China: Closed public consultation on Emergency Plan for Data Security Incidents in the Industrial and Information Technology Fields

On 15 January 2024, the Ministry of Industry and Information Technology of the People's Republic of China closed the public consultation on the guidelines and procedures for responding to data incidents. The guidelines aim to establish an emergency response system for data protection incidents in the industrial and IT sectors. The objective is to respond effectively to such incidents, minimize damage, and protect the rights of individuals, organizations, and national security. The Ministry of Industry and Information Technology leads and coordinates the emergency response, while local regulatory authorities are responsible for implementation in their respective areas. An early warning system for data protection risks shall be established. The system includes monitoring, analysing, and reporting on incidents of data protection. The plan categorizes these incidents into different levels of severity and defines appropriate response measures. Data processors are required to report incidents and activate emergency plans. After a data protection incident, affected entities must conduct an investigation to identify the causes and damages and propose improvements. Data processors should also conduct regular risk assessments and implement preventive security measures, including training and emergency drills. The plan also includes annexes with detailed guidelines for the classification of data protection incidents and emergency response procedures.