guidebook

Top questions to ask to assess your employee data strategy for China’s Personal Information Protection Law (PIPL)

Wherever you are in the world, if you do business in China and handle China residents’ data, PIPL is set to change the way you manage data governance.  

While PIPL has similarities to GDPR, there are some key differences that all businesses with interests in or with China need to consider. 

Compliance with the new regulation extends to the information you hold on employees, not just your customers. It’s important to include HR and payroll systems in your plans as well.

The first place to start is an audit of your employee data. 

Auditing your data doesn’t have to be daunting. We share 11 key questions to help guide you in assessing your readiness and Employee Data areas to address to comply with PIPL.

  1. Where is your employee / interviewee data stored?

    It’s important that you’re certain of all the locations or systems in which your employee data is housed. You’ll need to map out all locations – everywhere from hard copy on top of the printer to servers, shared drives and desktops.

  2. Who has access?

    Often data needs to be shared with interviewers, but what happens to those CVs afterwards? Is it sitting in the interviewer’s inbox? Or have they printed or shared it? All employees will need to be properly trained in PIPL data security requirements.

  3. What’s keeping it secure? E.g. encryption rules

    You’ll need appropriate security procedures in place to be compliant with broader privacy regulation, such as training on handling data.

  4. What permissions have you set?

    A key foundation is ensuring that an individual's data is only used for the specific consent they’ve granted. But what about if an employee erroneously prints or shares a document they shouldn’t? Or the way in which information is used? You’ll need well mapped use cases and clear, associated permissions.

  5. How well protected are you against a data breach?

    A strong understanding of how secure your infrastructure is means you’ll need to think further than just your own business. For example, how familiar are you with the level of security applied to the data administered by your third-party providers? 

  6. What data do you store?

    A clear understanding on the level of data you hold on your employees, across systems needs to be charted, if you haven’t already. This can include everything from doctors’ notes relating to medical absence, through to details about their religion.

  7. How long is that data stored?

    PIPL requires not to process any data for longer than required depending on the purpose of each processing. You’ll need an understanding of the purge capability of all applications that you are using.

  8. Are you clear on what constitutes as personal data?

    Get thoroughly familiar on what counts as personal data under PIPL and the inferences your systems make about employee data. You’ll need this to organise, classify and help manage permissions.

  9. Do you manage data across multiple markets?

    Do you have the appropriate procedures in place to share employee data inside and outside China? Your need to be compatible and have the appropriate mechanisms in place to be both compliant and ensure that you’re able to effectively manage appropriate consent. 

  10. Do you feel your current provider is supporting your efforts in becoming compliant?

    It’s important that you feel confident that your providers are doing all they can to support you in ensuring your business is compliant. Find out how they will be supporting you throughout the process and as new rules are issued for interpretation.

  11. How do you deal with employee requests?

    PIPL stipulates that you need to respond to individuals’ requests about their personal information on a timely basis. How quickly can you respond to any employee request surrounding personal data and guarantee it remains compliant with the PIPL, as well as any additional local legislation? While “timely” hasn’t been defined yet, you’ll need an understanding of your response time as new rules and guidelines are released over time. 

Employee Lifecycle Map and Data Audit Tool 

There’s a lot to think about, so we’ve developed an employee lifecycle map and audit tool to help you assess where your plans are currently, and what you should focus on to ensure compliance. Download our audit tool for: 

  • Questions and practical prompts to help you audit and prepare your own internal data systems and processes
  • Examples of when an employee might use their new data rights, and what the implications would be for your systems
  • Checklist to help you ensure internal compliance requirements of PIPL are built into your overall strategy

This information is part of a series of information articles and webinars developed by ADP to help you learn more about China’s Personal Information Protection Law. For more information, register for our webinar: The Internal Impact of PIPL

This article is intended for informational purposes only and does not constitute legal advice. We recommend you seek independent legal advice for your specific business. 

Related resources

guidebook

China’s Personal Information Protection Law (PIPL) – don’t forget about your employee personal data