---
title: "Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'"
author: "DCC Editorial"
published: 2026-06-25T03:00:00.000Z
url: https://datacompliancechina.com/posts/important-data-handler-self-identification-annual-assessment/
description: "With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now."
tags: ["important-data", "risk-assessment", "network-data", "data-security", "data-classification", "critical-information-infrastructure", "pipl", "compliance"]
laws_cited: ["network-data-security-risk-assessment-measures", "network-data-security-regulations", "dsl", "pipl", "csl", "data-classification-grading-rules", "gbt-45577-data-security-risk-assessment", "gbt-39335-pi-impact-assessment-guide"]
domains: ["data-security", "personal-information", "critical-information-infrastructure"]
account: "sansuo-data-security"
original_title: "《网络数据安全风险评估办法》新规下，是否每年必须要做数据安全风险评估？—请查收这份重要数据处理者自我识别指南"
original_author: "吕铭轩 (Lü Mingxuan), Data Security Technology R&D Center, The Third Research Institute of the Ministry of Public Security (公安部第三研究所 / TRIMPS)"
original_publication: "三所数据安全 (TRIMPS Data Security) WeChat Official Account"
original_url: "https://mp.weixin.qq.com/s/bvkwBv0MipBmBqZCmE_pGg"
source_language: "zh"
---

> **Source: Data Compliance China** — https://datacompliancechina.com/posts/important-data-handler-self-identification-annual-assessment/ · China data law, translated and annotated for overseas counsel. Cite as: Data Compliance China, "Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'", https://datacompliancechina.com/posts/important-data-handler-self-identification-annual-assessment/
> *Editor's Note — DCC.*
>
> This is DCC's summary of a practitioner self-identification guide,
> **"Under the new Network Data Security Risk Assessment Measures, must you
> run a data-security risk assessment every year? — a self-identification
> guide for important-data handlers"**, by **Lü Mingxuan (吕铭轩)** of the
> **Data Security Technology R&D Center** at the **Third Research Institute
> of the Ministry of Public Security (公安部第三研究所 / TRIMPS)**, published
> on the institute's **三所数据安全** account on **25 June 2026**. The source
> matters: TRIMPS is not a commentary shop but one of the bodies that drafts
> the technical standards and runs the infrastructure behind China's
> data-security regime, so its read on *who is caught* is an early signal of
> where the compliance bar is being set. DCC treats this as a one-off
> summary, not a translation, and the framing for overseas counsel is ours.
>
> Read it as the **operational companion** to DCC's structural brief on the
> Measures themselves —
> [From Principle to Running System](/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/) —
> which flagged that "classification is the gate." This guide *is* the gate
> test. It pulls together threads DCC has covered separately: how to tell a
> [CII operator from an important-data handler](/posts/assessing-cii-operator-important-data-handler-status/),
> [how to identify "important data"](/posts/qinglan-how-to-identify-important-data/),
> and why ["important data" is a category, not a tier](/posts/important-data-category-not-tier/).

## The argument in one line

From **20 August 2026**, the
[Network Data Security Risk Assessment Measures](/laws/network-data-security-risk-assessment-measures/)
(Order No. 24) turn "important-data handlers run an annual risk assessment"
from a statutory principle into a **hard, datable obligation** — but the
whole weight of the rule rests on a prior classification question that many
processors have never actually answered: **am I an "important-data handler"
(重要数据处理者) at all?** Lü Mingxuan's guide is the threshold test, and its
sharpest practical point is that you can be swept in **without holding a
single byte of "important data."**

## Why this is suddenly urgent

The annual-assessment duty existed in principle under the
[Data Security Law](/laws/dsl/) and the
[Network Data Security Management Regulation](/laws/network-data-security-regulations/),
but it was open-ended. The Measures (effective **August 20, 2026**) make it
**executable and verifiable**: a fixed annual cadence, a report retained for
three years, submission within 20 working days, and an escalation switch
when something is found. All of that **keys entirely off one status.** If you
are an important-data handler, the calendar starts; if you are not, you are
merely *encouraged* to assess once every three years. So the binary
self-identification is now the difference between a mandatory annual program
and almost nothing.

## The three gates — any one puts you in

The status is not a single static label. It is a **composite** built up
across the Cybersecurity Law, the Data Security Law, the Personal
Information Protection Law, and the Network Data Security Management
Regulation. Lü Mingxuan reduces it to **three independent tests — satisfy
any one and you are an important-data handler.**

| # | Gate | Source | Trigger |
|---|---|---|---|
| 1 | **You process "important data"** | Network Data Regulation, Art. 62 | The data you handle meets the "important data" definition |
| 2 | **The 10-million-PI deeming rule** | Network Data Regulation, Art. 28 | You process the PI of **more than 10 million people** |
| 3 | **You are on a catalogue** | [DSL](/laws/dsl/), Art. 21 | Your data is listed in a regional / departmental / sectoral **important-data catalogue** |

**Gate 1 — the "important data" definition.** Under Article 62 of the
[Network Data Regulation](/laws/network-data-security-regulations/), important
data is data in a specific field, group, region, or of a certain precision
and scale that, if tampered with, destroyed, leaked, or unlawfully obtained
or used, **may directly endanger national security, economic operation,
social stability, or public health and safety.** If your data meets it, you
are in. (How to actually run that test is the subject of Part 3 below.)

**Gate 2 — the deeming rule, and the trap.** This is the one overseas
counsel most often miss. Article 28 of the Regulation provides that a network
data handler processing the PI of **more than 10 million people** must comply
with the Articles 30 and 32 obligations imposed on important-data handlers.
In other words, **cross a 10-million-person headcount and you are *treated
as* an important-data handler — even if you hold no "important data" at
all.** A consumer app, platform, or service with a large Chinese user base is
in scope **purely on PI volume.**

**Gate 3 — the catalogues.** Under DSL Article 21, the national data-security
coordination mechanism organises the **important-data catalogues**, and each
region and department fixes the specific catalogue for its own area and
sector. If your data is **listed**, you are an important-data handler by
that fact.

> **Plus a fourth path in — entrustment.** Where important-data processing is
> entrusted, and the **entrusting party is an important-data handler**, the
> **entrusted processor carries the corresponding security obligations** and
> is supervised as an important-data handler too. A vendor or processor that
> holds no important data of its own can inherit the duty from its client.

## CIIO ≠ important-data handler — intersecting, not containing

A common shortcut is to assume that a critical information infrastructure
operator (关基单位 / CIIO) is automatically an important-data handler. Lü
Mingxuan is explicit that the two statuses **intersect but do not contain
one another** — there is no rule that "a CIIO is necessarily an important-data
handler." The test is the same "**data attribute → processing activity →
scale threshold**" trinity applied to the facts.

- **A CIIO usually *is* one** because the core business data it collects and
  generates is, as a rule, managed as important or core data and clears the
  threshold — and the CIIO autonomously decides the purpose and means of
  processing, meeting the subject test.
- **But a CIIO may *not* be one** where it only handles non-important data
  below the 10-million-PI line; or provides **pure network-infrastructure
  service** without autonomously deciding processing purpose and means; or
  acts only as an **entrusted processor** under another party's instructions.

DCC has covered this status question in its own right — see
[Are You a CII Operator or an Important-Data Handler?](/posts/assessing-cii-operator-important-data-handler-status/) —
and the takeaway is the same: **run both tests separately; neither implies
the other.**

## Part 3 — actually identifying "important data" (the hard gate)

Gates 2 and 3 are relatively self-evident — count your PI, check the
catalogue. Gate 1 is the hard one, because the statutory definition is
abstract. The guide's method: identify important data with **harm
consequence as the core**, combined with **precision, scale, and domain**
factors, **against the national / sectoral / local catalogues and the
national standard** [GB/T 43697-2024 *Data Classification and Grading
Rules*](/laws/data-classification-grading-rules/).

That standard's definition tracks the Regulation, and its **Appendix G sets
out 18 identification factors** spanning the four dimensions — national
security, economic operation, social stability, public health and safety.
**Data exhibiting any one of the 18 factors can be identified as important
data.** This is the working tool for Gate 1, and DCC's earlier plain-language
treatment of the same problem —
[How to Identify "Important Data"](/posts/qinglan-how-to-identify-important-data/) —
is a useful companion to it.

> **Classification is not set-and-forget.** The guide stresses that both the
> important-data determination *and* the important-data-handler determination
> must be **periodically reviewed** and updated as the business and the
> technology change. A "no" today is not a "no" forever.

A note on Gate 2's denominator: the 10-million count is of **personal
information**, and the [PIPL](/laws/pipl/) definition **excludes anonymized
information** — so genuine anonymization removes data from the headcount
(the guide points to GB/T 35273-2020's PI examples and the two classic
identification paths, *identify* (info → person) and *associate*
(person → info)). Anonymization architecture therefore has real leverage on
whether you cross the Gate 2 line.

## Once you are in: what the Measures require

If any gate catches you, the Measures' operating requirements attach:

**Frequency.**
- **Annual mandatory full assessment** for important-data handlers (general
  handlers are merely *encouraged* to assess at least once every three
  years).
- **Trigger-based instant assessment**, on top of the annual one, when:
  - before **providing, entrusting, or jointly processing** important data
    (statutory-duty cases excepted);
  - a **material change** in the security status of important data (a surge
    in scale, a change of purpose, a system-architecture adjustment);
  - **before a cross-border transfer** (which also requires a separate
    outbound security assessment); or
  - after a **major data-security incident**, or on discovering a major
    defect or vulnerability.

**Stacked PIPIA.** An important-data handler that **also** processes the PI of
more than 10 million people must run a **personal-information protection
impact assessment** in parallel (the
[GB/T 39335](/laws/gbt-39335-pi-impact-assessment-guide/) methodology) — the
two assessments stack.

**Report, retention, submission.**
- Prepare the report per the **competent authority's** rules; where there are
  none, reference the national standard
  [GB/T 45577-2025 *Data Security Risk Assessment Method*](/laws/gbt-45577-data-security-risk-assessment/).
- **Retain the report at least three years.**
- **Submit within 20 working days** of completing the annual assessment to
  the competent authority; where the competent authority is unclear, submit
  to the **provincial or national cyberspace administration**. The authority
  relays the report to the same-level cyberspace administration within 10
  working days.

## Why this matters for overseas counsel

- **Classification is the gate — and now it has a deadline.** DCC's
  structural brief said every hard obligation in the Measures keys off
  important-data-handler status; this guide is the test, from the institution
  that helps write the standard. With **under two months** to August 20, the
  self-identification is the work to do *now*, not after a regulator raises
  it.
- **The 10-million-PI deeming rule is the real trap.** A foreign-invested
  consumer business can become an "important-data handler" — and inherit the
  annual-assessment program, the PIPIA stack, and the cross-border triggers —
  **without holding any "important data" at all**, purely on Chinese-user
  headcount. If your China app or platform is anywhere near 10 million users,
  assume Gate 2 and plan the program.
- **Your China vendor may be in scope through you.** The entrustment path
  pulls an entrusted processor into important-data-handler supervision when
  its client is one. Allocate the assessment, retention, and submission
  duties explicitly in processing contracts — do not assume the duty sits
  only with the data "owner."
- **Run the CIIO and important-data tests separately.** Being (or not being)
  a CIIO tells you little about important-data-handler status, and vice
  versa. Map both.
- **Anonymization has compliance leverage on Gate 2.** Because anonymized
  information is outside the PIPL definition, anonymization genuinely reduces
  the 10-million denominator — one of the few architectural moves that can
  keep a high-volume consumer service below the deeming line.

The Measures do not change *what* data security requires. What this guide
makes concrete is *who* has to run the now-mandatory annual program — and the
answer reaches further than "companies that hold sensitive datasets." If you
process Chinese personal information at scale, the threshold question is no
longer academic.

---

*Source: 吕铭轩, "《网络数据安全风险评估办法》新规下，是否每年必须要做数据安全风险评估？—请查收这份重要数据处理者自我识别指南", 三所数据安全 (TRIMPS Data Security) WeChat Official Account, 25 June 2026 — [original](https://mp.weixin.qq.com/s/bvkwBv0MipBmBqZCmE_pGg). DCC's summary and analysis of the author's practitioner guide; not a verbatim translation, and not legal advice. Article numbers refer to the Network Data Security Management Regulation, the Data Security Law, and the Network Data Security Risk Assessment Measures (Order No. 24) as cited in the source.*
