Firms advised to upgrade structure and security for new law

Firms should adapt organizational structure and enhance risk control and data security levels to prepare for the enactment of a new Chinese privacy law, industry experts said.

Last Friday, China passed its first Personal Information Protection Law, which will take effect in November. The law, similar to Europe's General Data Protection Regulation, requires firms to justify their data collection and gives consumers the right to access or delete their information.

Companies should upgrade their business structures to comply with the new regulation, which is their social responsibility based on the new law, said Wang Jianxia, a risk control expert from Deloitte.

Firms are advised to set up independent organizations to review personal information processes, covering the scope and necessity for data usage and definition of sensitive data. They are also encouraged to publish regular reports on data protection, Wang said.

Under the law, individuals and organizations handling personal information will be required to minimize data collection and obtain prior consent, especially for sensitive personal data covering biometrics, medical health, financial accounts and travel history.

All data of minors under the age 18 are considered sensitive data, which should be checked and processed carefully, experts said.

Firms are encouraged to establish a "security brain" to deal with criminals stealing personal information, cyber attacks and data leakage risks. The data leaked has boosted a black market, according to 360, China's biggest cybersecurity firm.

In the first quarter, 360 received 606 smartphone crime reports, with each victim losing 14,611 yuan on average. They experienced fraudulent activity related to finance, dating, online shopping and job-seeking services through the use of leaked personal information.

"The new law provides a clear legal basis for the network security industry, and also puts forward new market demands. It will greatly promote the healthy development of the industry," said experts from 360.

The law offers a clear and operational standard for online security firms, bringing benefits to the entire industry, said Liu Haiyang, a Tencent security expert.

Currently, 360 has products with privacy bodyguard functions, capable of preventing software from collecting excessive information and enabling users to find out about privacy leaks. It's developing a "security brain," covering infrastructures with passwords, certificates, identity management and high-level security expert operation systems.