Translation: Principles and Criteria from China’s Draft Privacy Impact Assessment Guide

Published

September 13, 2018

On June 13, China’s official information security standards organization, known as TC260, released for comment a draft guide for organizations to assess the privacy implications of a wide variety of practices. The guide—officially named Information Security Technology – Security Impact Assessment Guide of Personal Information (信息安全技术 个人信息安全影响评估指南)—is designed to set a Chinese standard for “privacy impact assessments” (PIAs), following a global trend of emerging procedures to identify and minimize risks to privacy.

PIAs generally come into play in scenarios where data processing poses high or unknown risks to privacy, for example when new products or practices in an organization trigger particular privacy concerns, or when large amounts of sensitive personal information will be processed. China’s new draft guide specifically addresses both private sector and government actors.

Once finalized, the guide would be formally non-binding, but—like many TC260 standards—would effectively establish standard practices and a basis for regulatory enforcement. Along with the Guide for De-Identifying Personal Information and Guidelines for Data Cross-border Transfer Security Assessment, both currently in the drafting stage, the PIA guide is designed to establish a tripartite standard system for personal information security under the broader Personal Information Security Specification, which is already in effect.

The guide covers details like who should initiate and lead PIAs (section 4.4), how to prepare (section 5.2), what factors should be considered and with what weights (sections 5.4–5.6), and when PIAs should be conducted (section 6). In many aspects, the guide appears similar to an EU approach, setting a high bar to protect individual rights against data breaches. In the suggested criteria, heavy weight is placed on potential risks to individual interests, which range broadly from financial loss and effects on credit scores to discrimination, reputational damage, and psychological effects.

The guide embeds the idea of privacy-by-design, echoing elements of the EU’s General Data Protection Regulation (GDPR). It suggests that organizations assess impacts from the very beginning of a new product design and continue in an ongoing process whenever a significant legal or business environmental change occurs. Section 6.3 lists nine high-risk scenarios where impact assessments are suggested, which are highly similar to the list recommended by the EU advisory body WP29 in its Guidelines on Data Protection Impact Assessment supporting the GDPR.

Below is a translation of a crucial appendix to the draft PIA guide that elaborates the details regarding risks, practices, and standards for organizations to determine impacts on personal information security.