Data classification and grading is an obligation that each data handler must comply with under the Chinese data protection laws. Data handlers have been waiting for clear requirements and standards on how to carry out the relevant work. The newly published national standard GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading sheds light in this area.
Basic rules
As a general principle, sectoral authorities shall publish categories and guidelines to set out the sector-specific data classification and grading frameworks. Data handlers’ internal data classification and grading work shall be conducted under the relevant sectoral framework.
To be specific, a data handler shall first conduct data classification by identifying the sectors in which the data is processed, and classifying data as industrial data, telecom data, financial data, energy data, traffic and transportation data, natural resources data, health data, education data, science data, etc.
The data handler shall further classify the data in each sector by considering factors such as the objects described (e.g. user data, business data, operation data and system maintenance data), the business processes concerned (e.g. R&D, manufacturing, distribution and after-sales services), and the processing purposes (e.g. internal management, supplier management and marketing). Where personal data is involved, the existing personal data classification requirements (which are summarized in Schedule B of the new standard) must be reflected.
Under the new standard, data is graded as core data, important data or regular data. The grading should be based on the significance of the data to economic and social development, as well as the harm to national security, public interests and the legitimate rights and interests of individuals and organizations that could result from tampering with, destroying, leaking, accessing without authorization or illegally using the data.
The following factors may affect the grading: the business contexts in which the data is processed; the business objects or personal data subjects that the data describes; the geographic areas the data concerns; the data accuracy; and the coverage scale and level of detail, among others. Schedules 3 and 4 of the new standard provide further guidance on how each factor shall be assessed when determining the grading.
Important data
Important data refers to data that is specific to certain sectors, groups or regions, or that has reached a certain level of precision and scale, such that, once leaked, tampered with or destroyed, it may directly jeopardize national security, economic operations, social stability, public health or safety. Data that only affects the data handler itself or individual citizens is usually not considered important data.
The new standard also sets out the factors and standards that sectoral authorities must consider when formulating the important data catalogues. Once such catalogues are published, data handlers must follow the catalogues, identify the important data within their own organizations and prepare their own important data catalogue accordingly.
If a data handler believes that it also processes other important data after considering all the factors provided in the new standard, it can identify such data as important data voluntarily. This applies even where the data is not included in the sectoral authorities’ important data catalogues. However, only the important data included in sectoral catalogues (rather than voluntarily identified important data) must go through the special approval processes before it can be transferred overseas.
After finalizing the important data catalogue internally, data handlers shall record their important data catalogues with the sectoral authorities in accordance with the requirements specified in sector-specific guidance. For example, according to the Measures for the Management of Data Security in the Field of Industry and Information Technology (for Trial Implementation), data handlers in the industry and information technology sector shall record their important data catalogues with local sectoral authorities and provide information on the important data, including its source, classification, grade, scale, carrier, purpose and method of processing, scope of use, responsible party, external sharing, cross-border transfer and security protection measures. The specific data items in the important data catalogue are not required to be provided.
Practical Next Steps
Since the standard has already set out a relatively clear framework and includes reasonable detail, sectoral authorities are expected to publish sector-specific guidance and catalogues soon. While following such developments closely, data handlers are advised to conduct thorough data mapping internally and initiate preliminary data classification and grading work in parallel.
Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.