In a bid to bolster data security within the financial landscape, the National Financial Regulatory Administration unveiled the Draft Measures for Data Security Management of Banking and Insurance Institutions on March 22, 2024. These proposed regulations, in alignment with China’s Data Security Law, Cybersecurity Law, and Personal Information Protection Law, delineate stringent protocols for handling data within banking and insurance entities. This article summarizes the compliance recommendations for financial institutions as outlined in the draft measures.
Internal Compliance Framework
One of the pivotal mandates of the draft measures is the establishment of robust data security governance structures and accountability mechanisms within financial institutions. Each department is assigned specific responsibilities to ensure data security:
- The central data security management department is entrusted with formulating data security management principles, planning, systems, and standards.
- Business departments are obligated to safeguard data within their domains and adhere to data protection management requirements.
- Risk compliance and audit departments are tasked with integrating data security into overall risk management and internal control systems, conducting regular audits, and initiating corrective actions as needed.
- Technical departments for data security protection are charged with devising and implementing technical protective measures and systems.
Furthermore, financial institutions are required to provide data security education and training for all staff to foster awareness and create a conducive environment for data security and development.
Data Classification Protocols
The draft measures advocate for the categorization of data into core, important, and general segments based on their significance and sensitivity. Financial institutions are urged to establish a dynamic data classification and protection system to ensure data security across all levels.
Third-Party Management
The proposed regulations underscore stringent guidelines for financial institutions engaging third parties in data processing activities, including:
- Development of detailed security management guidelines.
- Conducting data security assessments prior to data transfers to evaluate necessity, compliance, security risks, and the efficacy of risk control measures.
- Establishment of a centralized approval system for external data procurement and collaboration.
- Prohibition of outsourcing responsibilities for IT management and data security, as stipulated by the Measures for the Regulation of Risks in Information Technology Outsourcing by Banking and Insurance Institutions.
- Monitoring for data processing anomalies or incidents in collaborations with third-party institutions to prevent data breaches or illegal usage.
Safeguarding Data Operations
Financial institutions are mandated to maintain logs and backups of sensitive data operations, with preservation periods varying based on the level of data sensitivity. Furthermore, the draft measures necessitate the conduct of Personal Information Protection Impact Assessments (PIPIA) for activities significantly impacting individual rights, with resulting reports and handling records retained for a minimum of three years.
Looking Ahead
The draft measures hint at the National Financial Regulatory Administration’s intention to develop a critical data catalogue for the banking and insurance sectors, urging financial institutions to closely monitor these developments and adjust their data protection measures accordingly.