DCC summary, not a translation. GB/T 39335-2020 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s method and structure, for overseas compliance teams.
Scope
GB/T 39335-2020 provides the basic principles, the implementation methodology and the working procedure for conducting a personal-information security impact assessment (个人信息安全影响评估 — the PIA, the direct forebear of PIPL’s “personal information protection impact assessment”, PIPIA). It addresses when an assessment should be triggered, how to assess the impact on personal-information subjects’ rights and interests, and how to document the result. It applies to handlers assessing their own processing activities, and serves as a reference for regulators and third-party assessors.
It is a recommended standard, but it is the canonical methodology behind a now-mandatory statutory duty.
Key contents
The standard frames the assessment around two dimensions of risk — the likelihood of a security event and the severity of its impact on data subjects — and walks through the exercise step by step.
Assessment triggers. Guidance on the circumstances that warrant a PIA, including new collection of personal (especially sensitive) information, changes in processing purpose/scope/method, sharing/transfer/public disclosure, cross-border transfer, large-scale or high-sensitivity processing, automated decision-making, and significant changes to the processing system or environment. It distinguishes routine/periodic assessment from event-driven assessment.
Assessment principles. The exercise should take the personal-information subject’s rights and interests as its focus, be conducted objectively, and account for the full processing context.
Working steps. A structured procedure: (1) preparation — assemble the team, define scope, and gather data flows; (2) data mapping — identify the personal information involved and chart its flows across the lifecycle; (3) risk identification and analysis — assess the impact on data subjects (the degree of harm) and the likelihood of a security event (in light of existing security measures); (4) risk rating — combine impact and likelihood into an overall risk level; and (5) reporting — record findings, conclusions and recommended mitigations.
Impact and likelihood factors. Reference factors for judging the degree of impact on data subjects (sensitivity and volume of the data, potential for discrimination, reputational, physical, property and other harms) and the likelihood of an adverse event (the threat environment and the adequacy of safeguards).
Reporting. A recommended assessment-report format and content outline, so that the result is documented consistently and can be retained and reviewed.
The annexes provide reference material — including assessment factors, scoring approaches and a model report template.
How it fits the regime
GB/T 39335 is the methodology standard behind a statutory obligation. PIPL Article 55 requires handlers to conduct a personal-information protection impact assessment (PIPIA) before, among other things, processing sensitive personal information, using personal information for automated decision-making, entrusting processing or providing personal information to other handlers or to the public, and transferring personal information abroad; Article 56 specifies what the assessment must cover and requires the report and records to be retained for at least three years.
The statute states that an assessment must happen and what it must address; GB/T 39335 supplies how to perform it — the trigger analysis, the risk-rating method and the report template. For overseas compliance teams, it is the working manual for producing a defensible PIPIA, and it dovetails with the cross-border-transfer assessment requirements and with the sector-specific and audit standards that assume a PIA-style risk analysis has been done.