Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 070 · IMPORTANT-DATA

Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'

With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.

Editor’s Note — DCC.

This is DCC’s summary of a practitioner self-identification guide, “Under the new Network Data Security Risk Assessment Measures, must you run a data-security risk assessment every year? — a self-identification guide for important-data handlers”, by Lü Mingxuan (吕铭轩) of the Data Security Technology R&D Center at the Third Research Institute of the Ministry of Public Security (公安部第三研究所 / TRIMPS), published on the institute’s 三所数据安全 account on 25 June 2026. The source matters: TRIMPS is not a commentary shop but one of the bodies that drafts the technical standards and runs the infrastructure behind China’s data-security regime, so its read on who is caught is an early signal of where the compliance bar is being set. DCC treats this as a one-off summary, not a translation, and the framing for overseas counsel is ours.

Read it as the operational companion to DCC’s structural brief on the Measures themselves — From Principle to Running System — which flagged that “classification is the gate.” This guide is the gate test. It pulls together threads DCC has covered separately: how to tell a CII operator from an important-data handler, how to identify “important data”, and why “important data” is a category, not a tier.

The argument in one line

From 20 August 2026, the Network Data Security Risk Assessment Measures (Order No. 24) turn “important-data handlers run an annual risk assessment” from a statutory principle into a hard, datable obligation — but the whole weight of the rule rests on a prior classification question that many processors have never actually answered: am I an “important-data handler” (重要数据处理者) at all? Lü Mingxuan’s guide is the threshold test, and its sharpest practical point is that you can be swept in without holding a single byte of “important data.”

Why this is suddenly urgent

The annual-assessment duty existed in principle under the Data Security Law and the Network Data Security Management Regulation, but it was open-ended. The Measures (effective August 20, 2026) make it executable and verifiable: a fixed annual cadence, a report retained for three years, submission within 20 working days, and an escalation switch when something is found. All of that keys entirely off one status. If you are an important-data handler, the calendar starts; if you are not, you are merely encouraged to assess once every three years. So the binary self-identification is now the difference between a mandatory annual program and almost nothing.

The three gates — any one puts you in

The status is not a single static label. It is a composite built up across the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and the Network Data Security Management Regulation. Lü Mingxuan reduces it to three independent tests — satisfy any one and you are an important-data handler.

#GateSourceTrigger
1You process “important data”Network Data Regulation, Art. 62The data you handle meets the “important data” definition
2The 10-million-PI deeming ruleNetwork Data Regulation, Art. 28You process the PI of more than 10 million people
3You are on a catalogueDSL, Art. 21Your data is listed in a regional / departmental / sectoral important-data catalogue

Gate 1 — the “important data” definition. Under Article 62 of the Network Data Regulation, important data is data in a specific field, group, region, or of a certain precision and scale that, if tampered with, destroyed, leaked, or unlawfully obtained or used, may directly endanger national security, economic operation, social stability, or public health and safety. If your data meets it, you are in. (How to actually run that test is the subject of Part 3 below.)

Gate 2 — the deeming rule, and the trap. This is the one overseas counsel most often miss. Article 28 of the Regulation provides that a network data handler processing the PI of more than 10 million people must comply with the Articles 30 and 32 obligations imposed on important-data handlers. In other words, cross a 10-million-person headcount and you are treated as an important-data handler — even if you hold no “important data” at all. A consumer app, platform, or service with a large Chinese user base is in scope purely on PI volume.

Gate 3 — the catalogues. Under DSL Article 21, the national data-security coordination mechanism organises the important-data catalogues, and each region and department fixes the specific catalogue for its own area and sector. If your data is listed, you are an important-data handler by that fact.

Plus a fourth path in — entrustment. Where important-data processing is entrusted, and the entrusting party is an important-data handler, the entrusted processor carries the corresponding security obligations and is supervised as an important-data handler too. A vendor or processor that holds no important data of its own can inherit the duty from its client.

CIIO ≠ important-data handler — intersecting, not containing

A common shortcut is to assume that a critical information infrastructure operator (关基单位 / CIIO) is automatically an important-data handler. Lü Mingxuan is explicit that the two statuses intersect but do not contain one another — there is no rule that “a CIIO is necessarily an important-data handler.” The test is the same “data attribute → processing activity → scale threshold” trinity applied to the facts.

  • A CIIO usually is one because the core business data it collects and generates is, as a rule, managed as important or core data and clears the threshold — and the CIIO autonomously decides the purpose and means of processing, meeting the subject test.
  • But a CIIO may not be one where it only handles non-important data below the 10-million-PI line; or provides pure network-infrastructure service without autonomously deciding processing purpose and means; or acts only as an entrusted processor under another party’s instructions.

DCC has covered this status question in its own right — see Are You a CII Operator or an Important-Data Handler? — and the takeaway is the same: run both tests separately; neither implies the other.

Part 3 — actually identifying “important data” (the hard gate)

Gates 2 and 3 are relatively self-evident — count your PI, check the catalogue. Gate 1 is the hard one, because the statutory definition is abstract. The guide’s method: identify important data with harm consequence as the core, combined with precision, scale, and domain factors, against the national / sectoral / local catalogues and the national standard GB/T 43697-2024 Data Classification and Grading Rules.

That standard’s definition tracks the Regulation, and its Appendix G sets out 18 identification factors spanning the four dimensions — national security, economic operation, social stability, public health and safety. Data exhibiting any one of the 18 factors can be identified as important data. This is the working tool for Gate 1, and DCC’s earlier plain-language treatment of the same problem — How to Identify “Important Data” — is a useful companion to it.

Classification is not set-and-forget. The guide stresses that both the important-data determination and the important-data-handler determination must be periodically reviewed and updated as the business and the technology change. A “no” today is not a “no” forever.

A note on Gate 2’s denominator: the 10-million count is of personal information, and the PIPL definition excludes anonymized information — so genuine anonymization removes data from the headcount (the guide points to GB/T 35273-2020’s PI examples and the two classic identification paths, identify (info → person) and associate (person → info)). Anonymization architecture therefore has real leverage on whether you cross the Gate 2 line.

Once you are in: what the Measures require

If any gate catches you, the Measures’ operating requirements attach:

Frequency.

  • Annual mandatory full assessment for important-data handlers (general handlers are merely encouraged to assess at least once every three years).
  • Trigger-based instant assessment, on top of the annual one, when:
    • before providing, entrusting, or jointly processing important data (statutory-duty cases excepted);
    • a material change in the security status of important data (a surge in scale, a change of purpose, a system-architecture adjustment);
    • before a cross-border transfer (which also requires a separate outbound security assessment); or
    • after a major data-security incident, or on discovering a major defect or vulnerability.

Stacked PIPIA. An important-data handler that also processes the PI of more than 10 million people must run a personal-information protection impact assessment in parallel (the GB/T 39335 methodology) — the two assessments stack.

Report, retention, submission.

  • Prepare the report per the competent authority’s rules; where there are none, reference the national standard GB/T 45577-2025 Data Security Risk Assessment Method.
  • Retain the report at least three years.
  • Submit within 20 working days of completing the annual assessment to the competent authority; where the competent authority is unclear, submit to the provincial or national cyberspace administration. The authority relays the report to the same-level cyberspace administration within 10 working days.

Why this matters for overseas counsel

  • Classification is the gate — and now it has a deadline. DCC’s structural brief said every hard obligation in the Measures keys off important-data-handler status; this guide is the test, from the institution that helps write the standard. With under two months to August 20, the self-identification is the work to do now, not after a regulator raises it.
  • The 10-million-PI deeming rule is the real trap. A foreign-invested consumer business can become an “important-data handler” — and inherit the annual-assessment program, the PIPIA stack, and the cross-border triggers — without holding any “important data” at all, purely on Chinese-user headcount. If your China app or platform is anywhere near 10 million users, assume Gate 2 and plan the program.
  • Your China vendor may be in scope through you. The entrustment path pulls an entrusted processor into important-data-handler supervision when its client is one. Allocate the assessment, retention, and submission duties explicitly in processing contracts — do not assume the duty sits only with the data “owner.”
  • Run the CIIO and important-data tests separately. Being (or not being) a CIIO tells you little about important-data-handler status, and vice versa. Map both.
  • Anonymization has compliance leverage on Gate 2. Because anonymized information is outside the PIPL definition, anonymization genuinely reduces the 10-million denominator — one of the few architectural moves that can keep a high-volume consumer service below the deeming line.

The Measures do not change what data security requires. What this guide makes concrete is who has to run the now-mandatory annual program — and the answer reaches further than “companies that hold sensitive datasets.” If you process Chinese personal information at scale, the threshold question is no longer academic.


Source: 吕铭轩, “《网络数据安全风险评估办法》新规下,是否每年必须要做数据安全风险评估?—请查收这份重要数据处理者自我识别指南”, 三所数据安全 (TRIMPS Data Security) WeChat Official Account, 25 June 2026 — original. DCC’s summary and analysis of the author’s practitioner guide; not a verbatim translation, and not legal advice. Article numbers refer to the Network Data Security Management Regulation, the Data Security Law, and the Network Data Security Risk Assessment Measures (Order No. 24) as cited in the source.

— Not legal advice.


§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.