DCC summary, not a translation. GB/T 45574-2025 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.
Scope
GB/T 45574-2025 specifies security requirements for processing sensitive personal information — personal information that, if leaked or unlawfully used, would readily harm a natural person’s dignity or endanger personal or property safety (PIPL Article 28). It applies to handlers that process sensitive personal information, and is a reference for regulators and assessors.
It is a recommended standard in the “Data Security Technology” (数据安全技术) series, and is the protection-requirements counterpart to the TC260 Sensitive Personal Information Identification Guide (which addresses how to recognize sensitive PI in the first place).
Key contents
At a structural level the standard is expected to cover:
- General requirements for handling sensitive personal information, applying PIPL’s specific-purpose, strict-necessity and heightened-protection principles.
- Lawful basis and consent — implementation of separate consent, and written consent where laws or regulations so require, plus guardian consent for minors under 14.
- Notice obligations — the additional matters that must be disclosed when processing sensitive PI, including necessity and the impact on the individual.
- Lifecycle security controls — enhanced safeguards for collection, storage (e.g., encryption, access control), use, provision, public disclosure and deletion of sensitive PI.
- Impact assessment — the intensified PIPIA expected before processing sensitive PI.
- Governance and accountability — organizational measures, recordkeeping and oversight specific to sensitive-PI processing.
Editor: verify specific clauses against the published standard.
How it fits the regime
GB/T 45574 operationalizes the sensitive-personal-information regime of PIPL. PIPL Article 28 defines sensitive personal information and limits its processing to specific purposes with strict necessity and protective measures; Article 29 requires separate consent (and written consent where law requires); Article 30 adds notice obligations (the necessity of processing and its impact on the individual); and Article 55 requires a PIPIA before processing sensitive PI.
This standard supplies the security and implementation detail behind those statutory duties — the “how to protect” half of the sensitive-PI picture, where the TC260 Sensitive Personal Information Identification Guide supplies the “how to identify” half. For overseas compliance teams, it is the reference for engineering and governing the handling of biometric, health, financial, whereabouts, minors’ and other sensitive data in China, and it builds on GB/T 35273, the notice-and-consent guide, and the impact-assessment standard.