China: New data classification standard – data security

 

China has introduced a new data classification standard aimed at supporting forthcoming data security legislation. Released by the Standardization Administration of China (SAC) on March 15, 2024, the standard is titled “GB/T 43697-2024 Data security technology — Rules for data classification and grading.”

In accordance with China’s “Data Security Law,” which mandates the establishment of a state-led data classification and grading protection system, the standard aims to implement classified protection for data based on its significance in economic and social development, as well as its potential impact on national security, public interests, or the legitimate rights and interests of individuals and organizations in the event of data alteration, damage, leakage, illegal acquisition, or unlawful use. Similarly, the “Personal Information Protection Law” also advocates for the classified management of personal information.

To effectively carry out data classification and grading protection measures, it is imperative to initially categorize and grade data, identify key data and core data, and subsequently establish corresponding data security protection protocols.

This standard serves as a foundational support for identifying various types of data relevant to laws and regulations such as the “Data Security Law” and the “Personal Information Protection Law.” It outlines principles, frameworks, methods, and processes for data classification and grading, providing guidance on identifying key data. Furthermore, the standard is designed for industry regulators to develop standards and norms for data classification and grading within their respective sectors, as well as for regions and departments to implement data classification and grading practices, offering guidance for data processors in their classification and grading efforts.

Moreover, this standard will complement existing national standards like “GB/T 35273-2020 Information security technology—Personal information security specification,” forming a crucial part of China’s data security management system implementation framework.