What is China's Personal Information Protection Law (PIPL) and how does it impact payroll and HR?

What is the PIPL?

The new China Personal Information Protection Law (PIPL) represents the first comprehensive privacy law in the nation’s history. 

The introduction of the PIPL in November 2021 has a significant impact on the way that companies who do business in China or who handle and manage Chinese residents’ personal data.

Non-compliance could result in fines of up to 5% of a company’s annual revenue (or ¥50 million or approximately USD 12 million).

How is “personal data” defined within PIPL?

Personal data under the PIPL is any kind of information related to an identified or identifiable natural person that has not been anonymised. This means any information that could identify any aspect of an individual’s personal, public or professional life.  

Examples include a person’s name, address, phone number, email address, IP address, and cultural, economic and biometric information.

What responsibilities do HR leaders face around PIPL?

Among the most important considerations for business and HR leaders related to China’s Personal Information Privacy Law is how they’re capturing, using, managing and securing their Employee Data throughout its full lifecycle. 

There are many use cases that HR professionals and leaders will need to think as they prepare for further developments related to China’s Personal Information Privacy Law including: 

  • Use of entrusted parties 
  • Handling of sensitive Personal Information 
  • Cross-border transfer of Personal Information

Other PIPL points to consider:

Update your staff and applicants with privacy notices

Under the PIPL, you have to update your staff and applicants with privacy notices that specify what is the purpose of the processing, what is the legal basis for such processing, and who is processing their personal data.

Transfer personal data out of China

HR will have to implement a lawful mechanism to transfer personal data out of China. The exact mechanisms have yet to be defined by the Chinese government.

Notify the data protection authorities in time

Personal information handlers, meaning persons or companies making the decision to launch data processing and overseeing the means by which personal data is processed, must notify the Data Protection Authorities once made aware of a personal data breach.

Document and demonstrate compliance with the PIPL

HR is now expected to document and demonstrate compliance with the PIPL, such as being able to provide a registry of applications, processes and categories of data being processed by your organisation.

How an outsourced HCM solution can help

Given the complexity of compliance, it is not surprising that over three quarters of HR leaders are using the PIPL, GDPR and other data privacy legislation as a driver for seeking an outsourced HCM solution. 

Why outsource? Your company may not have the technical expertise or resources to carry out the necessary requirements of the PIPL and outsourcing your HR data processing to a cloud-based HCM provider like ADP can go a long way towards meeting the burden of accountability. ADP has experience in successfully implementing privacy principles similar to PIPL across the globe. We have operationalised PIPL provisions within our services to help you navigate compliance challenges. ADP can help your organisation position itself to meet the requirements of this demanding new age in China’s privacy protection. 

Meet the PIPL requirements with ADP’s suite of global payroll products.

Recent blog articles

guidebook

China’s Personal Information Protection Law (PIPL) – don’t forget about your employee personal data

guidebook

China PIPL vs. GDPR: Similarities and Differences Explained

guidebook

Top questions to ask to assess your employee data strategy for China’s Personal Information Protection Law (PIPL)

Let's find the perfect solution for your business

How can we help today?
Are you a current ADP client?

Call us at: +65 6499 5388

Your privacy is assured.