DCC summary, not a translation. GB/T 43697-2024 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s framework, drawn from the published text, for overseas compliance teams who need to understand how data is classified and graded under China’s Data Security Law.
Scope
GB/T 43697-2024 specifies the principles, framework, methods and workflow for data classification and grading, and provides an important-data identification guide. It applies in three settings:
- Sector regulators (行业领域主管/监管部门) use it as the reference for drafting classification-and-grading standards for their own sectors.
- Regions and departments use it to carry out their own classification and grading work.
- Data processors use it as a reference for classifying and grading the data they hold.
The standard expressly does not apply to state-secret data or military data, which are governed by their own regimes.
It is the technical companion to DSL Article 21, which establishes the “data classification and grading protection system” (数据分类分级保护制度) and directs that data be protected according to its importance to economic and social development and the degree of harm that would result if it were tampered with, destroyed, leaked, or illegally obtained or used.
Key contents
The standard is organized into seven main clauses plus extensive informative annexes (A–J).
Core definitions (Clause 3). Three grade tiers are defined:
- Core data (核心数据) — important data that, given high coverage of a domain/group/region or high precision, scale or depth, could directly affect national political security if illegally used or shared. It chiefly covers data bearing on key national-security fields, the lifelines of the national economy, major public interest and people’s livelihood, plus other data so designated by the relevant state authorities.
- Important data (重要数据) — data of a specific field, group, region or reaching a certain precision and scale that, if leaked or tampered with/destroyed, could directly endanger national security, economic operation, social stability, or public health and safety. Data affecting only the processor itself or individual citizens is generally not important data.
- General data (一般数据) — all data other than core and important data.
Supporting definitions include data, personal information, sensitive personal information, industry-sector data, public data, organization data, derived data (衍生数据), and data processor.
Basic principles (Clause 4). Five principles govern the exercise: scientific-and-practical (科学实用), clear-boundary (边界清晰), higher-and-stricter (就高从严 — when multiple factors apply, grade to the highest applicable impact), point-and-surface integration (点面结合 — account for aggregation across fields/groups/regions), and dynamic updating (动态更新).
Data classification rules (Clause 5). Classification proceeds first by sector, then by business attribute. Sectors include industrial, telecom, financial, energy, transport, natural-resources, health, education, and scientific data, among others. Within each sector, regulators refine classification using business attributes such as business area, responsible department, described object, process stage, data subject, content theme, data use, processing activity, and data source. Categories with dedicated legal requirements (notably personal information) are identified and classified per the applicable rules — sensitive PI identification is deferred to the dedicated sensitive-PI national standard.
Data grading rules (Clause 6). Grading runs in four steps: (a) determine the grading object (data item, dataset, derived data, cross-sector data); (b) identify the grading factors (Clause 6.3) — domain (领域), group (群体), region (区域), precision (精度), scale (规模), depth (深度), coverage (覆盖度) and importance (重要性); (c) conduct impact analysis (Clause 6.4) over the impact object (national security, economic operation, social order, public interest, organizational rights, personal rights) and the impact degree (特别严重危害 especially serious / 严重危害 serious / 一般危害 general harm); and (d) determine the grade per the level-determination table (Table 1) and the comprehensive rules (Clause 6.6). Datasets default to the highest grade among their constituent data items (subject to upward adjustment for scale); derived and cross-sector data are graded under the higher-and-stricter principle with attention to processing depth and fusion effects.
Identification thresholds (Clause 6.5 + Table 1). Data is core data where it would cause especially serious or serious harm to national security, or especially serious harm to economic operation / social order / public interest (e.g., relating to the lifelines of the national economy, major livelihood, or major public interest), or where it has high coverage/precision/scale/depth directly affecting political security, or is so assessed by the relevant authorities. Data is important data where it would cause general harm to national security, or serious harm to economic operation / social order / public interest, or relates to specific fields/groups/regions or reaches a certain precision/scale/depth directly bearing on national security, economic operation, social stability, or public health and safety, or is so assessed by the sector regulator. All other data is general data.
Workflow (Clause 7). Two workflows are given: the sector-regulator workflow (draft sector standards, then organize processors to classify, grade, and report important/core-data catalogues) and the processor workflow (inventory data assets → set internal rules → classify → grade → review and report catalogues → dynamically update).
Annexes (A–J, informative). These provide reference material: classification by described object (user/business/operations-management/system-O&M data) and by data subject (public/organization/personal data) in Annex A; grading-factor, impact-object and impact-degree considerations (Annexes C–F); the important-data identification guide (Annex G); optional sub-grading of general data (Annex H); derived-data grading (Annex I); and dynamic-update triggers (Annex J).
How it fits the regime
GB/T 43697-2024 is the keystone technical standard for the data classification and grading protection system required by DSL Article 21. Where the DSL sets the policy at a high level, this standard supplies the operational method that turns it into practice — the common vocabulary (core / important / general data) and the step-by-step grading logic that sector regulators and data processors are expected to follow.
It interlocks with the Network Data Security Management Regulations (effective 1 January 2025), which impose heightened obligations on processors of important data (risk assessments, designated security officers and management bodies, and reporting of important-data catalogues). Identifying which data is “important” or “core” is precisely what this standard governs, so it is the practical precondition for complying with those downstream duties. Sector catalogues issued under DSL Article 21 (for industrial, automotive, financial, health and other sectors) are built on this framework, and a processor’s data-classification inventory and important/core-data catalogue — produced via the Clause 7 processor workflow — are the artefacts regulators expect to see in a data-security review or inspection.