On March 21, 2024, the National Technical Committee (TC260) on Cybersecurity of Standardization Administration of China released the GB/T 43697-2024 "Data Security Technology - Rules for Data Classification and Grading" (hereinafter referred to as "the Rules"), which will be implemented starting from October 1, 2024. The publication of the Rules marks the culmination of two and a half years of meticulous preparation since the Data Security Law (DSL), which came into effect in September 2021, mandated the establishment of a national data classification and grading protection system. The Rules establish a comprehensive and coherent operational framework that offers definitive guidance for regulatory departments across various industries, regional authorities, and data custodians.
The Rules stipulate the basic principles, framework, methods, and processes for data classification and grading, and provide guidance for the identification of important data. The core content is summarized as follows:
Data classification and grading should follow five basic principles: being scientific and practical; having clear boundaries; applying the stricter standard wherever data could fall under more than one grade; combining item-level and system-level perspectives; and being dynamically updated. These five principles are concretized throughout the Rules.
The data classification framework begins with categorization by industry domain, such as industrial data, telecommunications data, etc., and then further categorizes based on business attributes within the determined industry domain. The appendix provides more detailed guidance on categorization by business attributes. Special data categories, such as personal information (PI), should be classified in accordance with the specific requirements of relevant laws and regulations.
The Rules recommend a structured sequence of steps for data classification: "Identify the scope of the data, refine the categorization based on business context, classify the data according to business attributes, and establish definitive rules for data classification."
Data grading is based on the importance of the data to economic and social development, and on the degree of harm to national security, economic operations, social order, public interests, organizational rights, and personal rights that could result from the data being leaked, tampered with, destroyed, or accessed, used, or shared without authorization. Data is graded into three levels: core data, important data, and general data.
The Rules recommend the following reference steps for data grading: "Determine the subject for grading, identify the essential grading elements, analyze the potential impact of the data, and make a comprehensive determination of the data's grade." These steps must be executed in alignment with the five basic principles set out above.
For instance, when determining the grade of derivative data, one must apply the principle of applying the stricter standard. Grades are also not static; they should be revised dynamically in response to any shift in the data's significance or in the risk it may pose.
The Rules delineate distinct operational procedures for the classification and grading of data, tailored to the respective roles of industry regulatory departments and data processors (including PI handlers). Industry regulatory departments first formulate industry-specific standards and norms, and then classify and grade data in accordance with those benchmarks. Data processors, in compliance with national and industry-specific mandates, follow a systematic process comprising the following stages: "Taking stock of data assets, establishing internal guidelines, conducting data classification, carrying out data grading, reviewing and reporting directories, and dynamically updating management practices."
In addition to the foundational guidelines, the Rules include an appendix that offers more detailed references for the specific tasks involved in the data classification and grading process. This supplementary material is a valuable resource for practitioners in the relevant industry sectors who carry out data classification and grading work.