China
Data Backup and Disaster Recovery: Implement the 3-2-1 backup strategy—maintain at least three copies of data, stored on two different media, with one copy offsite. Conduct regular drills to test recovery procedures. Data Loss Prevention (DLP) and Log Auditing: Monitor and block unauthorized transmission of sensitive data. Maintain comprehensive audit logs of access, modification, and deletion activities. Secure Development and Configuration Management: Implement source code obfuscation and hardening techniques. Ensure database access rights are properly separated and managed. 5.5. Disclosure, sharing, and transfer of data If a Personal Data Processor intends to share, disclose, or transfer an individual’s personal data to a third party (including its affiliated companies), the Processor must: Inform the data subject in advance about the purpose of the transfer, the types of personal data involved, and the recipient’s name and contact details, and obtain the data subject’s explicit prior consent when the third party acts as a separate Personal Data Processor;
(4) Security incident response plan Personal Data Processors should establish and maintain an emergency response plan for personal data security incidents. The plan should define clear procedures for detecting, logging, assessing, containing, notifying, and reporting incidents. Annual drills are required to ensure the effectiveness of the plan. 5.4.2. Technical measures Referencing the “Guidelines for Personal Information Security Protection on the Internet”, organizations must implement technical safeguards across the entire data lifecycle—collection, storage, transmission, usage, and deletion. Key requirements include: Data Encryption: Use secure protocols such as SSL/TLS (e.g., HTTPS) for data transmission, and store sensitive personal data using robust encryption algorithms such as AES, ensuring that leaked data cannot be read in plaintext. Data Desensitization and Anonymization: Apply masking or replacement for sensitive data. Techniques such as k-anonymity or differential privacy should be used to prevent data from being traced back to identifiable individuals. Access Control and Access Management: Enforce minimum necessary access authorization. Strengthen authentication using passwords, SMS verification codes, or biometric methods.
www.llinkslaw.com
Made with FlippingBook - PDF hosting