Introduction: China's Data and Cyber Trinity
China governs data and cybersecurity through a tightly interlocked trinity of national laws: the Cybersecurity Law (CSL, effective 1 June 2017), the Data Security Law (DSL, effective 1 September 2021) and the Personal Information Protection Law (PIPL, effective 1 November 2021). Sitting beneath these statutes is the Multi-Level Protection Scheme (MLPS 2.0), the mandatory technical grading and certification regime for network operators codified in GB/T 22239-2019. Together these instruments create one of the most demanding, extraterritorial and enforcement-active data governance environments in the world. For any organisation that markets to, processes the data of, or operates infrastructure serving individuals in the People's Republic of China, compliance is not optional and the penalties are severe.
This guide is written for two audiences at once: the auditor or assessor who must test conformity and gather evidence, and the CISO, DPO or China-market implementer who must build and operate the control environment. It maps the specific obligations, thresholds, filing deadlines, control families and lifecycle requirements unique to the CSL/DSL/PIPL/MLPS stack. Article numbers, grading levels and regulatory bodies are cited to the operative Chinese-language instruments; all explanatory text is original and no copyrighted statutory text is reproduced.
Standards and Copyright Note
MLPS technical baselines are published as GB/T national standards (notably GB/T 22239-2019 Baseline for Classified Protection of Cybersecurity and GB/T 22240-2020 for grading) by SAC/TC260 and are subject to Chinese copyright. Cross-border transfer standards such as GB/T 35273-2020 (PI Security Specification) and the CAC Standard Contract are likewise controlled documents. This guide paraphrases requirements for assessment purposes and does not reproduce standard text. Licensed copies must be obtained from official Chinese sources (SAMR/SAC). Verify the current version before certification, as GB/T 22239 and CAC measures are periodically revised.
What is China PIPL/CSL
The framework is a layered regulatory system rather than a single act. Each layer addresses a distinct object of protection and is enforced by overlapping regulators.
The Cybersecurity Law (CSL)
The CSL is the foundational statute establishing network security obligations for all 'network operators' and heightened duties for operators of Critical Information Infrastructure (CII). It introduces MLPS as a legal mandate (Article 21), CII protection (Articles 31-39), data localisation for CII (Article 37), real-name registration, network product and service security review, and incident response and reporting duties. Enforcement sits primarily with the Ministry of Public Security (MPS) and the Cyberspace Administration of China (CAC).
The Data Security Law (DSL)
The DSL governs all data processing activities (not just personal data) and introduces a national data classification and hierarchical protection system, distinguishing ordinary data, 'important data' and 'core data' (national security relevant). It imposes risk assessment, incident reporting, and a controversial blocking provision (Article 36) prohibiting the transfer of data stored in China to foreign judicial or enforcement authorities without Chinese approval.
The Personal Information Protection Law (PIPL)
PIPL is China's comprehensive personal data statute, frequently compared to the EU GDPR but stricter in several respects. It defines lawful bases for processing (consent-centric, no legitimate-interest ground), sensitive personal information, individual rights, cross-border transfer mechanisms (Articles 38-43), separate consent requirements, and extraterritorial reach (Article 3). It appoints CAC as lead regulator and imposes fines up to RMB 50 million or 5% of prior-year turnover.
The Multi-Level Protection Scheme (MLPS 2.0)
MLPS is the technical certification backbone. Every network/system must be self-graded from Level 1 to Level 5 based on the harm its compromise would cause to citizens, legal persons, social order or national security. Grade 2 and above require filing with the local Public Security Bureau (PSB) and, for Grade 3+, periodic expert testing (dengbao) by an accredited assessment organisation.
Who Must Comply / Scope of Applicability
Scope is broad and expressly extraterritorial. The following table summarises who is captured and under which instrument.
| Entity / Trigger | Instrument | Obligation summary |
|---|---|---|
| Any 'network operator' (owner/administrator of a network) in China | CSL / MLPS | MLPS grading, filing, technical baseline controls, incident reporting |
| Operators of Critical Information Infrastructure (finance, energy, transport, telecom, e-gov, public utilities, etc.) | CSL Arts 31-39 | Enhanced protection, data localisation, annual review, CAC security review for procurement |
| Any organisation processing personal information of individuals located in China | PIPL Art 3(1) | Full PIPL obligations regardless of where processing occurs |
| Foreign entities processing PI to provide products/services to, or analyse behaviour of, China-based individuals | PIPL Art 3(2) | PIPL applies extraterritorially; must appoint a local representative (Art 53) |
| Processors handling 'important data' or 'core data' | DSL | Classification, risk assessment, designated data security officer, reporting |
| Large-volume PI handlers (per CAC thresholds) | PIPL Art 52 / CAC rules | Appoint DPO, annual compliance audit, possible security assessment for transfers |
| Any entity transferring PI or important data out of China | PIPL Arts 38-43 / DSL | CAC security assessment, SCC filing, or certification |
| Providers of algorithmic recommendation / generative AI services | Algorithm & Gen-AI regulations | Algorithm filing, labelling, security assessment |
- Data localisation is mandatory for CII operators and for PI handlers reaching CAC volume thresholds; other data may in principle leave China only via an approved transfer mechanism.
- There is no small-business blanket exemption; SMEs processing China PI are in scope, though audit and DPO thresholds scale with volume.
- State organs and public bodies have a dedicated PIPL chapter (Chapter 2, Section 3) with additional constraints.
Structure of China PIPL/CSL
The framework can be decomposed into statutory pillars, each with its operative article ranges and implementing rules. The table below is the structural map an assessor uses to build a coverage matrix.
| Pillar / Domain | Primary instrument & articles | Core requirements | Lead regulator |
|---|---|---|---|
| Network security baseline (MLPS) | CSL Art 21; GB/T 22239-2019 | Self-grade, PSB filing, tiered technical & management controls, dengbao testing | MPS / PSB |
| Critical Information Infrastructure | CSL Arts 31-39; CII Security Protection Regulations 2021 | Identification, localisation, procurement security review, annual assessment | CAC / competent departments |
| Data classification & security | DSL Arts 21-30 | Ordinary/important/core tiers, risk assessment, catalogues, DSO | CAC / MIIT / sector regulators |
| Personal information processing | PIPL Arts 13-27 | Lawful basis, notice, separate consent, minimisation, automated decision rules | CAC |
| Sensitive personal information | PIPL Arts 28-32 | Specific purpose + necessity, separate consent, impact assessment | CAC |
| Individual rights | PIPL Arts 44-50 | Access, copy, correction, deletion, portability, explanation, complaint | CAC |
| Cross-border transfer | PIPL Arts 38-43; DSL Art 36 | Security assessment / SCC / certification; export blocking; PIPIA | CAC |
| Accountability & governance | PIPL Arts 51-58 | DPO, compliance audit, PIPIA, records, local representative, incident duty | CAC |
| Breach & incident response | CSL Art 25; DSL Art 29; PIPL Art 57 | Emergency plan, notification to authority and individuals, remediation | CAC / MPS / sector |
| Algorithm & generative AI | Algorithm Rec. Provisions 2022; Gen-AI Measures 2023 | Filing, transparency, labelling, security & data-source assessment | CAC |
Master Assessment Checklist
This is the operative core of the guide. Each control group below carries a table of what the auditor must verify and the typical evidence that proves conformity. No control area is skipped; groups follow the statutory pillars above.
Group 1 — MLPS Grading and Filing (CSL Art 21)
| What to verify | Typical evidence |
|---|---|
| Every in-scope system has been graded 1-5 per GB/T 22240-2020 with documented rationale | Grading report, expert review minutes, harm-analysis worksheet |
| Grade 2+ systems are filed with the local Public Security Bureau | PSB filing certificate (beian) with record number |
| Grade 3+ systems undergo periodic (at least annual) expert testing (dengbao) | Testing report from accredited assessment institution, remediation log |
| Grading is reassessed after major architecture or business change | Change records linking to re-grading decisions |
| Selected level matches actual harm potential (no under-grading) | Independent reviewer assessment, sector guidance mapping |
Group 2 — MLPS Technical Controls (GB/T 22239-2019, secure computing environment)
| What to verify | Typical evidence |
|---|---|
| Physical and environmental security proportionate to grade (access, power, fire, monitoring) | Data-centre access logs, environmental monitoring reports |
| Network zoning, boundary protection and secure communication (encryption in transit) | Network diagrams, firewall rulesets, TLS/SM cipher configuration |
| Identity authentication, least-privilege access and dual-factor for privileged users | IAM policy, MFA configuration, privileged account inventory |
| Malware defence, intrusion prevention and centralised log collection | EDR/IPS console, SIEM log retention (>=6 months) proof |
| Data integrity, confidentiality and secure backup/restore | Backup schedule, restore-test records, encryption key management |
| Use of commercial cryptography (SM2/SM3/SM4) where mandated | OSCCA-approved crypto product certificates, algorithm inventory |
| Security management centre for Grade 3+ (centralised control, audit, monitoring) | SMC architecture, operator roster, monitoring dashboards |
Group 3 — MLPS Management Controls (GB/T 22239-2019, management dimension)
| What to verify | Typical evidence |
|---|---|
| Security policy framework and defined organisational structure | Approved policy set, org chart, role appointment letters |
| Personnel security (screening, training, on/offboarding) | Training records, NDAs, access-revocation tickets |
| Construction/build security management (design, testing, delivery acceptance) | SDLC gates, acceptance test reports, vendor security clauses |
| Operations and maintenance management (change, patch, vulnerability, media) | Change-management records, patch cadence evidence, media handling log |
| Security incident and emergency response procedures | Emergency plan, drill records, incident register |
Group 4 — Critical Information Infrastructure (CSL Arts 31-39)
| What to verify | Typical evidence |
|---|---|
| CII identification confirmed with the competent sector authority | CII designation notice, sector identification correspondence |
| Dedicated security management body and responsible person appointed | Appointment records, budget allocation, headcount |
| Data and PI generated/collected in China are stored within China | Data-residency map, hosting contracts, storage location attestations |
| Network products/services procurement passed CAC security review where required | Security review filing/approval, procurement risk assessments |
| Annual security inspection and risk assessment performed | Annual assessment report submitted to competent department |
| Background review of key personnel and supply-chain risk management | Personnel vetting records, supplier security assessments |
Group 5 — Data Classification and Security (DSL Arts 21-30)
| What to verify | Typical evidence |
|---|---|
| Data inventory classified into ordinary / important / core categories | Data catalogue with classification tags, sector important-data list mapping |
| Important data identified against national and sector catalogues | Important-data register, classification methodology |
| Data security officer and management body designated for important-data handlers | Appointment letter, responsibilities matrix |
| Regular risk assessments of important-data processing conducted and reported | Risk assessment reports filed with competent authority |
| Article 36 blocking control: no data provided to foreign authorities without approval | Legal-request handling procedure, approval records |
| Data lifecycle security (collection, storage, use, transfer, deletion) documented | Data flow maps, retention schedule, secure deletion evidence |
Group 6 — Lawful Basis and Processing Principles (PIPL Arts 5-13)
| What to verify | Typical evidence |
|---|---|
| A valid Art 13 lawful basis exists for each processing activity | RoPA with basis column, consent capture records or contract references |
| Principles of legality, legitimacy, necessity, good faith and minimisation applied | Data-minimisation assessment, purpose-limitation policy |
| Processing is limited to the stated purpose and least data necessary | Field-level justification, collection scoping review |
| Openness/transparency and accuracy: personal information kept accurate, up-to-date and complete | Data quality controls, correction workflow |
| Retention limited to the shortest period necessary | Retention matrix, automated purge job logs |
Group 7 — Notice and Consent (PIPL Arts 14-18)
| What to verify | Typical evidence |
|---|---|
| Privacy notice discloses identity, purpose, method, categories, retention and rights before processing | Published privacy notice, versioned notice archive |
| Consent is freely given, informed and specific; obtained before processing | Consent logs with timestamp, UI screenshots |
| Separate consent obtained for sensitive PI, transfers, third-party sharing, public disclosure | Distinct consent records per scenario |
| Consent withdrawal is as easy as giving it, with no service denial for optional processing | Withdrawal mechanism, opt-out logs |
| Notice re-issued and consent refreshed when purpose/method/category changes | Change-triggered re-consent records |
Group 8 — Sensitive Personal Information (PIPL Arts 28-32)
| What to verify | Typical evidence |
|---|---|
| Sensitive PI (biometrics, religion, health, financial accounts, location, minors under 14) is inventoried | Sensitive-PI register with categories |
| Specific purpose and demonstrated necessity documented for each sensitive category | Necessity justification, DPIA/PIPIA excerpts |
| Separate, explicit consent obtained for sensitive PI | Dedicated consent records |
| Minors under 14 handled with guardian consent and a dedicated rules document | Guardian consent records, children's data policy |
| Enhanced protection measures (encryption, restricted access) applied | Access-control lists, encryption configuration |
Group 9 — Automated Decision-Making (PIPL Art 24)
| What to verify | Typical evidence |
|---|---|
| Automated decisions are transparent, fair and non-discriminatory in pricing/terms | Algorithm fairness assessment, price-consistency testing |
| Individuals can opt out of profiling-based marketing / receive non-targeted options | Opt-out toggle evidence, alternative-content path |
| Right to explanation and to refuse decisions with significant effect is honoured | Explanation request handling, human-review workflow |
| Algorithmic recommendation services filed and assessed where applicable | Algorithm filing record, security self-assessment |
Group 10 — Individual Rights (PIPL Arts 44-50)
| What to verify | Typical evidence |
|---|---|
| Access and copy requests fulfilled promptly | Request register with response timestamps |
| Correction and completion of inaccurate data supported | Correction tickets, audit trail |
| Deletion honoured on withdrawal, purpose fulfilment, illegality or breach | Deletion logs, downstream propagation records |
| Data portability to another handler enabled where conditions met | Export/transfer request records, format specification |
| Explanation of processing rules provided on request | Explanation responses, plain-language rule descriptions |
| Rights of deceased persons' next-of-kin recognised (Art 49) | Procedure and handled-request evidence |
| Complaint/refusal handling procedure with reasons for any denial | Complaints log, refusal justification records |
Group 11 — Cross-Border Data Transfer (PIPL Arts 38-43)
| What to verify | Typical evidence |
|---|---|
| A valid transfer mechanism is in place: CAC security assessment, SCC filing, or certification | CAC assessment approval, filed Standard Contract, or certification proof |
| Threshold analysis performed against CAC volume rules (important data, CIIO, PI volumes) | Threshold worksheet, export-volume tracking |
| A cross-border PIPIA (transfer impact assessment) completed and retained (>=3 years) | PIPIA report with recipient risk analysis |
| Separate consent for transfer obtained with recipient identity, purpose and rights disclosed | Transfer-specific consent records |
| Overseas recipient bound to equivalent protection by contract | Executed data processing/transfer agreement |
| Foreign recipient's obligations to Chinese individuals are enforceable | Recipient attestations, liability clauses |
Group 12 — Entrusted Processing and Sharing (PIPL Arts 20-23)
| What to verify | Typical evidence |
|---|---|
| Processor (entrusted) agreements define purpose, scope, method and protection | Executed processing agreements, DPA clauses |
| Handler supervises processors and prohibits sub-processing without consent | Vendor audit records, sub-processor approval log |
| Joint processing arrangements allocate responsibility and joint liability | Joint-controller agreement |
| Third-party sharing carries recipient identity, purpose, method disclosure + separate consent | Sharing register, consent evidence |
| On processor termination, data is returned or deleted | Return/deletion certificates |
Group 13 — Governance, DPO and Compliance Audit (PIPL Arts 51-54)
| What to verify | Typical evidence |
|---|---|
| Internal management systems, operating procedures and classified management implemented | Policy suite, procedure library |
| DPO appointed where processing volume meets CAC threshold; contact published | DPO appointment, published contact details |
| Local representative appointed for extraterritorial (Art 3(2)) processors; details filed with CAC | Representative appointment, CAC filing |
| Regular compliance audits of PI processing conducted (self or third-party per CAC audit measures) | Audit reports, audit schedule |
| Technical measures (encryption, de-identification, access control) commensurate with risk | Control inventory, encryption/de-identification evidence |
| Security training and drills conducted | Training attendance, drill after-action reports |
Group 14 — PIPIA / Impact Assessment (PIPL Arts 55-56)
| What to verify | Typical evidence |
|---|---|
| PIPIA performed before sensitive PI, automated decisions, entrusting, sharing, disclosure and transfer | PIPIA reports for each trigger scenario |
| PIPIA evaluates legality, necessity, impact on rights and adequacy of protection | Completed PIPIA template with risk scoring |
| PIPIA reports and processing records retained at least three years | Document retention register |
Group 15 — Breach and Incident Response (CSL Art 25; DSL Art 29; PIPL Art 57)
| What to verify | Typical evidence |
|---|---|
| Emergency response plan for network security and data incidents maintained | Approved incident response plan, RACI |
| On a breach, remedial measures taken and CAC/relevant authority notified promptly | Incident report to authority, timeline log |
| Affected individuals notified unless effective mitigation removes harm | Individual notification records, mitigation justification |
| Incident reporting to sector regulators (e.g. finance/telecom) meets sector timelines | Sector filing acknowledgements |
| Post-incident review and control improvement performed | Root-cause analysis, corrective action tracker |
Group 16 — Algorithm and Generative AI Governance
| What to verify | Typical evidence |
|---|---|
| Algorithmic recommendation services filed in the CAC algorithm registry | Filing record / registry number |
| Generative AI services meet content, data-source and labelling requirements | Security self-assessment, synthetic-content labelling evidence |
| Training data lawfully sourced, with controls in place to exclude infringing or illegal content | Data provenance records, filtering configuration |
| User-facing transparency about algorithmic mechanisms provided | Published algorithm description, opt-out options |
Scoping and Materiality / Tiering
Effort must be proportioned to the harm potential and data sensitivity. The framework provides several native tiering axes that drive scope.
- MLPS grade (1-5): the higher the grade, the more control objectives apply; from Grade 3 upward a security management centre is mandatory and dengbao testing becomes more frequent.
- DSL data tier (ordinary / important / core): 'core data' attracts the strictest controls and is largely un-exportable; 'important data' triggers risk assessment and possible CAC security assessment for transfer.
- PI volume thresholds: CAC volume bands (e.g. handling PI of large numbers of individuals, or cumulative export volumes) trigger DPO appointment, security assessment for export, and mandatory compliance audits.
- CII designation: being named a CII operator escalates every obligation, adds localisation and procurement security review.
- Sensitive PI presence: any sensitive-PI processing raises the assessment to PIPIA-mandatory and separate-consent-mandatory.
| Materiality driver | Low scope | High scope |
|---|---|---|
| MLPS grade | Grade 1-2, filing only | Grade 3-5, SMC + annual dengbao |
| Data tier | Ordinary data | Important / core data |
| PI volume | Below CAC thresholds | Above thresholds: DPO + audit + assessment |
| CII status | Not designated | Designated CII operator |
| Cross-border | No PI/important-data export | Regular export requiring CAC route |
Implementation Approach
A phased programme lets organisations reach defensible compliance while sequencing filings and testing windows correctly.
Phase 1 — Discovery and Grading (Weeks 1-4)
- Activities: system inventory, data mapping, MLPS self-grading per GB/T 22240, DSL data classification, applicability analysis (CII, extraterritorial, thresholds).
- Deliverables: system register with MLPS grades, data catalogue with tiers, applicability memo, gap-analysis baseline.
Phase 2 — Filing and Legal Foundations (Weeks 3-8)
- Activities: PSB filing for Grade 2+ systems, appoint DPO and (if extraterritorial) local representative, draft PIPL notices and consent flows, establish RoPA.
- Deliverables: PSB filing certificates, appointment records, published privacy notices, consent architecture, records of processing.
Phase 3 — Control Build and Remediation (Weeks 6-16)
- Activities: implement MLPS technical/management controls, deploy SM cryptography, build security management centre (Grade 3+), stand up incident response, deploy rights-fulfilment workflows.
- Deliverables: hardened control environment, IR plan and drills, DSAR/rights portal, encryption and access-control evidence.
Phase 4 — Assessments and Transfers (Weeks 12-20)
- Activities: conduct PIPIAs, select and execute cross-border transfer mechanism (CAC assessment / SCC filing / certification), commission dengbao testing for Grade 3+.
- Deliverables: PIPIA reports, filed Standard Contract or CAC approval, dengbao test report and remediation log.
Phase 5 — Sustain and Improve (Ongoing)
- Activities: annual compliance audit, annual CII assessment, re-grading on change, algorithm/AI filings, continuous monitoring and metric reporting.
- Deliverables: annual audit report, updated filings, KPI dashboard, management review minutes.
Maturity / Tiering Model
Beyond the statutory MLPS grades, organisations should track programme maturity to prioritise investment. The model below combines an operational maturity ladder with the corresponding MLPS/DSL posture.
| Level | Name | Characteristics | Typical MLPS/DSL posture |
|---|---|---|---|
| 1 | Initial | Ad-hoc, no grading, no filing, consent gaps | Ungraded or under-graded; high exposure |
| 2 | Developing | Systems graded and filed; basic PIPL notices; partial controls | Grade 1-2 filed; core controls emerging |
| 3 | Defined | Documented policies, RoPA, PIPIA process, IR plan, DPO appointed | Grade 2-3 with dengbao passed once |
| 4 | Managed | Metrics-driven, transfers via approved mechanism, annual audits, SMC operating | Grade 3 sustained; important-data risk assessments |
| 5 | Optimised | Continuous monitoring, automated rights, mature AI governance, board oversight | Grade 3-4 with proactive re-grading and testing |
Assessment and Audit Approach
- Confirm applicability: establish which instruments bind the entity (network operator, CII, extraterritorial PIPL, important-data handler) and record the legal basis for scope.
- Verify grading and classification: test MLPS grades against GB/T 22240 and DSL tiers against sector catalogues; challenge any under-grading.
- Validate filings: confirm PSB beian for Grade 2+, DPO/representative appointments and CAC transfer filings exist and are current.
- Test technical controls: sample MLPS baseline controls per grade, verify SM cryptography, access control, logging and the security management centre where required.
- Examine PI processing: trace lawful basis, notice, consent (including separate consent), minimisation and retention across representative data flows.
- Assess transfers: verify the transfer mechanism, PIPIA and consent for each cross-border flow; confirm no unlawful data provision to foreign authorities (DSL Art 36).
- Review rights and incidents: test DSAR fulfilment timeliness and incident-response readiness, including notification records and drill evidence.
- Evaluate governance: assess DPO effectiveness, compliance-audit cadence, training and management oversight.
- Report and remediate: produce a findings register scored by severity, with corrective actions, owners and deadlines aligned to filing/testing windows.
Evidence Request List
The following categorised list is issued to the auditee ahead of fieldwork.
- Governance: security and privacy policy suite, org chart, DPO and local-representative appointments, compliance-audit reports, training records.
- Grading & filing: MLPS grading reports, PSB filing certificates, dengbao test reports and remediation logs.
- Data mapping: system inventory, data catalogue with DSL tiers, RoPA, data-flow diagrams, important-data register.
- PI processing: privacy notices (versioned), consent logs, separate-consent records, retention schedule, deletion logs.
- Sensitive PI & minors: sensitive-PI register, children's data policy, guardian-consent records.
- Cross-border: PIPIAs, CAC security assessment approvals, filed Standard Contracts, certifications, transfer consent records.
- Technical: IAM/MFA configuration, encryption and SM-crypto certificates, SIEM/log retention proof, backup/restore test records, network diagrams.
- CII (if applicable): CII designation notice, localisation attestations, procurement security-review approvals, annual assessment reports.
- Incident: IR plan, drill records, incident register, authority and individual notification evidence.
- Vendors & AI: processor agreements, sub-processor approvals, algorithm filings, generative-AI self-assessments and labelling evidence.
Roles and Responsibilities
| Role | Primary responsibilities |
|---|---|
| Legal representative / senior management | Ultimate accountability; approves policies; resourcing; personal liability exposure under PIPL Art 66 |
| Data Protection Officer (Art 52) | Oversees PI processing and protection; point of contact for CAC and individuals |
| Data Security Officer (DSL) | Manages important-data classification, risk assessment and reporting |
| CII security responsible person | Runs the dedicated CII security body; localisation and procurement review |
| Network security / MLPS owner | Maintains grading, filing, technical baseline and dengbao readiness |
| Local representative (Art 53) | Represents extraterritorial processor to Chinese regulators; details filed with CAC |
| IT / SecOps | Implements and operates technical controls, SIEM, IR execution |
| Business / product owners | Define lawful basis, notices and consent at collection points |
| Internal audit / compliance | Runs the mandatory compliance audits and tracks remediation |
KPIs / Metrics to Track
- Percentage of in-scope systems correctly graded and filed (target 100%).
- Grade 3+ systems with a current, passed dengbao test.
- DSAR/rights requests fulfilled within committed timelines.
- Percentage of cross-border flows covered by a valid transfer mechanism and current PIPIA.
- Consent capture rate and separate-consent coverage for sensitive PI/transfers.
- Time to notify authority and individuals after a confirmed breach.
- Number of important-data risk assessments completed on schedule.
- Open high-severity findings age and remediation burn-down.
- Security-training completion and incident-drill frequency.
- Algorithm/AI services with current CAC filings and self-assessments.
Readiness Checklist
- All in-scope systems graded under MLPS and Grade 2+ filed with the PSB.
- Grade 3+ systems have a passed dengbao test and a security management centre.
- Data classified into DSL tiers with an important-data register maintained.
- CII applicability determined and, if designated, localisation and procurement review in place.
- PIPL lawful basis, notices and consent (including separate consent) implemented at every collection point.
- Sensitive PI and minors' data controls, with PIPIAs, in place.
- DPO appointed and, for extraterritorial processing, a local representative filed with CAC.
- Every cross-border flow uses an approved mechanism (CAC assessment / SCC / certification) with a retained PIPIA.
- Individual rights workflows (access, correction, deletion, portability, explanation) operating.
- Incident response plan tested, with authority and individual notification procedures.
- Mandatory compliance audit scheduled and vendor/AI filings current.
- Records (RoPA, PIPIA, incidents) retained for at least three years.
Common Gaps and Findings
- Under-grading MLPS systems to avoid dengbao testing and management-centre obligations.
- Treating GDPR compliance as sufficient, missing PIPL's separate-consent and no-legitimate-interest requirements.
- Cross-border transfers running without a completed PIPIA or an approved transfer mechanism.
- Missing or generic consent that fails the 'separate consent' standard for sensitive PI, sharing and export.
- No appointed local representative despite extraterritorial (Art 3(2)) processing.
- Data localisation not enforced for CII or above-threshold PI handlers.
- Sensitive-PI and minors' data processed without PIPIA or guardian consent.
- Retention periods undefined or excessive, breaching the minimisation principle.
- Incident-response plans untested and unclear authority-notification timelines.
- DSL Article 36 exposure: responding to foreign legal requests without Chinese approval.
- Algorithmic recommendation and generative-AI services unfiled with the CAC registry.
China PIPL/CSL Mapped to Other Frameworks
The mapping below helps organisations reuse existing controls, while flagging where China-specific obligations have no direct equivalent.
| China obligation | GDPR (EU) | ISO/IEC 27001 & 27701 | India DPDP Act 2023 | NIST CSF |
|---|---|---|---|---|
| MLPS grading & baseline (GB/T 22239) | No direct equivalent | 27001 Annex A controls | No direct equivalent | Protect / Detect functions |
| PIPL lawful basis & consent | Art 6 lawful bases / Art 7 consent | 27701 PIMS | Consent + legitimate uses | Govern (privacy) |
| Separate consent (sensitive/transfer) | Explicit consent (Art 9) | 27701 controls | Consent for sensitive processing | Govern |
| Cross-border transfer (Arts 38-43) | Chapter V (SCCs/adequacy) | 27701 transfer controls | Restricted-country transfer rules | Govern / Protect |
| PIPIA (Arts 55-56) | DPIA (Art 35) | 27701 privacy risk assessment | DPIA for significant fiduciaries | Identify (risk assessment) |
| Breach notification (Art 57) | Arts 33-34 (72h) | 27001 incident mgmt / 27035 | Data Protection Board notification duty | Respond |
| DPO (Art 52) | DPO (Arts 37-39) | 27701 accountability role | Data Protection Officer (SDF) | Govern |
| CII protection (CSL 31-39) | NIS2 (analogous) | 27001 for critical assets | No direct equivalent | Identify / Protect |
| Data classification (DSL) | No direct equivalent | 27001 A.5.12 classification | No direct equivalent | Identify (asset mgmt) |
| Algorithm/Gen-AI rules | EU AI Act (analogous) | 42001 AI mgmt | Under sectoral rules | Govern (AI) |
How CyberSigma Helps
CyberSigma brings CERT-In empanelled auditors and privacy specialists who operationalise the full CSL/DSL/PIPL/MLPS stack end to end. We run MLPS self-grading and prepare Grade 2+ PSB filings, coordinate accredited dengbao testing, build the security management centre for Grade 3+ systems, and deploy SM-cryptography and baseline controls. On the data side we deliver DSL classification, PIPL notice and consent architecture, PIPIAs, DPO and local-representative arrangements, and the correct cross-border transfer route (CAC security assessment, Standard Contract filing or certification). Our SigmaGRC platform tracks every control, filing deadline and KPI in a single evidence-linked dashboard, and our advisory team runs the mandatory compliance audits and incident-response drills. The result is defensible, board-ready China compliance that unlocks the market while containing regulatory and personal-liability risk.