China’s guidance on privacy of personal data is set to change in the near future, following the publication of a draft guideline in late 2016. Though a date has not yet been set for the guideline to be finalised, companies should take the opportunity to assess whether they will need to make changes to their systems and processes to bring them in line with the guidance as currently set out.

The draft guideline document, “Information Security Technology – Personal Data Security Specification” (“Guideline”), issued by the National Information Security Standardisation Technical Committee, is the most comprehensive statement on the protection of personal data issued by the Chinese government to date.

Although the guideline will not be mandatory or legally binding, once finalised and adopted it may serve as best practice in relation to the protection of personal data in China, and is likely to become a major reference document for Chinese authorities wishing to implement cyber security laws and regulations. It may also indicate the future direction of China’s legislation in this area.

In this briefing, we outline the key aspects of the draft Guideline and discuss the implications for businesses in China.