data management department or responsibilities;
  3. Descriptive targets: Classifying according to the targets described by the data (these include user data, business data, management data, and system operation and maintenance data);
  4. Process stages: Classifying according to business processes and industrial chain stages (energy data is classified according to process stages such as exploration, exploitation, production, processing, sales, and utilization);
  5. Data subjects: Classifying according to data subjects or owners (data subjects are classified into public data, organizational data, and personal information);
  6. Content themes: Classifying according to the content themes described by the data;
  7. Data purposes: Classifying according to the processing purposes and uses of the data;
  8. Data processing: Classifying according to the data processing activities or the degree of data processing;
  9. Data sources: Classifying according to the data sources and collection methods.

Note that certain data categories, such as personal information, have special legal requirements with regard to their management, such as storage and transfer. This type of data should therefore be identified and classified according to relevant regulations and standards.

Methods for classifying data type

The technical standards state that data classification can be flexibly refined based on the requirements of data management and usage, combined with existing data classification foundations and business attributes.

The following steps can be taken to carry out data classification in industry sectors:

  1. Clarify the scope of data: According to the responsibilities of the supervisory or regulatory departments in each industry sector, clarify the scope of data management in this industry and domain.
  2. Refine business classification: Classify the business within this industry and domain in detail, including:
    1. Combining departmental responsibilities, clarify the classification of industry sectors or business lines (in the industrial sector, data is classified into categories such as raw materials, equipment manufacturing, consumer goods, electronics and information manufacturing, software, and information technology services according to departmental responsibilities).
    2. Based on the business scope, operational models, business processes, and so on, refine industry sectors or specify key business categories for each business line (raw materials are divided into categories such as steel, non-ferrous metals, petrochemicals, and so on; equipment manufacturing is divided into categories such as automobiles, ships, aviation, aerospace, industrial machinery, engineering machinery, and so on);
  3. Business attribute classification: Select appropriate business attributes to refine the classification of data for key businesses.
  4. Determine classification rules: Analyze the data classification results of key businesses, and based on the requirements of data management and usage in the industry sector, determine the classification rules for industry sector data. For example:
    1. Classification rules for data can be provided in the form of “business line – key business – business attribute classification”;
    2. Alternatively, analyze the data classification results of key businesses and group data subclasses with similar themes.

Data grading

Data grading is conducted in order to identify the degree of harm to national security, economic operation, social order, public interests, organizational rights, and individual rights that data may cause if it is leaked, tampered with, destroyed, illegally acquired, illegally used, or illegally shared. Data is graded based on its importance in economic and social development into three levels, from highest to lowest risk: core data, important data, and general data.

The technical standards outline the following steps for data grading:

  1. Identification of grading targets: Identify the data to be graded, such as data items, datasets, derived data, cross-industry sector data, and so on (data items typically represent fields in a database table. Datasets are collections composed of multiple data records, such as database tables, database rows or sets of rows, data files, and so on. Cross-industry sector data refers to data collected or generated in one industry sector and transferred to another, as well as data produced by the integration and processing of data from two or more industry sectors);
  2. Recognition of data grading factors: Based on the characteristics of their own data, identify the data grading factors described below;
  3. Data impact analysis: Considering the identified grading elements, analyze the potential targets and the extent of impact in case of data leakage, tampering, destruction, illegal acquisition, illegal use, or illegal sharing.
  4. Comprehensive level determination: Determining the data risk level based upon rules set out in the technical standards.

Factors affecting data grading include the domain, group, region, precision, scale, depth, coverage, and importance of the data. Domain, group, region, and importance are usually qualitative grading elements, while precision, scale, and coverage are quantitative grading elements. Depth, which is the extent to which data describes implicit information or multidimensional detailed information about the described targets through processing such as statistics, correlation, mining, or integration, is typically a grading element for derived data.

Conducting a data impact analysis

When conducting a data impact analysis for data grading, the entity carrying out the analysis must consider the impact target and the degree of impact.

The impact target refers to the target that may be affected when data faces security risks, such as data leakage, tampering, destruction, illegal acquisition, illegal use, or illegal sharing. Impact targets typically include national security, economic operation, social order, public interests, organizational rights, and individual rights.

The degree of impact refers to the extent of harm that may occur once data is leaked, tampered with, destroyed, or illegally acquired, used, or shared. The degree of impact is divided into “particularly severe harm”, “severe harm”, and “general harm”. Different criteria are used when judging the degree of impact on different impact targets. If the impact target is national security, economic operation, social order, or public interests, the overall interests of the country, society, or industry sector are the criteria for judging the degree of impact. If the impact target is only organizational or individual rights, the interests of the organization or of the individual citizens concerned are the criteria for judging the degree of impact.
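To make the grading workflow concrete, the following Python is an added example written for this article; it is not code from the standard or from SAMR/SAC. It walks a set of grading targets through the steps above: record the impact analysis for each target, apply the highest-standard principle across all impact factors, treat organization-only or individual-only impacts as not making data “important”, raise the grade of an aggregated dataset when aggregation itself creates a new impact, and emit entries in the “sector – business line – asset” form used for classification catalogs. The mapping from impact target and degree of impact to a grade, and the sample assets, are assumptions made for illustration; the standard’s own determination table is not reproduced on this page.

```python
"""Illustrative data grading engine (added example, not from GB/T 43697-2024).

ASSUMPTION: the (impact target, degree of impact) -> grade mapping in
grade_impact() is an illustrative choice for this example. The page does not
reproduce the standard's own determination rules, so do not treat it as official.
"""
from dataclasses import dataclass
from enum import IntEnum


class Grade(IntEnum):
    """Three data levels, ordered so that max() yields the stricter level."""
    GENERAL = 1
    IMPORTANT = 2
    CORE = 3


class Degree(IntEnum):
    """Degree of impact once data is leaked, tampered with, destroyed or misused."""
    GENERAL_HARM = 1
    SEVERE_HARM = 2
    PARTICULARLY_SEVERE_HARM = 3


# Impact targets named in the article. Organizational and individual rights are
# judged against the organization's or individual's own interests and, per the
# note on important data, do not on their own make data "important".
PUBLIC_TARGETS = frozenset({"national_security", "economic_operation",
                            "social_order", "public_interests"})
PRIVATE_TARGETS = frozenset({"organizational_rights", "individual_rights"})


@dataclass(frozen=True)
class Impact:
    target: str
    degree: Degree


@dataclass
class DataAsset:
    name: str            # grading target: a data item, dataset or derived dataset
    sector: str          # industry sector (first classification axis)
    business_line: str   # business attribute classification
    impacts: tuple       # result of the data impact analysis for this target
    personal_information: bool = False  # special category with its own PIPL rules


def grade_impact(impact: Impact) -> Grade:
    """Map one (target, degree) pair to a level. Illustrative mapping, see above."""
    if impact.target in PRIVATE_TARGETS:
        return Grade.GENERAL
    if impact.target not in PUBLIC_TARGETS:
        raise ValueError(f"unknown impact target: {impact.target}")
    if impact.degree is Degree.PARTICULARLY_SEVERE_HARM:
        return Grade.CORE
    if impact.degree is Degree.SEVERE_HARM:
        return Grade.IMPORTANT
    return Grade.GENERAL


def grade_asset(asset: DataAsset) -> Grade:
    """Highest-standard principle: the grade is the highest across all factors."""
    if not asset.impacts:
        raise ValueError(f"{asset.name}: impact analysis has not been performed")
    return max(grade_impact(i) for i in asset.impacts)


def grade_aggregate(assets, aggregate_impacts) -> Grade:
    """Grade of a combined dataset: never below its parts, and raised further when
    aggregation itself creates a new impact (for example scale or coverage)."""
    parts = max(grade_asset(a) for a in assets)
    whole = max((grade_impact(i) for i in aggregate_impacts), default=Grade.GENERAL)
    return max(parts, whole)


def build_catalog(assets):
    """Catalog entries in 'sector - business line - asset' form with the grade."""
    return [
        {
            "classification": f"{a.sector} - {a.business_line} - {a.name}",
            "grade": grade_asset(a).name,
            "special_category": "personal_information" if a.personal_information else None,
        }
        for a in assets
    ]


# Constructed sample assets (hypothetical; not taken from the standard or article).
SAMPLE_ASSETS = [
    DataAsset("employee_payroll", "industrial", "equipment_manufacturing",
              (Impact("individual_rights", Degree.SEVERE_HARM),
               Impact("organizational_rights", Degree.GENERAL_HARM)),
              personal_information=True),
    DataAsset("plant_ot_network_topology", "industrial", "equipment_manufacturing",
              (Impact("economic_operation", Degree.SEVERE_HARM),)),
    DataAsset("regional_grid_load_curves", "energy", "transmission",
              (Impact("economic_operation", Degree.GENERAL_HARM),)),
]

if __name__ == "__main__":
    for entry in build_catalog(SAMPLE_ASSETS):
        print(entry)
    combined = grade_aggregate(
        SAMPLE_ASSETS[1:],
        [Impact("national_security", Degree.PARTICULARLY_SEVERE_HARM)])
    print("aggregated OT + grid dataset:", combined.name)
```

The payroll asset stays at general even though leakage would cause severe harm to the individuals concerned, because both of its impact targets are private ones; the personal-information flag is what routes it to the separate PIPL handling the standards refer to. The OT topology and grid load curves are each graded on their own, but the aggregate of the two is graded from a fresh impact analysis of the combined dataset, which is how the aggregation principle is meant to be applied.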

Data classification and grading procedures

The technical standards provide step-by-step procedures for both government departments and companies to carry out data classification and grading. For companies, the procedures are as follows:

  1. Conduct a data asset review: A comprehensive review of data assets to identify the data assets to be classified and graded, along with their respective industry sectors.
  2. Establish internal rules: Establish their own rules for data classification and grading according to the standards and specifications of industry-specific data classification and grading, combined with the characteristics of the company’s own data, with reference to the technical standards. Note that:
    1. If the industry regulatory authority has established rules for industry-specific data classification and grading, the company should refer to the methods outlined in the technical standards and refine the execution according to the rules of data classification and grading in the industry sector.
    2. If there are no industry-specific standards or specifications recognized by the regulatory authority in the relevant industry sector, or if there are data types not covered by industry-specific standards, the classification and grading should be conducted according to the technical standards.
    3. If the business involves multiple industry sectors, the classification and grading should be refined according to the standards and specifications of data classification and grading in each industry sector, based on the guidelines provided in the technical standards.
  3. Implement data classification: Classify the data and identify and classify special categories of data, such as public data and personal information.
  4. Implement data grading: Grade the data to determine the scope of core data, important data, and general data.
  5. Audit and report the catalog: Audit the results of data classification and grading, form a catalog of data classification and grading, and submit the catalog in accordance with the relevant procedures.
  6. Carry out regular reviews and updates: Based on changes in the importance of data and the potential level of harm, dynamically update the management of data classification and grading rules, catalog of important data and core data, data classification and grading lists, and labels.

Guidelines for the identification of important data

The technical standards include guidelines for stakeholders to identify important data, outlining the factors that should be considered when grading the risk level of the data. These factors are relatively extensive, and include (but are not limited to):

  • Whether the data directly affects territorial security and national unity or reflects the basic situation of national natural resources, such as undisclosed data on land, water, and airspace;
  • Whether the data can be utilized by other countries or organizations to launch military attacks against China or reflect China’s strategic reserves, emergency mobilization, combat capabilities, and so on, such as geographical data that meets certain accuracy indicators or data related to the production capacity and reserves of strategic materials;
  • Whether the data directly affects the order of the market economy, such as data supporting the operation of core businesses in industries or sectors where critical information infrastructure is located or important economic sectors;
  • Whether the data is related to China’s real or potential interests in strategic new regions such as space, deep sea, and polar regions, such as undisclosed data related to scientific exploration and development and utilization of space, deep sea, and polar regions, as well as data affecting the safe entry and exit of personnel in the above areas; and
  • Whether the data reflects the situation of nuclear materials, nuclear facilities, or nuclear activities, or can be used to cause nuclear damage or other nuclear safety incidents, such as data involving design drawings of nuclear power plants and the operation of nuclear power plants.

Companies should closely consider these factors when identifying, classifying, and grading the data that they possess to ensure compliance with the relevant regulations on important data.

Implications for foreign companies

One of the most important uses of the technical standards is to help government regulators and companies assess what is considered “core” and “important” data for matters related to data protection and data export.

Under China’s data export rules, companies are required to undergo a security assessment organized by the Cyberspace Administration of China (CAC) if they wish to transfer “important” data overseas. However, until now important data had not been clearly defined in any government regulation or standard, making it difficult for both companies and regulators to assess which data is subject to these export restrictions.

The CAC has recently made it easier for companies to handle these issues by releasing rules stipulating that any data that hasn’t been explicitly identified as “important” by an industry regulator will not be considered as such, and therefore will be subject to less strict compliance procedures.

However, the technical standards now provide an important tool for companies and regulators in assessing what is considered important data, which will help with more consistent implementation and compliance with data export regulations.

Foreign companies are therefore advised to closely follow the technical standards and carry out the necessary data classification and grading work in order to assess which data, if any, that they hold is graded “important”.


About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.
