Becoming PIPL Compliant In No Time
Thank You for Joining “Becoming PIPL Compliant In No Time”
● We will be starting a couple minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
Speakers
● Paul Breitbarth, Director, Global Policy & EU Strategy, TrustArc
● K Royal, Associate General Counsel - Privacy Intelligence, TrustArc
● ShanShan Pa, Head of Compliance & Privacy (Americas & EMEA), Alibaba Cloud
Today, we will address:
● Introduction to PIPL
● Frequently asked questions
● Enforcement mechanisms and potential fines
● How to comply with PIPL
● Leveraging your current privacy compliance work
Resources: https://trustarc.com/china-pipl/
Overview of PIPL - The Basics
Definitions - personal information, handling, handlers, sensitive personal information
Individual rights
Privacy notice
Specific Activities
● Consent
● Automated Decision-making
● Cookies
● Surveillance
● Data breach notification
Passed August 20, 2021 - Effective November 1, 2021
Legal Bases (Article 13)
● Consent (freely given, informed, active & distinct)
● Necessary for a contract with the individual (incl. HR)
● To fulfill statutory duties and obligations
● Public health, life and death, or protection of property in emergency situations
● News reporting, opinion formulating, etc.
● Information disclosed by the individual or in a lawful manner
● As provided by other laws
Overview of PIPL - More Details
Responsibilities of Data Handlers
Personal Information Protection Officers (DPOs)
Representatives for Handlers outside China
Impact Assessments
Cross-border transfers
Enforcement
Cross-Border Data Transfers
CAC Draft Guidance issued 29 October 2021
Contract Negotiations
● Contract with the foreign receiving party will need to be aligned with all PIPL requirements.
● Maintain in draft.
Security Self-Assessment
● In accordance with Art. 5 CAC Guidelines
Government Assessment
● Verification of whether the cross-border data transfer has an impact on the national security of China.
● Comparable to DTIA
An approved Cross-Border Data Transfer Security Assessment is valid for two years, or until the situation in the third country drastically changes.
Enforcement (Chapter VII)
Companies
• Correct violation
• Relinquish income
• Suspend activities
• Refusal = $$$ (¥1M)
Individuals
• Fines between ¥10,000-¥100,000 / up to ¥100,000-¥1M
• Prohibited from positions
Extra
• Credit files publicized
• Severe violations = $$$
• May face lawsuit for denying rights
• May face criminal charges
Leveraging Current Compliance Activities
Framework elements (rows) mapped against GDPR, LGPD, CCPA, PIPL, HIPAA Security and Virginia CDPA (columns):
● Integrated Governance
● Risk Assessment
● Resource Allocation
● Policies and Standards
● Processes
● Awareness and Training
● Data Necessity
● Use, Retention, and Disposal
● Disclosures to 3rd Parties & Onward Transfer
● Choice and Consent
● Access and Individual Rights
● Data Integrity and Quality
● Security
● Transparency
● Monitoring and Assurance
● Reporting and Certification
Leveraging Current Compliance Activities
● An unclear picture of how multiple requirements align: Law Citations 1 through 5 scattered, with no mapping between them.
● Organized, but requires repeated efforts: Law Citation 1, Law Citation 2, Law Citation 3, Law Citation 4 and Law Citation 5 each separately mapped to Control 1.
● A Single Framework: the law citations map to one Common Control, giving a streamlined requirement.
Thank You!
See http://www.trustarc.com/insightseries for the 2021 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.