“Personal information security specification” will be implemented from 1st May 2018

The Standardization Administration of China has released the “Personal information security specification” (GB/T 35273-2017), which will be implemented from 1st May 2018.

Although GB/T 35273-2017 is a recommended national standard, in July 2017, CAC, MIIT, MPS and several other departments had conducted a joint action on the personal privacy, this action took the draft of GB/T 35273-2017 as the guideline. In addition, in view of the recent administration enforcement on individual enterprises, GB/T 35273-2017 was used to be the guideline practically. So, enterprises shall take GB/T 35273-2017 seriously and strengthen the management on personal information accordingly. The main highlights of GB/T 35273-2017 include:

1.GB/T 35273-2017 has given definition for some legal terms related to personal information for the first time.

For example, “Explicit consent” refers to the personal data subject has made written statement or taken affirmative action to authorize the personal data controller to use the personal information. The affirmative action includes the personal data subject has actively made a statement (in electronic or paper form), actively selected, actively clicked the button named “agree”, “register”, “send”, “dial” and so on. Enterprises could establish such practical regulations, and such regulations could be used to defend itself for the relevant disputes.

2.GB/T 35273-2017 has specified the detailed requirements on the collection, store, use, consign, transfer, public disclosure, and the procedures in handling the personal information security cases. Enterprises could take GB/T 35273-2017 for reference while drafting the regulations on the collection of personal information, which is very practical.

3.GB/T 35273-2017 has provided some template for reference, such as “Personal Information Example”, “Personal Sensitive Information Verification”, “Method of Protecting Personal Information Subjects’ Right to Select and Approve,” and “Privacy Policy Template”.