On January 2, the National Information Security Standardization Technical Committee released the final version of the "GB/T 35273-2017 Information Security Technology—Personal Information Security Specification" (source document in Chinese). The Personal Information Security Specification sets out best practices for enforcing China's data protection rules and applies to "personal data controllers" and those with the right to decide the purpose and method of processing personal information. The Personal Information Security Specification also protects "personal sensitive information," defined as information that may lead to bodily harm, property damage, reputational damage, harm to personal heath, or discriminative treatment if such data is disclosed, unlawfully provided, or abused. The law will take effect on May 1.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.