Email marketers with customers in Asia are facing a tough new law in China: the Personal Information Protection Law (PIPL), according to an analysis by JDSupra.
The draft law focuses largely on data breaches. And while it lacks a clear definition of a breach, the law requires that firms protect data on individuals or face tough fines, JDSupra writes.
Under PIPL, China’s data protection authority may “order a correction, confiscate any unlawful income, issue a warning,” or impose a fine of up to 50 million CNY (roughly U.S. $7.8 million) or 5% of the previous year’s revenue, JDSupra adds.
What’s more, the authority can suspend the firm’s business operations and revoke its business license.
In addition, the data controller may be personally fined up to 1 million CNY, or U.S. $160,000.
According to the analysis, firms must:
- Develop internal management systems and operating procedures
- Implement classified and categorized management of personal information
- Take technical security measures such as encryption and de-identification
- Reasonably set operating permissions for personal information handling, and conduct security education and training for employees on a regular basis
- Develop and implement response plans for personal information security incidents
- Take other measures prescribed by laws and regulations.