Chinese Cybersecurity and data protection laws

Severin Thaler
Senior Consultant

Why Chinese cybersecurity and data protection laws are becoming increasingly important for Swiss and EU/EEA companies

For companies headquartered in Switzerland or the EU/EEA with business activities in China, Chinese cybersecurity and data protection laws are becoming increasingly relevant. The Chinese government has declared cybersecurity and data protection to be key political priorities, which has led to a large number of new laws and regulations. These developments require not only a deep understanding of local legislation, but also the ability to harmonise it with existing compliance standards in Switzerland and the EU/EEA.

Challenges in the implementation of Chinese regulations

Companies face several challenges in complying with China’s cybersecurity and data protection laws:

  • Legislative complexity and dynamics: Chinese data protection laws consist of several overlapping laws, including the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL) and the Data Security Law (DSL). These laws are regularly updated and expanded, resulting in a complex and constantly changing regulatory environment.
  • Strict enforcement and high penalties: Since the Cybersecurity Law came into force in June 2017, the Chinese authorities have tightened enforcement considerably. Companies that violate data protection regulations are increasingly facing heavy fines. In addition, managers can be held personally liable and even face administrative penalties or criminal prosecution.
  • Data localisation: Foreign companies that process data of citizens in China or offer services in China are subject to Chinese regulations. The laws also require certain data to be stored within China, which makes cross-border data transfer considerably more difficult.
  • Technical restrictions: Data synchronisation is difficult because data traffic can be blocked by the “Great Firewall of China”.
  • Information protection: Information/trade secrets such as technology, product developments, customer data, etc. can be viewed by Chinese state authorities.

Why specialised consulting services are crucial

Given these complex requirements, specialised advice is essential to minimise risks, avoid penalties and maintain competitiveness in the Chinese market. By working with specialised consultants, companies can ensure that they comply with Chinese cybersecurity and data protection laws while achieving their global business goals.

Our consulting services at a glance

  • China cybersecurity and data protection compliance
    • Compliance gap analysis: comparison between PIPL and GDPR/FADP with strategic recommendations.
    • Checklist for audit and authority requirements: Preparation for official inspections and audits.
    • Data protection impact assessment (DPIA) for China: Identification and evaluation of risks in data processing related to China. Preparation of the corresponding data protection impact assessment.
    • Advice on the requirement for a security assessment by the Cyberspace Administration of China (CAC)
    • Advice on information protection/trade secrets
  • Secure IT and data architecture for China
    • Strategy paper: Development of an IT architecture that complies with both Chinese regulations and Western security standards.
    • Advice on zero trust and encryption concepts: implementation of modern security approaches.
    • Assessment of the security risks of IT partners: analysis and minimisation of risks in connection with third-party providers.
  • Secure data transmission and risk minimisation
    • Data flow analysis and strategy for compliant data transfers: Optimisation of data flows and implementation of pseudonymisation techniques.
    • Advice on/implementation of the European/Chinese standard contractual clauses (SCC) and data transfer impact assessments (TIA): Support in the legally compliant organisation of international data transfers.
    • Encryption concepts for cross-border data flows: Ensuring data integrity and security.
  • Incident response and crisis management
    • China-specific emergency plan: Preparation for incidents such as cyberattacks, data leaks and requests from authorities.
    • Training for management and data protection officers on crisis communication: Effective communication in the event of a crisis.
    • Checklist for the legally compliant reporting of data protection incidents in accordance with PIPL and GDPR: Ensuring compliance with legal reporting obligations.
  • Audit and risk assessment of Chinese IT partners
    • Audit framework for evaluating Chinese IT service providers: Systematic review of service providers for compliance and security.
    • IT contract review for GDPR/PIPL risks: Identification and minimisation of contractual risks.

Swiss Infosec AG has experience in advising companies on Chinese cybersecurity and data protection laws such as the PIPL, DSL and CSL. We are happy to share specific insights from previous projects upon request. Our goal is to help companies navigate the complex regulatory environment in China in a secure and compliant manner. Contact us to learn more about our services.


© Swiss Infosec AG 2025