DCC summary, not a translation. GB/T 41479-2022 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s structure, for overseas compliance teams.
Scope
GB/T 41479-2022 specifies security requirements for network data processing activities — the collection, storage, transmission, use, provision, public disclosure and deletion of data carried out through networks. It applies to network operators conducting such activities, and is a reference for regulators and assessors supervising network-data security.
It is a recommended standard that provides a baseline of good practice for the network-data-security duties imposed by the Cybersecurity Law (CSL) and the Data Security Law (DSL).
Key contents
The standard organizes its requirements around the network-data processing lifecycle, with general requirements layered on top.
General security requirements. Cross-cutting expectations — data-security management responsibilities, classification-and-grading-aware handling, security of the processing environment and systems, access control, logging and audit, and personnel and supply-chain security.
Lifecycle-stage requirements. Security requirements stage by stage:
- Collection — lawful and minimal collection, source verification, and protection of data in transit at the point of collection.
- Storage — protections appropriate to data classification, including access control, encryption where warranted, backup/recovery, and retention discipline.
- Transmission — confidentiality and integrity protection for data in transit, including encryption and integrity verification.
- Use / processing — controls over internal use, display and aggregation; protections during development, testing and analytics.
- Provision / sharing — security due diligence and controls when providing data to third parties or entrusting processing.
- Public disclosure — controls and review before any public release of data.
- Deletion / destruction — secure deletion and destruction at end of lifecycle, including handling on cessation of service.
Special-category handling. Requirements that reflect the heightened treatment of important data and personal information, cross-referencing the personal-information and classification-and-grading standards rather than restating them.
The annexes provide reference material supporting the lifecycle requirements.
How it fits the regime
GB/T 41479 is one of the baseline technical standards underpinning China’s network-data-security layer. The CSL imposes general network-operation security duties and the DSL establishes the data-security and classification-grading framework; this standard translates those duties into concrete, lifecycle-organized requirements for the network data that operators handle day to day.
It sits directly upstream of the Network Data Security Management Regulations (effective 1 January 2025), which give the network-data-security regime its binding administrative force — covering general processors, important-data processors, large platforms and cross-border transfers. Where those Regulations state obligations, GB/T 41479 (alongside the classification-grading rules and risk-assessment standards) supplies the implementation detail. For overseas compliance teams, it is a reference for designing data-security controls across the processing lifecycle in a way Chinese regulators will recognize as conformant.