PIPL Information Center
PIPL Technical First Steps
So you’re on the road to China PIPL compliance and are wondering how to get started on the technical side. More is coming soon, but here are some thoughts on China PIPL technical first steps:
- System Lists – The most basic first step is to build a list of all your systems that hold personal data. It’s a lot of systems, both inside the company and probably outside in SaaS or third-party products such as HR, payroll, email services, and many others. Don’t be surprised if you have dozens or even hundreds of systems. You’ll also want to prioritize these by size or impact, as a customer data system or an HR system is far more important than the VIP parking lot access system for 10 people.
- Data Processes – You’ll need to find, document, and flow-map your main data processes, such as onboarding new employees or customers, including the data involved at each step, the systems touched, where that data ends up and in what form, how it’s retained, and for how long. There are usually a lot of “ah ha, didn’t know that” moments in this process.
- Data Mapping – Finding all your data is a long and complex process, but at least start listing what types of data are in each system, such as for employees, customers, etc. and the general use or processes involved in each, as that’ll help drive you to find more detailed information later. And you’ll often find things that no one knew or were long forgotten by departed employees, so it’s a good exercise in self-discovery. Here is a good blog on Data Mapping (for the GDPR).
- Vendor Lists – Be sure to find and carefully document all the 3rd parties and vendors involved in all this, including contact information and the contracts in place, as much of this has to be disclosed publicly to your users. We all increasingly rely on 3rd parties, so this is an ever-larger piece of the privacy tracking pie.
- Technical Projects – Start work on a list of the projects your IT and development organizations will need, including some initial scoping and effort estimates, some priorities, and an initial sense of how you’ll deal with the PIPL requirements. That includes how you’ll obtain, store, and revoke consent, what 3rd party tools might be helpful, cookie management, etc.
- Technical Learning – Your tech team (and tech vendors or partners) will need to study up on the PIPL and its requirements, the available tools, best practices, and even if you have GDPR-compliant systems, the differences and tighter requirements of the PIPL.
- Technical Planning – Finally, really dig into how you’ll solve the early and urgent challenges created by PIPL compliance, especially in globally-driven systems that may share source code with other country-level systems. And of course, if personal data is being transferred out of China, there is a whole other level of discussion and planning on how to manage that under the very strict PIPL requirements.