On 27 December 2024, the National Financial Regulatory Administration (the NFRA) released the Administrative Measures for Data Security of Banking and Insurance Institutions (the NFRA Data Rules), which came into effect on the same day. The NFRA Data Rules are the NFRA’s first set of systematic rules regulating the data privacy and security of the designated entities, and the market has long awaited them, given that China’s cybersecurity and data privacy regime (the Existing Data Regime) was launched several years ago.
Who is regulated?
The NFRA Data Rules apply to designated banking and insurance institutions (the Regulated Institutions) regulated by NFRA, such as commercial banks, trust companies, banking wealth management companies, insurance companies, insurance asset management companies and insurance group (holding) companies established in China.
The NFRA Data Rules also apply, by reference, to other financial institutions in the banking or insurance sectors, financial holding companies regulated by the NFRA, and financial organisations regulated by local financial regulatory administrations (e.g. financial leasing companies and commercial factoring companies).
New categories of data
The NFRA Data Rules classify data into four categories: customer data, business data, operational and management data, and system operation and security management data. Depending on its importance and sensitivity, all data is further graded into four levels, i.e. core data, important data, sensitive data and other general data.
Under the Existing Data Regime, “important data” is subject to more stringent requirements (including the requirement on a security assessment before important data may be transferred outside of China).
According to the NFRA Data Rules, “important data” refers to data relating to specific fields, specific groups or specific regions, or data reaching a certain level of accuracy and scale, which, once disclosed, tampered with or destroyed, may directly endanger national security, economic operation, social stability, or public health and security. “Core data” in turn refers to the subset of important data with greater sensitivity and importance. Accordingly, both core data and important data as defined under the NFRA Data Rules fall within the “important data” category and are therefore simultaneously regulated under the Existing Data Regime.
The NFRA Data Rules also provide that the NFRA shall formulate a catalogue of important data and propose a catalogue of core data. Meanwhile, each Regulated Institution shall prepare its own catalogue of important data and submit it (and any significant changes to it) to the NFRA or its local office.
It is worth noting that the draft Administrative Measures on Data Security in the Business Areas supervised by the People’s Bank of China (the PBOC Data Draft Rules) require data handlers to classify data into five sensitivity levels, which differ from the classification under the NFRA Data Rules. If the PBOC Data Draft Rules are formally issued as drafted, this inconsistency may increase the regulatory and compliance burden of Regulated Institutions, considering that some of their data (e.g. anti-money laundering data) will ultimately fall within the scope of the PBOC Data Draft Rules.
Major requirements
- Corporate governance - the NFRA Data Rules require each Regulated Institution to establish an internal governance structure for data security, under which the board of directors bears ultimate responsibility, the senior management team bears direct responsibility, the data security management department is responsible for the main data security work, and the IT department provides technical protection.
- Risk management - the NFRA Data Rules also require the risk management department, the internal control and compliance department and the audit department to incorporate data security into the Regulated Institution’s overall risk management system and to carry out internal audits and assessments of data security on a regular basis.
- Data assets - Regulated Institutions are required to register their enterprise-wide data assets and maintain an internal data asset map.
- Outsourcing - data processing outsourcing is now expressly included as a form of IT outsourcing service and is therefore subject to the statutory requirements that apply to IT outsourcing (such as completing regulatory procedures, selecting a qualified third-party supplier, and entering into agreements containing the statutorily required provisions).
- Data security protection baseline - a new concept of a data security protection baseline has been introduced, which establishes minimum standards for protecting core data, important data and sensitive data. These minimum standards cover information system protection, data access, data transmission, data storage and data destruction, for example taking effective measures to manage and control access throughout the data lifecycle, logging operations involving data at the sensitive level or above, transmitting data by secure methods, taking security measures to prevent attacks such as ransomware, trojans and backdoors, and taking technical measures to delete or destroy designated data in a timely manner so that it is unrecoverable.
- Data security and risk assessment - Regulated Institutions are required to carry out a prior data security assessment before processing data at the sensitive level or above, or before carrying out designated data-related activities that may have a material impact on data subjects. Regulated Institutions are also required to conduct a data security risk assessment on an annual basis and submit the report to the NFRA.
- Response to data security incidents - Regulated Institutions are required to effectively monitor threats to data security and to establish mechanisms for emergency management, coordination and reporting. For example, within 2 hours after a data security incident occurs, the Regulated Institution concerned shall report to the NFRA or its local office, and it shall submit an official written report within 24 hours after the occurrence of the incident. Regulated Institutions must report the progress of incident handling every 2 hours until the incident is resolved and, within five working days, submit a report to the NFRA or its local office. In the case of an extremely serious security incident, more stringent requirements apply (e.g. promptly notifying the affected customers and reporting to the local public security authorities).
- Data security audit - each Regulated Institution’s internal audit department is also required to conduct a comprehensive audit of data security at least once every three years, and a special audit upon the occurrence of a material data security event.
The NFRA Data Rules seek to create a data security governance structure for Regulated Institutions and impose detailed and stringent obligations on them. Regulated Institutions are advised to study and review the provisions of the NFRA Data Rules and to establish a compliance obligations checklist based on them, with the aims of improving their data security management systems, establishing internal standards for data classification, strengthening data security and personal information protection, and implementing a data security emergency response mechanism.