Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 39335

Information Security Technology — Guide for Personal Information Security Impact Assessment (GB/T 39335-2020).

信息安全技术 个人信息安全影响评估指南 (GB/T 39335-2020)

FILED UNDER · Personal Information

DCC summary, not a translation. GB/T 39335-2020 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s method and structure, for overseas compliance teams.

Scope

GB/T 39335-2020 provides the basic principles, the implementation methodology and the working procedure for conducting a personal-information security impact assessment (个人信息安全影响评估 — the PIA, the direct forebear of PIPL’s “personal information protection impact assessment”, PIPIA). It addresses when an assessment should be triggered, how to assess the impact on personal-information subjects’ rights and interests, and how to document the result. It applies to handlers assessing their own processing activities, and serves as a reference for regulators and third-party assessors.

It is a recommended standard, but it is the canonical methodology behind a now-mandatory statutory duty.

Key contents

The standard frames the assessment around two dimensions of risk — the likelihood of a security event and the severity of its impact on data subjects — and walks through the exercise step by step.

Assessment triggers. Guidance on the circumstances that warrant a PIA, including new collection of personal (especially sensitive) information, changes in processing purpose/scope/method, sharing/transfer/public disclosure, cross-border transfer, large-scale or high-sensitivity processing, automated decision-making, and significant changes to the processing system or environment. It distinguishes routine/periodic assessment from event-driven assessment.

Assessment principles. The exercise should take the personal-information subject’s rights and interests as its focus, be conducted objectively, and account for the full processing context.

Working steps. A structured procedure: (1) preparation — assemble the team, define scope, and gather data flows; (2) data mapping — identify the personal information involved and chart its flows across the lifecycle; (3) risk identification and analysis — assess the impact on data subjects (the degree of harm) and the likelihood of a security event (in light of existing security measures); (4) risk rating — combine impact and likelihood into an overall risk level; and (5) reporting — record findings, conclusions and recommended mitigations.

Impact and likelihood factors. Reference factors for judging the degree of impact on data subjects (sensitivity and volume of the data, potential for discrimination, reputational, physical, property and other harms) and the likelihood of an adverse event (the threat environment and the adequacy of safeguards).

Reporting. A recommended assessment-report format and content outline, so that the result is documented consistently and can be retained and reviewed.

The annexes provide reference material — including assessment factors, scoring approaches and a model report template.

How it fits the regime

GB/T 39335 is the methodology standard behind a statutory obligation. PIPL Article 55 requires handlers to conduct a personal-information protection impact assessment (PIPIA) before, among other things, processing sensitive personal information, using personal information for automated decision-making, entrusting processing or providing personal information to other handlers or to the public, and transferring personal information abroad; Article 56 specifies what the assessment must cover and requires the report and records to be retained for at least three years.

The statute states that an assessment must happen and what it must address; GB/T 39335 supplies how to perform it — the trigger analysis, the risk-rating method and the report template. For overseas compliance teams, it is the working manual for producing a defensible PIPIA, and it dovetails with the cross-border-transfer assessment requirements and with the sector-specific and audit standards that assume a PIA-style risk analysis has been done.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

1 brief references this law.

  • § 01 · IMPORTANT-DATA

    Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'

    With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.

    important-data · risk-assessment · network-data
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.