
Personal information security specification –
Cybersecurity Law of the People’s Republic of China
Data privacy mandates in China

Thales helps organisations address the requirements of the Personal Information Protection Law.


The Standardisation Administration of China (SAC) joined with the State Administration for Market Regulation (SAMR) to issue GB/T 35273-2020 《信息安全技术 个人信息安全规范》, or “Information Security Technology – Personal Information Security Specification,” which came into effect on October 1, 2020. This 2020 specification replaced GB/T 35273-2017, which had been in effect since 2017.

The 2020 specification updates and refines the guidelines set out in the 2017 Personal Information Security Specification. It is not mandatory; it is a set of recommended guidelines that explain and reinforce China’s 2017 Cybersecurity Law. Although the 2020 specification is not enforceable by law, the Chinese government uses these standards to evaluate an entity’s compliance with China’s legal guidelines and regulations.

Thales enables organisations to align with the Personal Information Security Specification (PISS) while reducing risk, complexity and cost, in part through:

  • Access control
  • Encryption, tokenisation and cryptographic key management
  • Security intelligence logs

Regulation summary

Personal Information Security Specification (PISS) – Cybersecurity Law of the People’s Republic of China focuses on the security issues of personal information and standardises information controllers’ behaviours at various stages of information processing, including the collection, storage, use, sharing, transfer and public disclosure.

Objective

To stem the illegal collection, abuse and leakage of personal information and protect the legitimate rights and interests of individuals and public interests to the greatest extent possible.

Thales CPL helps organisations comply with the Personal Information Security Specification (PISS) – Cybersecurity Law of the People’s Republic of China through:

  • Access control to ensure only authenticated users have access to your systems and data
  • Encryption, tokenisation and cryptographic key management to ensure that if data is stolen, it will be meaningless and useless to cybercriminals
  • Security intelligence logs to identify irregular access patterns and breaches in progress

Strong access management and authentication

Thales Access Management and Authentication Solutions provide both the security mechanisms and reporting capabilities organisations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data.

Protection of sensitive data at rest

  • Granular privileged access controls
  • Separation of privileged access users and sensitive user data
  • Separation of administrative duties
  • Centralised administration and access controls

Protecting sensitive data in motion

Thales High-Speed Encryptors (HSEs) provide network-independent data-in-motion encryption (Layers 2, 3 and 4), ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.

Recommended resources

Addressing Requirements of Personal Information Security Specification - Cybersecurity Law of the People's Republic of China – eBook

This eBook details how an organization addresses compliance requirements with Thales. It covers the following: What is it? What are the details? How can organizations prepare for it?

Thales CipherTrust Data Discovery and Classification - Product Brief

The crucial first step in privacy and data protection regulatory compliance is to understand what constitutes sensitive data, where it is stored, and how it is used. If you don't know what sensitive data you have, where it is, and why you have it, you cannot apply effective...

Top reasons for using CipherTrust Data Discovery and Classification - Data Sheet

Complying with the constant evolution of data privacy laws and regulations is very challenging. Knowing where all your sensitive data resides is a timely and costly ongoing task when you are relying solely on manual methods. Minimizing your risks due to the inevitable data...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organisation that processes the personal data of EU citizens - regardless of where the organisation is headquartered.

PCI DSS

Mandate
Active Now

Any organisation that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbour” clause.