---
title_en: "Information Security Technology — Guide for Personal Information Security Impact Assessment (GB/T 39335-2020)"
title_zh: "信息安全技术 个人信息安全影响评估指南 (GB/T 39335-2020)"
abbreviation: "GB/T 39335"
hierarchy: "standard"
issuing_body: "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)"
effective_date: 2021-06-01
status: "effective"
related_laws: ["pipl"]
domains: ["personal-information"]
url: https://datacompliancechina.com/laws/gbt-39335-pi-impact-assessment-guide/
summary: "GB/T 39335-2020 is the recommended national standard that operationalizes the personal-information security impact assessment (PIA / 个人信息安全影响评估). It sets out the principles, implementation method, working steps and reporting format for assessing the risks that personal-information processing poses to data subjects' rights and interests. Issued in 2020 and effective 1 June 2021, it is the practical reference China's handlers use to conduct the impact assessment that PIPL Article 55 makes mandatory before high-risk processing activities."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/gbt-39335-pi-impact-assessment-guide/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Information Security Technology — Guide for Personal Information Security Impact Assessment (GB/T 39335-2020)", https://datacompliancechina.com/laws/gbt-39335-pi-impact-assessment-guide/
> *DCC summary, not a translation.* GB/T 39335-2020 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's method and structure, for overseas compliance teams.

## Scope

GB/T 39335-2020 provides **the basic principles, the implementation methodology and the working procedure** for conducting a personal-information security impact assessment (个人信息安全影响评估 — the PIA, the direct forebear of PIPL's "personal information protection impact assessment", PIPIA). It addresses **when** an assessment should be triggered, **how** to assess the impact on personal-information subjects' rights and interests, and **how** to document the result. It applies to handlers assessing their own processing activities, and serves as a reference for regulators and third-party assessors.

It is a **recommended** standard, but it is the canonical methodology behind a now-mandatory statutory duty.

## Key contents

The standard frames the assessment around two dimensions of risk — the likelihood of a security event and the severity of its impact on data subjects — and walks through the exercise step by step.

**Assessment triggers.** Guidance on the circumstances that warrant a PIA, including new collection of personal (especially sensitive) information, changes in processing purpose/scope/method, sharing/transfer/public disclosure, cross-border transfer, large-scale or high-sensitivity processing, automated decision-making, and significant changes to the processing system or environment. It distinguishes routine/periodic assessment from event-driven assessment.

**Assessment principles.** The exercise should take the personal-information subject's rights and interests as its focus, be conducted objectively, and account for the full processing context.

**Working steps.** A structured procedure: (1) preparation — assemble the team, define scope, and gather data flows; (2) data mapping — identify the personal information involved and chart its flows across the lifecycle; (3) risk identification and analysis — assess the **impact on data subjects** (the degree of harm) and the **likelihood of a security event** (in light of existing security measures); (4) risk rating — combine impact and likelihood into an overall risk level; and (5) reporting — record findings, conclusions and recommended mitigations.

**Impact and likelihood factors.** Reference factors for judging the *degree of impact* on data subjects (sensitivity and volume of the data, potential for discrimination, reputational, physical, property and other harms) and the *likelihood* of an adverse event (the threat environment and the adequacy of safeguards).

**Reporting.** A recommended assessment-report format and content outline, so that the result is documented consistently and can be retained and reviewed.

The annexes provide reference material — including assessment factors, scoring approaches and a model report template.

## How it fits the regime

GB/T 39335 is the methodology standard behind a **statutory obligation**. **PIPL Article 55** requires handlers to conduct a personal-information protection impact assessment (PIPIA) before, among other things, processing sensitive personal information, using personal information for automated decision-making, entrusting processing or providing personal information to other handlers or to the public, and transferring personal information abroad; **Article 56** specifies what the assessment must cover and requires the report and records to be retained for at least three years.

The statute states *that* an assessment must happen and *what* it must address; GB/T 39335 supplies *how* to perform it — the trigger analysis, the risk-rating method and the report template. For overseas compliance teams, it is the working manual for producing a defensible PIPIA, and it dovetails with the cross-border-transfer assessment requirements and with the sector-specific and audit standards that assume a PIA-style risk analysis has been done.
