National Financial Regulatory Administration, Measures for Administration of the Security of the Data of Banking and Insurance Institutions (Draft for Comments)

Issued: March 22, 2023

Main contents: A banking or insurance institution shall divide data into core data, key data and general data based on their importance and sensitivity. General data is further divided into sensitive data and miscellaneous general data (Article 18).

In business activities involving the processing of data of sensitive or higher grade or conducting activities that have a relatively large impact on data subjects, such as commissioned processing, joint processing, transfer, disclosure or sharing of data, a banking or insurance institution shall conduct a data security assessment beforehand. A data security assessment shall, in light of the objective, nature and scope of the processing of the data, and in accordance with the requirements of laws, regulations, and ethical and moral norms, analyze the risks to data security and the impact on the rights and interests of the data subjects, assess the necessity and compliance of the data processing, and assess the risks to data security and the effectiveness of the preventive and control measures (Article 22).