data protection Archives - Focus - China Britain Business Council
https://focus.cbbc.org/tag/data-protection/
FOCUS is the content arm of The China-Britain Business Council (feed last updated Thu, 08 May 2025 09:44:35 +0000)

How to navigate China’s cybersecurity and data privacy laws
https://focus.cbbc.org/how-to-navigate-chinas-cybersecurity-and-data-privacy-laws/
Fri, 18 Apr 2025 06:30:00 +0000

As China continues to grow as a significant global economic force, the country’s cybersecurity and data privacy laws mean that UK businesses exploring opportunities in this expansive market face an increasingly complex regulatory environment surrounding cybersecurity and data protection. Recent legislative developments have introduced stringent requirements, making it crucial for businesses to understand and proactively comply with these evolving regulations.

For tech companies, especially, where a strong digital foundation is required, there are not only complex rules and regulations to get to grips with, but also risks around control of sensitive data and commercial information.

Moreover, companies aiming to establish an IT presence in the region could find themselves behind China’s Great Firewall (GFW). The GFW heavily regulates and censors the internet, blocks access to many ubiquitous Western websites like Google and Facebook and slows down cross-border internet traffic. Foreign companies are required to adapt to these regulations if they want to do business in China.

China’s cybersecurity environment

China’s regulatory framework now includes several key pieces of legislation. The Cybersecurity Law (CSL), which took effect in June 2017, provides foundational rules focusing on protecting critical information infrastructure and enforcing data localisation requirements. Building on this foundation, the Data Security Law (DSL), implemented in September 2021, introduces a structured approach to data classification, requiring businesses to adopt varying protection measures depending on the data’s sensitivity and its importance to national security. Additionally, the Personal Information Protection Law (PIPL), effective from November 2021, aligns closely with principles seen in the EU’s General Data Protection Regulation (GDPR), emphasising user consent, data minimisation, and granting individuals specific rights, including data access and deletion.

Cross-border data transfers are subject to stringent controls under these laws. Companies wishing to transfer data out of China must now utilise specific mechanisms authorised by the Cyberspace Administration of China (CAC). These include undergoing security assessments administered by CAC, obtaining certifications from accredited institutions, or entering into standardised contractual agreements with international data recipients. Non-compliance can lead to severe repercussions, including fines, operational suspensions, or business disruptions.

On 9 April 2025, the CAC released the “Q&A on Data Cross-Border Security Management Policies”, giving some more practical insights into how companies can comply with this complex framework.

For example, the Q&A states that “general data that does not involve personal information or important data can flow freely across borders”. This is an important development, given that the handling of general data is not explicitly stipulated in the CSL, the DSL or the PIPL. Dezan Shira & Associates’ China Briefing has produced a detailed guide to the Q&A.

Considerations for UK businesses

For UK businesses, particularly those in the technology sector, this regulatory environment necessitates a comprehensive reassessment of data management strategies. Companies may need to implement local data storage solutions to meet localisation requirements fully. Establishing dedicated compliance programs and appointing responsible personnel to manage data protection matters is now essential. Additionally, engaging legal advisors with expertise in Chinese data regulations can significantly mitigate risks associated with non-compliance.

Moreover, increased regulatory enforcement activity by the CAC highlights the necessity for businesses to adopt proactive compliance measures. Regular compliance audits, training programs, and maintaining clear communication channels with regulatory authorities are critical practices for companies operating in China.

Operating digitally within China brings additional challenges, notably the Great Firewall, which restricts access to numerous Western online services. Businesses must plan for alternative digital infrastructure solutions and adapt to mandatory real-name user registrations required for online services. Furthermore, stringent content monitoring rules mean that companies must rigorously review and tailor their digital content to comply with local regulations to avoid censorship or penalties.

To navigate these complexities effectively, UK businesses are advised to conduct thorough compliance audits regularly, establish strong local partnerships for better market integration, invest in staff training on local data protection obligations, closely monitor regulatory changes, and actively engage with local regulatory bodies.

By proactively addressing cybersecurity and data protection risks and adapting swiftly to China’s evolving legal landscape, UK companies can enhance their prospects for successful and sustainable business operations in this critical global market.

Investing in cybersecurity is crucial for UK businesses in China – here’s why
https://focus.cbbc.org/why-cybersecurity-is-a-strategic-investment-for-uk-businesses-in-china/
Mon, 07 Oct 2024 06:30:00 +0000

Kay Ng, cybersecurity and data regulations expert and founder of Cyber Analytics, offers a guide to protecting digital data and assets for British companies operating in China

In an era of unprecedented economic volatility and geopolitical tensions, where data and cybersecurity have become the new battlegrounds, UK businesses operating in China face a unique challenge: driving business growth in a complex market while safeguarding their intellectual property and digital assets.

This guide reaffirms cybersecurity and data protection strategies, with the aim of helping companies in China to preserve their competitive advantage during uncertain times.

Why prioritising cybersecurity in China is non-negotiable, even in a downturn

In a slower growth environment, intellectual property becomes even more valuable

Robust cybersecurity measures are critical to protect trade secrets and innovations that drive competitive advantage. It is important to know in what format your IP exists, who has access to it, and whether it can be shared with competitors without your knowledge.

The typical IP a company holds is already in the public domain. However, certain IP, like trade secrets, is reserved for only a subset of inner circle executives. A global Fortune 500 manufacturing company I consulted for defined the following as IP requiring the highest level of protection:

  • Manufacturing processes and 3D drawings: These might include source code, bills of materials, etc., covering the flow from R&D through to manufacturing.
  • Customer lists: These might contain valuable information about target, existing and potential clients, their preferences and purchasing history.
  • Pricing strategies: This could include confidential information about pricing models, discounts, and other commercially sensitive data.

The Fortune 500 company’s assessment was that the above were easily subject to insider exfiltration of data and should warrant a security programme that targeted insider risks.

On the other hand, digital assets such as Internet domain names are easy targets for external attackers. Domain names could be stolen by local companies and competitors to impersonate you, thereby stealing your business.

Securing the company’s online presence and brand identity in the digital space typically forms another strand of a global company’s cybersecurity programme.

During economic downturns, regulatory bodies may increase scrutiny to protect national interests

China’s cybersecurity laws are complex and frequently updated. The Cybersecurity Law, Data Security Law, and Personal Information Protection Law form a comprehensive framework that affects almost all aspects of business operations.

During economic downturns, regulatory bodies may increase scrutiny to protect national interests. More and more non-traditional areas such as climate and the environment could now come under the umbrella of China’s state security.

Restricting the outbound flow of data means all data storage and processing such as AI and machine learning needs to be done locally. This creates job opportunities and upskilling in the local market.

The main difference between the Chinese data laws and UK GDPR is the wide and vague scope of what China considers “important data”. The deliberate vagueness means it can be interpreted in whatever way suits the regulator’s purpose.

The high stakes of data breaches: Financial and reputational risks you can’t afford

Europe tends to enforce GDPR consistently and regularly; China tends to make an example of large corporations as a deterrence mechanism.

For example, Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan (£860.3 million) by the Cyberspace Administration of China in 2022 after it decided that the company had violated the nation’s Network Security Law, Data Security Law and Personal Information Protection Law. In a statement, Didi Global said it accepted the cybersecurity regulator’s decision, which came after a year-long investigation into the firm over its security practices and “suspected illegal activities”.

The key point is that the more foreign ties a company has, the more the company is subject to geopolitical risks. To date (and to my knowledge), no UK companies have been fined under the Chinese data laws.

Cost-effective strategies for safeguarding data interests in China

Companies can apply these cost-effective practices to safeguard their interests in challenging times:

a) Smart data management: Balancing localisation and global operations

  • Targeted data classification: Implement targeted data classification to minimise unnecessary data localisation costs.
  • Data minimisation: Don’t hoard data. It costs money to collect and store, and it increases your organisation’s burden to protect it. Explore data minimisation technologies or practices to reduce storage and compliance costs.
  • Secure cloud solutions: Leverage secure cloud solutions that comply with Chinese regulations while maintaining global data access.

b) Maximising security ROI: Encryption and access control on a budget

  • Prioritise encryption: Prioritise end-to-end encryption for your most critical data assets.
  • Risk-based authentication: Implement risk-based authentication to balance security and user experience.
  • Regular access audits: Conduct regular access audits, particularly during sensitive times, to prevent unauthorised data exposure and reduce overheads.

c) Navigating compliance efficiently

  • Build relationships: Cultivate a good relationship with the relevant authorities.
  • Shared compliance resources: Consider shared compliance resources or partnerships to distribute costs while maintaining regulatory alignment.
  • Focus on fundamentals: Focus on the foundation of good data security practices and develop a streamlined compliance monitoring system to stay ahead of regulatory changes without overburdening resources.
  • Leverage technology: Utilise technology for automated compliance checks and reporting.

Staying ahead of the curve: What to watch for in an evolving landscape

a) Emerging threats in a shifting economic climate

  • Insider threats: Watch for a potential rise in insider threats as economic pressures mount.
  • Opportunistic cybercrime: Stay vigilant against opportunistic cybercrime targeting businesses perceived as vulnerable during downturns.
  • Cyber espionage: Be alert to increased cyber espionage as companies and state actors seek competitive advantages. I often see companies become the collateral damage of national rivalry rather than the targeted victim.

b) Regulatory evolution in response to economic conditions

  • Data regulation fluctuations: Anticipate potential loosening or tightening of data regulations as China balances economic growth with security concerns.
  • New incentives and requirements: Monitor for new incentives or requirements aimed at boosting specific sectors or technologies.
  • Cross-border data flow: Stay informed about changes in cross-border data flow regulations that may impact global operations.

c) Adapting to shifting cultural and operational norms

  • Evolving business practices: Be prepared for changes in business practices and cybersecurity attitudes as economic pressures evolve.
  • Government intervention: Anticipate potential increases in government oversight or intervention in key industries.
  • Risk tolerance: Understand how economic challenges might influence risk tolerance and security investment decisions among Chinese partners and competitors.

In times of economic uncertainty, businesses don’t want to spend more than needed on risk management. However, effective cybersecurity and data protection strategies become more critical in times like this. By prioritising these areas, companies can protect their most valuable assets, maintain regulatory compliance, and position themselves for resilience and future growth.

The key is to approach security as a strategic investment, balancing immediate cost considerations with long-term risk mitigation and competitive advantage. With careful planning and execution, UK businesses can navigate the complexities of the Chinese market, safeguarding their digital assets while remaining agile in the face of economic challenges.

How to comply with China’s new rules for cross-border transfer of personal information
https://focus.cbbc.org/how-to-comply-with-chinas-new-rules-for-cross-border-transfer-of-personal-information/
Thu, 07 Sep 2023 06:30:40 +0000

Multinational corporations operating in China often share information with their subsidiaries or headquarters outside the country. However, since new regulations came into effect in June 2022, certain personal data processors, including companies that only handle data on fewer than 1 million people, are required to sign contracts with overseas recipients before sending data abroad, writes Kristina Koehler-Coluccia, Head of Business Advisory at Woodburn Global

The legislative framework in China for governing data security consists of three laws: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The Measures on the Standard Contract for Cross-border Transfers of Personal Information, which came into effect last June, have the biggest impact on companies in China.

Though the measures have been in effect for some time, their implementation has been slow in practice as there are too many such companies in China and not enough manpower to handle their assessment reports. High compliance costs, difficulties in communicating with overseas data recipients and regulatory uncertainty are some key factors affecting companies’ willingness to declare cross-border data transfers.

The new rules, aimed at protecting national security, directly impact the cross-border transfer of personal information by businesses operating in China, Chinese companies listed overseas and those in data-rich industries such as retail, internet, health care, automotive, civil aviation and finance.

Corporations that regularly share employee or customer data with their headquarters, share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China may be subject to China’s cross-border data transfer requirements.

The first of the three mechanisms for transferring personal information out of China is the signing of a standard contract with an overseas recipient. The other two are a mandatory security assessment by the Cyberspace Administration of China (CAC), which applies to critical information infrastructure operators and to transfers of important or sensitive personal data, and certification by an accredited institution (applicable to intra-group transfers and to data processors abroad that are subject to the extra-territorial application of China’s Personal Information Protection Law).

The latter certification is only available if the transfer does not fall within the mandatory assessment requirements, and not all entities can adopt this option. For example, representative offices set up by foreign entities are not eligible.

Businesses that transfer personal data out of Mainland China on a smaller scale, such as small and medium-sized enterprises, may opt for the standard contract. This option can only be used under certain circumstances:

  • The data processor is not a critical information infrastructure operator
  • It processes the personal data of less than 1 million individuals
  • Since 1 January of the previous year, the personal data of less than 100,000 individuals (in aggregate) has been transferred
  • Since 1 January of the previous year, sensitive personal data of not more than 10,000 individuals (in aggregate) has been transferred

A personal information protection impact assessment (PIA) must be executed before entering into the standard contract. This step evaluates important matters such as the legality and necessity of the data transfer, the scale, scope, and sensitivity of the outbound personal data, the risks to the rights and interests of individuals concerned, and other security issues. Data systems must be compatible with Chinese law in order to pass the PIA, and it is prohibited to divide data into smaller quantities to meet the standard contract criteria in an attempt to circumvent the mandatory security assessment regime.

The standard contract, impact assessment report and other supporting documents must be presented to the local cyberspace administration authority within 10 working days of the effective date of the contract.

While the Chinese government hopes to develop the digital economy to uplift the country’s gross domestic product, the rules could slow down progress for the industry. Regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth. Moreover, industry experts argue that many aspects of the rules remain vague, such as in security assessments, thus slowing down the approval process and causing confusion for some companies.

A lack of clarity on the review criteria is slowing down the approval process, with regulators and companies not seeing eye-to-eye on why the requested data transfers are necessary. The measures for security assessment require applicants to explain why it is justified, legal and necessary for their data to flow overseas and for overseas recipients to process it, but not much more is specified.

Regulators are trying to shift more of their efforts to helping contracts complete the filing process, which in turn will speed up their approval of security assessments, according to experts.

Companies that need to rectify any non-compliant arrangements that were in place before 1 June 2023 have until 30 November to do so.

What do China’s data protection laws mean for UK higher education?
https://focus.cbbc.org/what-do-chinas-data-protection-laws-mean-for-uk-higher-education/
Fri, 27 Jan 2023 07:30:24 +0000

The UK’s higher education institutions regularly work with important data and process sensitive personal information, but if they are to work in or with China, they need to understand and comply with China’s data protection laws too. Here’s how.

Over the last decade, laws governing the collection, storage, transfer and usage of data have become a cornerstone of the regulatory environment in many markets, including China. Indeed, with China as one of the chief sources of data created worldwide – by 2025, data from China is predicted to account for 27.8% of the total global data created that year – such laws have been among the most high-profile passed there in recent years, attracting attention and commentary from business, legal and administrative communities alike.

Data protection laws are applicable in a wide range of sectors, from e-commerce and the creative industries, to life sciences and healthcare. They are of particular relevance to the education sector though, where those providing services rely upon the accurate and timely collection of various types of data to ensure the quality, suitability, and safety of their offerings. For higher education institutions from the UK, the European Union’s General Data Protection Regulation (GDPR) is likely to be the most familiar. And while an understanding of the GDPR is, by itself, not sufficient to effectively operate within the China market, it remains a useful starting point due to certain similarities between its goals and practices and those of China’s own data protection laws. Succeeding in China generally requires a deeper comprehension of local requirements, however.

The evolution of China’s data protection regime

At the most fundamental level, there are three key laws covering data protection in Mainland China: the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), and the Data Security Law (DSL) – all of which were passed in the years since 2017. Together, and alongside various other measures issued by the authorities, they lay out the demands on those handling different types of data. For higher education institutions, meeting these demands involves knowing the differences between Network Operators and Critical Infrastructure Information Operators; the importance of roles such as that of the Personal Information Handler, as well as how these roles can fit into existing institutional infrastructures; and the classification framework that splits data into three categories.

Cybersecurity Law

In China, the first major law regulating data was the Cybersecurity Law (CSL) in 2017, which, at the time, had a strong emphasis on national security. Since then, the focus has shifted towards data privacy and personal information. While this is partly due to the vagueness of the initial law – which included only superficial provisions regarding private data – growing consumer concerns over data theft and insufficient privacy protection have added pressure on Chinese policymakers to create a more coherent and comprehensive data protection regime.

The CSL created strong incentives for the Chinese government to establish clear standards for data collection and transfer. Thus, shortly after the CSL came into force, China published its first Personal Information Security Specification, which defined personal data as including biometric information, personal addresses and bank records. The specification was updated in 2020, adding further safeguards against the unauthorised collection of private data: for example by allowing users to opt-out from specific online functions.

Personal Information Protection Law

Despite the regulatory activism sparked by the CSL in 2017, the legal foundations for individual data protection remained shaky and scattered across several laws. One particular problem was the lack of a uniform definition of the individual’s right to his or her own data, which was compounded by the fact that the exact nature of what constitutes a violation of privacy rules was stipulated in four different laws: the Criminal Law, the General Principles of Civil Law, the CSL, and the new Civil Code.

The passage of the Personal Information Protection Law (PIPL) in August 2021 marked an important milestone as it provided a single, systematic framework for individual data protection. The many similarities between the GDPR and the PIPL have earned the latter the moniker ‘China’s GDPR’, which, despite differences between the two, has brought China’s data protection regime more in line with international standards.

More importantly, the PIPL has shifted the legal focus of China’s data rules away from security and in a more consumer- and commercial-orientated direction. This shift has not only allowed a more open and pragmatic discussion about the challenges any new data regime faces in a continually evolving technological environment, but has also raised the possibility for foreign organisations – such as UK higher education institutions – to participate more actively in future legislative processes; an input that was mostly ignored during the early stages of China’s cyber-related rule-making.

Data Security Law

Nonetheless, national security remains important. The Data Security Law (DSL), which came into effect in June 2021, is a strong reminder of this. The DSL affirms that the Cyberspace Administration of China (CAC), a government agency, remains in charge of all data-related regulations. The law also highlights the importance of the two areas that particularly affect foreign institutions: how to manage sensitive personal information and how to conduct cross-border transfers of such information.

Both of the above-mentioned issues are subject to evolving regulatory frameworks that have sprung up since the implementation of the CSL in 2017. Sensitive personal information – including biometric, health and financial data – is defined by the Personal Information Security Specification. Data that falls into this category is subject to specific rules governing data storage, requirements in the event of breaches and leaks, and data transfers.

The CBBC View

Success in China is often best rooted in the knowledge that its data protection laws, while complex and at times fragmented, and while perhaps somewhat unfamiliar in comparison with the legal regimes in place in other markets, continue to be refined, deepened and expanded upon. Crucially, there are solutions to the challenges that China’s data protection laws present, and they are solutions that start with a thorough and up-to-date understanding of the history, development, and application of the laws themselves.

Looking ahead to 2023 and beyond, the China opportunity remains vast. More than ever, it is an opportunity that UK higher education institutions are well placed to grasp as the country continues to build and modernise its data protection infrastructure, provided they continue to refine and adapt their services alongside these changes.

The information in this article is extracted from “China’s Data Protection Laws and What They Mean for The UK’s Higher Education Sector”, and is the first in a series of reports available exclusively to subscribers of CBBC’s Comprehensive Higher Education Strategy Service (CHESS).

What does China’s new data privacy law mean in practice?
https://focus.cbbc.org/what-does-chinas-new-data-privacy-law-mean-for-uk-companies/
Tue, 07 Dec 2021 07:30:24 +0000

China’s new Personal Information Protection Law (PIPL) came into effect on November 1 and is now one of the strictest in the world governing what businesses can do with Chinese people’s personal information. So what do China’s new data privacy laws mean for your company in practice? And how can you make sure you’re compliant with the new regulations?

In this article, first published in China Briefing, Thomas Zhang, Dezan Shira & Associates’ Group IT Director, introduces the PIPL and explains several key considerations for companies to build a roadmap for compliance.

PIPL states that a company should appoint “a person in charge of personal information protection” when processing personal information on a large scale based on the criteria specified by the CAC. Is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?

No, it is not mandatory; however, for companies that don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general, in cases where the company has an office in China and they can find a local person to play the role of representative, there is no need to have a DPO. Nevertheless, many companies don’t have enough internal resources to support this, so an external DPO can be very helpful.

Can a company send aggregated information derived from personal information across borders, especially if it doesn’t contain any specific personal information on Chinese citizens?

Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.

A company is exchanging data with its headquarters via SAP. Will this be deemed a cross-border transfer and require a Data Protection Impact Assessment (DPIA)?

If your IT system is located in the UK, but your business operations in China are processing personal information, you will need a DPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now, we will need to wait for more details from the government.

Many international schools store student data. What about the protection of data for children under 14 years old? Are there special protections under the PIPL?

Yes. Information from people under 14 years of age will also be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a DPIA.

Are employee names and mobile phone numbers in an active directory considered personal information?

Yes. The definition of personal information is very wide under the PIPL. Any information that can be tied to one single individual is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.

Are security logs (e.g., firewalls and active directories) considered personal information (as they are usually linked to an IP address or account name and not directly linkable to the user)?

Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective, we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.

If processed personal information is stored by a third-party vendor such as Google Drive, does it fall to the vendor to formulate proper information protection that complies with the PIPL?

Similar to GDPR, under PIPL, it is the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility for personal information protection. Therefore, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.

If an IP address is a company private IP address, for example, 10.0.0.1, is it considered personal information?

From a technical perspective, yes. For example, in China, the cyber police require companies to set up a firewall or security device, which can allow the company to track the website access logs for users. This means that even if you are using a private IP of your company, your firewall or security device can still track these records, and IT can use these records to trace back to the individual using this IP address. In practice, however, at the current stage, IP address information is really a minor consideration for the authorities. There are other more significant issues for the authorities to pay attention to.

This article was first published by China Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to info@dezshira.com for more support.

How will China’s new data protection laws affect your business? https://focus.cbbc.org/what-are-chinas-new-data-protection-and-user-data-laws/ Mon, 30 Aug 2021 07:41:26 +0000
UK companies operating in China are beholden to an increasing number of cybersecurity regulations influencing a raft of business activities, including the ease with which a Chinese subsidiary of a multinational company can share customer or R&D data with other parts of the business, and how businesses store data.

Two new regulations making their way into law, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), are predicted to add to the compliance burden of companies needing to move data to and from China. Together with the 2017 Cyber Security Law, these laws form the backbone of China’s cybersecurity regulation.

Data Security Law

Passed on 10 June and coming into effect on 1 September 2021, the DSL governs how data is collected, used, stored, and protected in China, including tightened restrictions on the transfer of data outside of China.

One important element of the law is a grading system that will define and establish a hierarchy of what the authorities consider important data; companies will in turn have to classify the data they handle accordingly. There will also be different levels of fines and penalties for data protection violations depending on the importance of the data involved. For example, special permission may be required to collect data related to critical information infrastructure (including, but not limited to, sectors such as public communications, energy, finance, and e-government) or any data which, if disclosed, might threaten national security, the national economy, or public interests. Beyond these, however, the classifications of important data have not yet been set.

Personal Information Protection Law

Sometimes referred to as China’s answer to the EU’s General Data Protection Regulation (GDPR), the PIPL was passed on 20 August and will be implemented from 1 November.

As Torsten Weller observed in a recent episode of China Business Brief, PIPL does share similarities with GDPR. For example, PIPL has strong consent and personalisation clauses, requiring user consent for the use and sharing of data, as well as an option to opt-out of automated data collection. However, there are some significant differences. For example, PIPL includes a separate clause on what happens to a user’s data after they die, i.e., their close relatives automatically gain the right to manage their data.

For businesses, there are two crucial parts of the law. The first is how data can be transferred outside of China. Companies will have to accept an audit and receive a license — likely from the Ministry of Industry and Information Technology (MIIT) — in order to transfer data out of China. The other crucial element is the liability clause, which requires companies to have a specific person (who can also be external) supervising data protection policy and who is personally liable for any data violations.

Why have these laws been introduced?

There are two main drivers behind these new laws. The first is growing awareness of consumer data protection. As China’s tech giants like Tencent and Alibaba have grown, there have been increasing numbers of public complaints about misuse of data and user privacy violations. For example, during this year’s 618 shopping festival, several e-commerce companies and telecoms operators were called to a meeting with MIIT over invasive spam marketing text messages. Furthermore, on 18 August, 43 apps, including WeChat, were criticised by MIIT for illegally transferring user data such as contact information and location, and also spamming users with pop-up ads.

The second is national security, as evidenced by the emphasis on “critical information infrastructure” and “core data” in the text of the DSL. This was also made clear when the Cyberspace Administration of China opened an investigation into Didi just days after its New York IPO, citing the need to “guard against risks to national data security.”

The impact on businesses

Many are wondering whether these new laws will become a burden for companies operating in China, especially those conducting R&D activities that involve significant amounts of data. Companies will potentially have to invest in data storage facilities in China or in hiring extra personnel to manage data protection, as mentioned above. As Torsten Weller pointed out, it will not really be possible for UK companies to operate in China without storing user data in China.

Although, to date, no detailed implementation guidelines have been released, companies should start reviewing and assessing their data activities to identify areas that could potentially require compliance with these new laws.
