What It Is

Personal Information Protection Law (PIPL) is China's comprehensive national regulation, effective November 1, 2021, governing collection, processing, storage, transfer, and deletion of personal information. It applies to domestic and foreign organizations handling data of individuals in China, with extraterritorial scope. Adopting a risk-based approach, it emphasizes consent, minimization, and security, intersecting with Cybersecurity Law and Data Security Law.

Key Components

• Eight chapters, 74 articles covering processing rules, cross-border transfers, individual rights, handler obligations.
• Core principles: lawfulness, necessity, minimization, transparency, accountability.
• Sensitive personal information (SPI) rules, automated decision-making restrictions, data subject rights (access, deletion, portability).
• Compliance via impact assessments, audits; no certification but CAC enforcement.

Why Organizations Use It

Mandatory for China-exposed entities to avoid fines up to 5% annual revenue or RMB 50 million. Enables market access, builds trust, reduces breach risks, supports cross-border operations via SCCs/security reviews. Strategic for MNCs in e-commerce, fintech, healthcare.

Implementation Overview

Phased: gap analysis, data mapping, policies, controls, transfers. Applies universally; high complexity for globals. 6-12 months typical, with ongoing audits, training, representatives for foreigners. (178 words)

What It Is

ISO 31000:2018, Risk management — Guidelines, is an international standard offering a principles-based framework for systematic risk management. It defines risk as the effect of uncertainty on objectives, providing non-certifiable guidelines applicable across sectors to identify, assess, treat, monitor, and communicate risks, creating and protecting value.

Key Components

• **Three pillars8 principles (integrated, structured, customized, inclusive, dynamic, best information, human factors, continual improvement); Framework (leadership, integration, design, implementation, evaluation, improvement); Process (context, assessment, treatment, monitoring, recording).
• No fixed controls; flexible PDCA-aligned approach.
• Emphasizes leadership commitment and culture.

Why Organizations Use It

• Drives strategic decisions, resilience, and opportunities.
• Aligns with regulations like Basel III; reduces losses.
• Builds stakeholder trust, lowers insurance premiums.
• Competitive edge via risk-adjusted performance.

Implementation Overview

• Phased: diagnose/design, build/deploy, operate/optimize, institutionalize.
• Key activities: policy, risk registers, training, integration.
• Suits all sizes/industries; no certification, internal audits suffice. (178 words)