Twelve major responses to the Personal Information Protection Law

In response to the new management and compliance requirements brought about by the Personal Information Protection Law, we have summarized the "Twelve Major Response Measures" for reference by various industries and enterprises. We will also provide recommendations on how different industries can implement these measures based on their specific circumstances and needs. The "Twelve Major Response Measures" are as follows:

Establish a classification and hierarchical management system for personal information
Establish a personal information protection organization and designate a person in charge of personal information protection if the requirements are met.
Establish a full life cycle management system for personal information
Establish a personal information subject authorization management platform and connect it with the enterprise access rights management system
Establish a personal information security impact assessment system
Establish an emergency response system for personal information security incidents and a process for cooperating with regulatory authorities to investigate and collect evidence.
Establish a personal information trustee management system
Establish an application acceptance and processing mechanism for personal information subjects to exercise their rights
Establish a personal information protection compliance audit system
Establish a personal information security education and training system
Establish a security assessment system for cross-border transmission of personal information
Establish a privacy design system to review the use of high-tech technologies such as user profiling, big data analysis, and artificial intelligence by applications (APPs), and make full use of privacy computing technologies such as encryption and de-identification.
The figure below maps these "twelve major response measures" to the requirements of the Personal Information Protection Law framework.

Figure 1: Correspondence between the twelve major response measures and the requirements of personal protection law

The following is our elaboration on the specific application of the "Twelve Major Response Measures" in the financial industry.

  1. Establish a classification and hierarchical management system for personal information
    Article 51 of the Personal Information Protection Law stipulates that personal information processors need to "implement classified management of personal information." Many financial institutions have already classified metadata in data governance projects in previous years, but input from a security perspective has generally been lacking.

Sections 3.1 and 3.2 of GB/T 35273-2020 "Personal Information Security Specification", which took effect on October 1, 2020, define personal information and sensitive personal information, and Appendices A and B provide the determination methods and categories.

Sections 3.2 and 3.3 of JR/T 0171-2020 "Technical Specifications for the Protection of Personal Financial Information", promulgated by the Central Bank and effective on February 13, 2020, define personal financial information and payment-sensitive information, and Sections 4.1 and 4.2 explain and classify them in detail:

C3: User authentication information

C2: User identity information, financial status information and key product and service information

C1: Personal financial information used internally by financial institutions

JR/T 0197-2020 "Financial Data Security - Data Security Grading Guide", promulgated by the Central Bank and effective on September 23, 2020, further standardizes the hierarchical security protection of financial data in the broad sense and is the most detailed guide for the classified and hierarchical management of financial data security. Section 3.10 defines financial data; the definition of personal financial information in 3.11 is completely consistent with the definition in 3.2 of the "Technical Specifications for the Protection of Personal Financial Information"; 4.2 and 4.3 further clarify the principles and scope of grading; Section 5 describes in detail the elements, rules and process of financial data security grading, dynamic level change management, and the identification of important data:

Figure 2: Financial data grading process

Appendix A lists a reference table of typical financial data grading rules in great detail. Its listing of personal financial data is the most complete and detailed, and corresponds fully to C3, C2 and C1 in the "Technical Specifications for the Protection of Personal Financial Information" as well as to personal information and sensitive personal information in the "Personal Information Security Specification", as shown in the table below. Financial institutions are advised to carry out classification and grading work at the granularity of the reference table, adapted to the actual situation of the institution:

JR/T 0197 | JR/T 0171 | GB/T 35273
Level 4: Information that seriously affects personal privacy. Traditional authentication information (bank card track data or chip-equivalent information, card verification codes (CVN and CVN2), card validity period, bank card password, online payment transaction password, account login password, transaction password, query password, etc.); weakly private biometric information (face, voiceprint, gait, ear print, eye print, handwriting, etc.); strongly private biometric information (fingerprint, iris, etc.) | C3 | Sensitive personal information
Level 3: Information that seriously affects personal privacy. Basic personal profile information (name, gender, nationality, ethnicity, marital status, identity document, address, etc.); personal property information (income, real estate, vehicles, taxes, provident fund, social security, medical insurance, etc.); personal contact information (mobile phone, landline, email, WeChat ID, etc.); personal health and physiological information (symptoms, hospitalization records, medical orders, test reports, surgical anesthesia records, nursing records, medication records, allergy information, fertility information, medical history, diagnosis and treatment, family medical history, current medical history, infectious disease history, etc.); personal location information (country, city, region, street, longitude and latitude, etc.); personal authentication information (dynamic password, SMS verification code, answers to password hint questions, dynamic voiceprint password, etc.); personal credit information (loan information, repayment information, arrears information); personal relationship information (parents, children, siblings, spouse, social relationships); basic tag information (personal tags based on basic attributes such as education, occupation, etc.); relationship tag information (personal tags constructed from associated attributes such as family, professional and business relationships) | C2 | Sensitive personal information
Level 2: Information that moderately or slightly affects personal privacy. Personal education information (school, department, academic qualifications, degree, subject, admission date, graduation date, etc.); personal employment information (employer, position, work location, income, start date, end date, etc.); personal qualification certificate information (certificate number, issuing authority, effective date, expiration date, etc.); personal party and government information (party, date of joining); public-private relationship information (job information); personal behavior information (online and offline consultation, purchase and usage records; browsing records, driving habits, etc.); other tags (contract tags, transaction tags, behavior tags, marketing service tags, risk tags, value tags) | C1 | Personal information
Table 1: Correspondence of personal financial information across the three major standards
  2. Establish a personal information protection organization and designate a person in charge of personal information protection if the requirements are met.
    Article 52 of the Personal Information Protection Law stipulates that "personal information processors that process personal information reaching the amount specified by the national cyberspace administration shall designate a person in charge of personal information protection, who shall be responsible for supervising personal information processing activities and the protective measures taken." Article 66 (Legal Liability) stipulates that "if personal information is processed in violation of the provisions of this Law, or personal information is processed without fulfilling the personal information protection obligations stipulated in this Law, ... the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 10,000 and not more than RMB 100,000. In serious cases, ... the directly responsible person in charge and other directly responsible personnel shall be fined not less than RMB 100,000 and not more than RMB 1,000,000, and may be prohibited from serving as directors, supervisors, senior managers or persons in charge of personal information protection of relevant enterprises for a certain period."

The person in charge of personal information protection is similar to the DPO stipulated in the GDPR. For the responsibilities of this position, refer to the recommendations in 7.2.2 b) of JR/T 0171-2020 "Technical Specifications for the Protection of Personal Financial Information":

Responsible for formulating and managing the institution’s personal financial information security management system;
Develop, implement, and regularly update privacy policies and related procedures;
Supervise the security management of personal financial information within the organization, as well as between the organization and external partners;
Conduct internal audits of information security management, analyze and handle information security-related incidents;
Organize and carry out personal financial information security impact assessments and propose countermeasures and suggestions for personal financial information protection;
Organize technical testing before financial products or services are released online to avoid unknown (inconsistent with financial product or service functions and privacy policies) collection, use, sharing and other processing of personal financial information;
Publish information on complaints and appeal methods and promptly accept complaints and appeals related to personal financial information.
For a more comprehensive organizational structure for personal financial information protection, refer to Section 8 "Data Security Organizational Guarantees" of JR/T 0223-2021 "Financial Data Life Cycle Security Specification", promulgated by the Central Bank and effective on April 8, 2021:

Figure 3: Data security management system architecture

Financial institutions should set up a data security management committee, establish a top-down data security management system covering the four levels of decision-making, management, execution and supervision (see the figure above), clarify the organizational structure and position settings, and ensure the effective implementation of data life cycle security protection requirements.

  3. Establish a full life cycle management system for personal financial information
    Article 4 of the Personal Information Protection Law defines personal information processing to include "the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information", covering the entire life cycle of personal information, while Articles 5 to 32 set out the corresponding detailed requirements. Financial institutions must establish a management system that covers the entire life cycle of personal financial information in order to meet the requirements of the Personal Information Protection Law dynamically at every link.

Sections 6 and 7 of JR/T 0171-2020 "Technical Specifications for the Protection of Personal Financial Information" respectively put forward technical requirements and management requirements for the life cycle of personal financial information. The JR/T0223-2021 "Financial Data Life Cycle Security Specification" puts forward more complete and systematic security requirements for overall financial data from a life cycle perspective.

JR/T 0071.2-2020 "Implementation Guidelines for Cybersecurity Classified Protection in the Financial Industry", updated in line with Cybersecurity Classified Protection 2.0 and effective on November 11, 2020, also puts forward enhanced personal information protection requirements for the financial industry (7.1.4.11, 8.1.4.11 and 9.1.4.11): the two personal information protection requirements of the general Classified Protection 2.0 standard have been expanded to six, in particular requirements for the management, control, inspection and evaluation of the whole life cycle, and requirements for the display, development and testing, sharing and transfer links.

These specifications can be mapped to one another relatively well, and taken together they can basically meet the corresponding requirements of the Personal Information Protection Law (as shown below).

Figure 4: Correspondence between the financial data life cycle and the requirements of the Personal Information Protection Law and the corresponding regulations and standards
  4. Establish a personal information subject authorization management platform and connect it with the enterprise access rights management system
    Article 13 of the Personal Information Protection Law stipulates that the authorization and consent of the personal information subject is the primary legal basis for the collection and processing of personal information. Articles 23, 25, 26, 29 and 39 further require the separate consent of the personal information subject in five circumstances: providing personal information to third parties, public disclosure, using personal information collected in public places for other purposes, processing sensitive personal information, and providing personal information overseas. Article 15 gives personal information subjects the right to withdraw consent. Financial institutions must therefore establish a platform that dynamically links the authorization of personal information subjects with the enterprise access control system across the entire life cycle of personal financial information in order to meet the requirements of the Personal Information Protection Law.

As shown in the figure below, the unified authorization management platform assigns "authorization attributes" (for example as tags) to collected data on the basis of the explicit authorization of personal information subjects (customers), and establishes Attribute-Based Access Control (ABAC) over these data using those attributes. This is then combined with the Role-Based Access Control (RBAC) commonly used in enterprise identity authentication and access control systems and applied to every application system and business process link in the personal information life cycle, so that access can be adjusted dynamically.

Figure 5: The combination of the unified authorization management platform for personal information subjects and the access control system
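The following is an added illustration of the combination described above, not code from the article or from any platform it mentions: a policy decision point that checks RBAC first (which roles may perform which actions on which JR/T 0171 level) and then ABAC over the consent attributes attached to each record (consented purposes, the separate-consent flags for sensitive, third-party and cross-border processing, and a withdrawal timestamp). All role names, purposes and the record layout are constructed assumptions.

```python
"""Consent-linked access control: RBAC for enterprise roles combined with
ABAC over the authorization attributes granted by the data subject.

Added example; the roles, purposes and record layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Consent:
    """Authorization attributes tagged onto collected data.

    purposes:     processing purposes the subject agreed to (Art. 13)
    sensitive:    separate consent for sensitive personal information (Art. 29)
    third_party:  separate consent to provide to other processors (Art. 23)
    cross_border: separate consent to provide overseas (Art. 39)
    withdrawn_at: set when the subject withdraws consent (Art. 15)
    """
    subject_id: str
    purposes: frozenset
    sensitive: bool = False
    third_party: bool = False
    cross_border: bool = False
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        return self.withdrawn_at is None or at < self.withdrawn_at


@dataclass
class Record:
    subject_id: str
    category: str            # JR/T 0171 level, e.g. "C1", "C2", "C3"
    sensitive: bool
    consent: Consent


@dataclass
class Request:
    role: str
    action: str              # "read" | "provide_third_party" | "provide_overseas"
    purpose: str             # declared processing purpose
    at: datetime


# RBAC layer: (action, JR/T 0171 level) pairs each enterprise role may perform.
# Constructed for the example; a real institution derives this from its IAM.
ROLE_PERMISSIONS = {
    "credit_officer": {("read", "C1"), ("read", "C2")},
    "fraud_analyst": {("read", "C1"), ("read", "C2"), ("read", "C3")},
    "marketing": {("read", "C1")},
    "partner_export": {("provide_third_party", "C2"), ("provide_overseas", "C2")},
}


def decide(req: Request, rec: Record) -> tuple:
    """Return (allowed, reason). RBAC is evaluated first, then ABAC over the
    record's consent attributes. Every denial names the rule that failed so
    the decision can be logged for the compliance audit."""
    if (req.action, rec.category) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "rbac: role lacks permission"
    c = rec.consent
    if not c.active(req.at):
        return False, "abac: consent withdrawn"
    if req.purpose not in c.purposes:
        return False, "abac: purpose not consented"
    if rec.sensitive and not c.sensitive:
        return False, "abac: no separate consent for sensitive PI"
    if req.action == "provide_third_party" and not c.third_party:
        return False, "abac: no separate consent for third-party provision"
    if req.action == "provide_overseas" and not c.cross_border:
        return False, "abac: no separate consent for cross-border provision"
    return True, "allow"


def demo() -> dict:
    """Constructed scenario: one C2 record, requests before and after the
    subject withdraws consent. Returns the decision for each request."""
    t0 = datetime(2021, 11, 1, tzinfo=timezone.utc)
    consent = Consent("cust-001", frozenset({"credit_assessment"}), sensitive=True)
    rec = Record("cust-001", "C2", sensitive=True, consent=consent)
    out = {
        "credit_read": decide(Request("credit_officer", "read", "credit_assessment", t0), rec),
        "marketing_read": decide(Request("marketing", "read", "marketing", t0), rec),
        "other_purpose": decide(Request("credit_officer", "read", "marketing", t0), rec),
        "export": decide(Request("partner_export", "provide_overseas", "credit_assessment", t0), rec),
    }
    # Art. 15: the subject withdraws consent; the same record is now blocked
    # for every role without any change to the RBAC configuration.
    consent.withdrawn_at = datetime(2021, 12, 1, tzinfo=timezone.utc)
    t1 = datetime(2021, 12, 2, tzinfo=timezone.utc)
    out["after_withdrawal"] = decide(Request("credit_officer", "read", "credit_assessment", t1), rec)
    return out


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:17s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```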
  5. Establish a personal information security impact assessment system
    Article 55 of the Personal Information Protection Law requires a personal information protection impact assessment in the following circumstances:

(1) Processing of sensitive personal information;

(2) Use personal information for automated decision-making;

(3) Entrust the processing of personal information, provide personal information to other personal information processors, and disclose personal information;

(4) Providing personal information overseas;

(5) Other personal information processing activities that have a significant impact on personal rights and interests.

Article 56 stipulates what personal information protection impact assessment should include:

(1) Whether the purpose and method of processing personal information are legal, legitimate and necessary;

(2) Impact on personal rights and security risks;

(3) Whether the protective measures taken are legal, effective and commensurate with the level of risk.

Personal information protection impact assessment reports and processing records should be kept for at least three years.

GB/T 39335-2020 "Guidelines for Personal Information Security Impact Assessment" provides the basic principles and implementation process of personal information security impact assessment, and in its appendices lists the key assessment points, examples of high-risk personal information processing activities, commonly used tools and a reference method; it is a very practical national standard. Financial institutions can use it to establish their own personal financial information security assessment system based on their actual conditions. The following figure shows the assessment steps recommended by this national standard:

Figure 6: Personal information security impact assessment process

According to its Appendix B "Examples of High-Risk Personal Information Processing Activities", financial institutions need to pay attention to the following:

Data processing involves the evaluation or scoring of the personal data subject, in particular the evaluation or prediction of the subject's work performance, economic situation, health status, preferences or interests (such as pre-loan credit analysis, or premium-setting decisions based on lifestyle or health status)
Automated analysis of personal information to make judicial rulings or other decisions that have a significant impact on individuals (such as designing marketing plans based on user profiling of individual preferences)
The amount and proportion of personal sensitive information collected is large, the frequency of collection is high, and it is closely related to personal experience, thoughts, opinions, health, financial status, etc.
Match and merge data sets from different processing activities and apply them to business (fraud prevention, risk control, etc.)
Data processing involves vulnerable groups, such as minors, patients, the elderly, low-income people, etc.
Application of innovative technologies or solutions, such as biometric identification, Internet of Things, artificial intelligence, etc. (such as artificial intelligence customer service)
The processing of personal information may result in the personal information subject being unable to exercise rights, use services, or obtain contractual protection (such as making credit decisions for potential customers).
Appendix D "Personal Information Security Impact Assessment Reference Method" also provides a risk level determination table for comprehensive assessment in the two dimensions of "impact level" and "possibility level":

Table 2: Personal information security impact assessment comprehensive risk level determination table
  6. Establish an emergency response system for personal information security incidents and a process for cooperating with regulatory authorities to investigate and collect evidence.
    Article 51 of the Personal Information Protection Law stipulates that personal information processors must "formulate and organize the implementation of emergency plans for personal information security incidents." Article 57 stipulates that "if personal information leakage, tampering or loss occurs or may occur, the personal information processor shall immediately take remedial measures and notify the departments performing personal information protection duties and the individuals concerned", and lists the specific content that must be notified. Article 63 gives the departments performing personal information protection duties the right to investigate and collect evidence. Financial institutions should comply with the requirements of this Law and refer to the "Measures for the Administration of Financial Services of Banking and Insurance Institutions in Response to Emergencies", GB/T 38645 "Guidelines for Emergency Drills for Cybersecurity Incidents", the "Shanghai Cybersecurity Incident Emergency Plan (2019 Edition)" and similar documents to develop emergency plans for personal information leakage, tampering and loss.
Figure 7: Emergency response mechanism for personal information security incidents
  7. Establish a personal information trustee management system
    Article 22 of the Personal Information Protection Law stipulates that "the entrusted party shall process personal information in accordance with the agreement and shall not process personal information beyond the agreed processing purposes, processing methods, etc.; if the entrustment contract does not take effect, is invalid, revoked or terminated, the entrusted party shall return the personal information to the personal information processor or delete it, and shall not retain it. Without the consent of the personal information processor, the entrusted party shall not entrust others to process the personal information." Article 55 stipulates that "the entrusted party shall, in accordance with the provisions of this Law and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist the personal information processor in fulfilling its obligations under this Law." Financial institutions can manage trustees in accordance with the former China Banking Regulatory Commission's series of regulations on information technology outsourcing risk and the requirements of 8.4 of JR/T 0223-2021 "Financial Data Life Cycle Security Specification".
Figure 8: Trustee risk management system
  8. Establish an application acceptance and processing mechanism for personal information subjects to exercise their rights
    Articles 44 to 49 in Chapter 4 of the Personal Information Protection Law give personal information subjects a series of rights, and Article 50 requires that "personal information processors shall establish a convenient mechanism for accepting and processing applications by individuals to exercise their rights." If an application is rejected, the personal information subject has the right to sue. Article 70 further stipulates the mechanism for relevant departments and organizations to bring public interest litigation.

Given the requirement of "convenience", financial institutions should do their best to establish an omni-channel acceptance platform, in particular covering online channels such as apps and official accounts.

Figure 9: Personal information subject rights application acceptance and processing system
  9. Establish a personal information protection compliance audit system
    Article 54 of the Personal Information Protection Law requires that "personal information processors shall regularly conduct compliance audits of their personal information processing activities' compliance with laws and administrative regulations." Article 64 empowers the relevant departments to require "personal information processors to entrust professional institutions to conduct compliance audits of their personal information processing activities." Article 58 requires "personal information processors that provide important Internet platform services, have a large number of users and operate complex business types" to "establish an independent body composed mainly of external members to supervise personal information protection" and to "regularly publish social responsibility reports on personal information protection and accept social supervision."

Financial institutions can define their security audit responsibilities according to 8.1 d) of JR/T 0223-2021 "Financial Data Life Cycle Security Specification", which states:

Compliance audit, risk management and other related positions, as the supervisory layer of data security management, should perform the following job responsibilities:

1) Based on the actual situation of the organization's data-related business, determine the corresponding audit strategies and specifications, including but not limited to audit cycles, audit methods, audit forms, etc.

2) Supervise the implementation of data security policies and guidelines.

3) Publish information such as complaints and reporting methods, and promptly accept complaints and reports related to data security and privacy protection.

4) Carry out internal data security audits and analysis, identify and provide feedback on problems and risks, and supervise the organization's subsequent rectification work.

5) Cooperate with the organization and coordination work related to external audit.

Figure 10: Personal information security audit process
  10. Establish a personal information security education and training system
    Article 51 of the Personal Information Protection Law requires "regular security education and training for employees." A training plan can be developed with reference to the requirements of 8.3 b) of the "Financial Data Life Cycle Security Specification":

1) Regularly carry out data security awareness education and training in accordance with the training plan. The training content includes but is not limited to relevant national laws and regulations, industry rules and regulations, technical standards, and the institution's internal data security systems and management procedures; training results are evaluated, recorded and archived.

2) Regularly carry out data security awareness education and training for personnel who have close contact with high-security level data, cultivate awareness of regular deletion of office data, and regularly conduct self-examination of data deletion.

3) Conduct special data security training at least once a year for full-time and key personnel in data security management.

4) At least once a year or when there are major changes in the privacy policy, conduct professional training and assessment for personnel in key positions of data security to ensure that personnel are proficient in the privacy policy and related procedures.

The construction of personal information security awareness for all employees usually includes four parts: training content, evaluation and tracking, communication plan, and awareness culture.

Figure 11: Personal information security training system
  11. Establish a security assessment system for cross-border transmission of personal information
    Articles 38 to 43 of the Personal Information Protection Law regulate the cross-border transfer of personal information. The following summarizes the laws, regulations and national and industry standard provisions applicable to financial institutions regarding the localization and cross-border transmission of personal financial information:

a. Article 37 of the "Cybersecurity Law":

Personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory of the People's Republic of China. If it is indeed necessary to provide information overseas due to business needs, a security assessment shall be conducted in accordance with the methods formulated by the national cybersecurity and informatization department in conjunction with relevant departments of the State Council.

b. Article 26 of the "Data Security Law":

If any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in terms of investment, trade, etc. related to data and data development and utilization technology, the People's Republic of China may take corresponding measures against that country or region based on the actual situation.

c. Article 31 of the "Data Security Law":

The outbound security management of important data collected and generated by operators of critical information infrastructure in their operations within the territory of the People's Republic of China is governed by the provisions of the Cybersecurity Law of the People's Republic of China; measures for the outbound security management of important data collected and generated by other data processors in their operations within the territory of the People's Republic of China shall be formulated by the national cybersecurity and informatization department in conjunction with the relevant departments of the State Council.

d. Article 36 of the "Data Security Law":

The competent authorities of the People's Republic of China shall handle requests for data from foreign judicial or law enforcement agencies in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent authorities of the People's Republic of China, domestic organizations and individuals may not provide data stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies.

e. Article 40 of the "Personal Information Protection Law":

Critical information infrastructure operators and personal information processors that handle the amount of personal information specified by the national cybersecurity and informatization department shall store personal information collected and generated within the territory of the People's Republic of China within the territory of the People's Republic of China. If it is really necessary to provide it overseas, it must pass the security assessment organized by the national cybersecurity and informatization department.

f. Article 41 of the "Personal Information Protection Law":

The competent authorities of the People's Republic of China shall handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored within the country in accordance with relevant laws and international treaties and agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity. Without the approval of the competent authorities of the People's Republic of China, personal information processors shall not provide personal information stored in the territory of the People's Republic of China to foreign judicial or law enforcement agencies.

g. Article 42 of the "Personal Information Protection Law":

If overseas organizations or individuals engage in personal information processing activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China, or endanger the national security or public interests of the People's Republic of China, the national cybersecurity and informatization department may include them in a list of entities restricted or prohibited from receiving personal information, announce the list, and take measures such as restricting or prohibiting the provision of personal information to them.

h. Article 43 of the "Personal Information Protection Law":

If any country or region adopts discriminatory prohibitions, restrictions or other similar measures against the People's Republic of China in terms of personal information protection, the People's Republic of China may take reciprocal measures against the country or region based on the actual situation.

i. Article 177 of the Securities Law:

Overseas securities regulatory agencies are not allowed to directly conduct investigation and evidence collection and other activities within the territory of the People's Republic of China. Without the consent of the securities regulatory authority of the State Council and the relevant competent departments of the State Council, no unit or individual may provide documents and information related to securities business activities overseas without authorization.

j. Article 5 of the Anti-Money Laundering Law:

Customer identity information and transaction information obtained by performing anti-money laundering duties or obligations in accordance with the law shall be kept confidential; they shall not be provided to any unit or individual except in accordance with legal provisions.

k. Article 6 of the "Cybersecurity Review Measures - Revised Draft for Comments":

Operators that hold the personal information of more than 1 million users and intend to list abroad must apply to the Cybersecurity Review Office for a cybersecurity review.

l. Article 10 of the "Cybersecurity Review Measures - Revised Draft for Comments":

Risks of illegal control, interference or destruction of critical information infrastructure caused by the use of products and services.
Harm to the business continuity of critical information infrastructure due to interruptions in the supply of products and services.
The safety, openness, transparency and diversity of sources of products and services, the reliability of supply channels, and the risk of supply interruption due to political, diplomatic, trade and other factors.
Product and service providers' compliance with Chinese laws, administrative regulations and departmental rules.
The risk of core data, important data or large amounts of personal information being stolen, leaked, damaged, illegally utilized or transferred abroad.
After listing abroad, the risk that critical information infrastructure, core data, important data or large amounts of personal information will be affected, controlled or maliciously used by foreign governments.

m. Article 20 of the "Trial Measures for the Protection of Personal Financial Information (Data)" and 7.1.3.d of the "Technical Specifications for the Protection of Personal Financial Information" both stipulate:

Personal financial information collected and generated during the provision of financial products or services within the territory of the People's Republic of China shall be stored, processed and analyzed within the territory of the People's Republic of China. If, due to business needs, it is really necessary to provide personal financial information to overseas institutions (including the head office, parent company or branches, subsidiaries and other related institutions necessary to complete the business), the specific requirements are as follows:

Comply with national laws and regulations and the relevant regulations of industry authorities;
Obtain the express consent of the subject of the personal financial information;
Carry out a personal financial information export security assessment in accordance with the methods and standards formulated by the state and relevant industry departments, to ensure that the data security protection capabilities of the overseas institution meet the security requirements of the state, relevant industry departments and the financial institution;
Through agreements signed with the overseas institution, on-site inspections and similar means, clarify and supervise the effective performance by the overseas institution of its responsibilities and obligations regarding confidentiality of personal financial information, data deletion, and assistance with cases.

n. Article 2 of the "Measures for Security Assessment of Personal Information Transfer Abroad - Draft for Comments":

Network operators that provide personal information collected during operations within the territory of the People's Republic of China to overseas countries (hereinafter referred to as personal information export) shall conduct security assessments in accordance with these Measures. If it is determined through security assessment that the export of personal information may affect national security, harm public interests, or it is difficult to effectively protect the security of personal information, it shall not be allowed to export.

Almost all of these laws and regulations require a security assessment before personal information leaves the country, and the central bank has made it clear that personal financial information must be stored, processed and analyzed locally, with any cross-border transfer subject to security assessment and approval. Article 38 of the Personal Information Protection Law is equally explicit:

If a personal information processor really needs to provide personal information outside the territory of the People's Republic of China due to business needs, it must meet one of the following conditions:

(1) Pass the security assessment organized by the national cybersecurity and informatization department in accordance with the provisions of Article 40 of this Law;

(2) Obtain personal information protection certification from a professional organization in accordance with the regulations of the national cyberspace department;

(3) Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the national cybersecurity and informatization department to stipulate the rights and obligations of both parties;

(4) Other conditions stipulated by laws, administrative regulations or the national cybersecurity and informatization department.

In addition, personal information processors are required to take necessary measures to ensure that the activities of overseas recipients processing personal information meet the personal information protection standards stipulated in this law.

At present, neither the "Measures for Security Assessment of Personal Information Transfers - Draft for Comments" nor the "Guidelines for Security Assessment of Data Transfers - Draft for Comments" has come into effect. However, if a financial institution does not yet have a comprehensive security assessment system of its own for the cross-border transfer of personal information, and it is indeed necessary to transfer personal information overseas for business needs, it is recommended to carry out the security assessment in accordance with these two documents even though they are not yet in effect, then submit the report to the supervisory authority and obtain approval.

According to the "Data Transfer Security Assessment Guide - Draft for Comments", the institution must first conduct a purpose assessment to confirm the legality, legitimacy and necessity of transferring the personal information abroad, and then conduct the security assessment proper: evaluate the impact on the information itself and on the security of the data, and evaluate the management and technical capabilities of the sender and the receiver:

Figure 12: Key points for assessment of cross-border transfer of personal information

Table 3: Determination of the level of impact on personal rights and interests, national security, economic development and social public interests

Table 4: Security assurance capabilities of the sender and receiver

Table 5: Security incident possibility level determination table

Table 6: Reference table for determining security risk levels

According to Guideline 4.2.5: "If, after evaluation, the data export plan does not meet the legality, legitimacy and necessity requirements of the export purpose assessment, or the export security risk in the data export security risk assessment is high or extremely high, personal information and important data may not be exported."

12. Establish a privacy design system to review the use of high-tech technologies such as user profiling, big data analysis, and artificial intelligence by applications (APPs), and make full use of privacy computing technologies such as encryption and de-identification.

Article 73 of the Personal Information Protection Law defines automated decision-making: "It refers to activities that automatically analyze and evaluate an individual's behavioral habits, interests, or economic, health, credit status, etc., through computer programs, and make decisions." Article 24 sets specific requirements and draws a red line for big data and algorithms; in particular it adds "unreasonable differential treatment of individuals in terms of transaction prices and other transaction conditions", aimed at the practice of "big data killing familiarity" (charging regular customers higher prices), and requires that individuals be given a "convenient way to refuse". In addition, section 7.4 of the "Personal Information Security Specification" restricts the use of user profiles, requiring that only indirect user profiles be used for commercial push. Financial institutions should establish a privacy design system and implement privacy by default in every stage of product development and service delivery.

Figure 13: Privacy by design process

Article 73 of the Personal Information Protection Law defines anonymization and de-identification, and Article 51 requires personal information processors to "take appropriate encryption, de-identification and other security technical measures." Financial institutions can follow the specific requirements for encryption and de-identification in JR/T 0171-2020 "Technical Specifications for the Protection of Personal Financial Information", and refer to GB/T 37964-2019 "Guidelines for De-identification of Personal Information", to apply appropriate encryption and de-identification technologies in the scenarios that require them.

Figure 14: Principles and technologies for de-identification of personal information
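As an added illustration of the Article 73 distinction quoted above (not code from the original article or from any of the cited standards), the following Python script applies three common de-identification techniques to a constructed personal financial information record: masking of display fields, keyed pseudonymization of the ID number, and generalization. The record fields, sample values and the HMAC key are all constructed assumptions.

```python
"""De-identification vs anonymization of a constructed personal financial record.
Added example; field names, values and the key are constructed, not real data."""
import hashlib
import hmac

# Constructed sample records (fabricated persons, not real identifiers).
RECORDS = [
    {"name": "Zhang San", "id_no": "110101199001011234",
     "phone": "13800138000", "card": "6222021234567890123", "balance": 152300},
    {"name": "Li Si", "id_no": "310101198512125678",
     "phone": "13900139000", "card": "6228481234567890456", "balance": 8800},
]

def mask(value: str, keep_head: int, keep_tail: int) -> str:
    """Suppress the middle of an identifier, keeping only edge digits for display."""
    hidden = max(len(value) - keep_head - keep_tail, 0)
    return value[:keep_head] + "*" * hidden + value[len(value) - keep_tail:]

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable across datasets for linkage, but only
    re-identifiable by whoever holds the key. This is de-identification, not
    anonymization, because the key re-establishes the link to the person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def generalize_balance(amount: int) -> str:
    """Replace an exact balance with a coarse band so it no longer singles out a person."""
    if amount < 10_000:
        return "<10k"
    if amount < 100_000:
        return "10k-100k"
    return ">=100k"

def deidentify(record: dict, key: bytes) -> dict:
    """Direct identifiers removed or transformed; the pseudonym still allows linkage."""
    return {
        "subject": pseudonymize(record["id_no"], key),
        "phone": mask(record["phone"], 3, 4),   # 138****8000
        "card": mask(record["card"], 6, 4),     # BIN kept, middle digits suppressed
        "balance": record["balance"],
    }

def anonymize(record: dict) -> dict:
    """Only generalized attributes survive; no key exists that recovers the subject,
    which is what separates anonymization from de-identification in Article 73."""
    return {"balance_band": generalize_balance(record["balance"]),
            "id_region": record["id_no"][:2]}   # province code only

if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-in-production"
    for r in RECORDS:
        print(deidentify(r, key), anonymize(r))
```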

In order to encourage the application of privacy computing technology in the financial industry, the central bank specially issued JR/T 0196-2020 "Technical Specification for Multi-Party Secure Computing Financial Applications" (MPC), which sets out security and performance requirements. The following figure compares the main privacy computing technologies.

Figure 15: Comparison of commonly used privacy computing technologies

If privacy computing technology develops further and can meet the needs of the various financial business scenarios in both scope and performance, it will greatly enable data sharing under all kinds of requirements while maintaining extremely high security, for example in joint credit reporting and cross-border data scenarios. All financial institutions should pay close attention to the development of privacy computing technology and actively try it out.

Finally, I would like to recommend to you the "Overall Framework of Personal Information Management System" by the consulting firm Deloitte.

Figure 16: Overall framework of personal information management system

The three major financial standards issued by the central bank and repeatedly recommended in this article can help realize these "twelve major response measures".

Figure 17: Correspondence between the twelve major response measures and the "Financial Data Security Classification Guidelines" framework

Figure 18: Correspondence between the twelve major response measures and the framework of "Technical Specifications for the Protection of Personal Financial Information"

Figure 19: Correspondence between the twelve major response measures and the "Financial Data Life Cycle Security Specification" framework

Thank you all for reading. We will continue to publish analyses of other highly regulated industries, so stay tuned!

Original article, author: David, if reprinted, please indicate the source: https://cncso.com/en/measures-for-personal-information-protection-law.html

Comments(2)

Passerby, January 12, 2022 11:20 pm:

A very good reference for the implementation of personal protection methods, and it is relatively practical. I like it.