How should life sciences companies implement China’s PIPL regulations?

Collecting private individuals’ health data is an important mechanism for the pharmaceutical industry. However, the emergence of data privacy laws around the world has made it necessary for pharmaceutical companies to pay more attention to how this data is handled to avoid the compliance, penalty, and remediation costs that come with falling out of line with a data protection law.

In November 2021, the Chinese government implemented the Personal Information Protection Law (PIPL) that set new regulations for collecting, processing, storing, and transferring private individuals’ data. This policy applies to all individuals, organizations, and businesses that process the personal data of Chinese citizens. As expected, the policy includes severe punishments for defaulting individuals or organizations.

PIPL, in conjunction with the Cyberspace Administration of China (CAC), has made it increasingly difficult to export health data out of China and is driving data residency implementations.

This article explains how pharma companies can manage China’s PIPL and how InCountry can help your pharmaceutical business stay compliant with China’s data residency requirements.

Who should be aware of pharma data regulations in China?

Anyone involved in collecting, processing, storing, and transferring personal data in China must be familiar with these regulations. They are as follows:

These organizations research, develop, and produce drugs or medications for medical conditions. Every such organization with operations in China must be aware of the pharma regulations in China and comply to avoid the penalties that are sure to follow.

This type of company provides a range of services to organizations in the biotechnology, pharmaceutical, and related industries. They support the planning, execution, and management of clinical trials and other research studies. As expected, they are among the companies that must be aware of and compliant with China’s data localization regulations for pharma.

As the name suggests, they are companies that provide manufacturing or production services to companies in the pharmaceutical industry and other relevant industries. Because they collaborate with pharma companies, they are also expected to comply with the pharma data protection regulations in China.

Data analytics companies play a crucial role in helping pharma companies make informed decisions about drug production and marketing. By processing and interpreting data collected by these companies, they can provide valuable insights that aid in decision-making. However, it’s important for these companies to be aware of data regulations and remain compliant, given the large amounts of data they handle.

This pertains to any entity that engages in the collection, processing, storage, or transfer of personal information belonging to patients in China. This encompasses top-level personnel such as Chief Executive Officers, Chief Information Officers, and data protection officers.

Key Chinese data protection laws for the pharmaceutical industry

Here are some healthcare data protection laws in China that apply in the pharmaceutical industry as well:

The PIPL is a Chinese law dedicated to safeguarding the personal information of residents of China. Its primary objective is to regulate the handling of personal information by both organizations and individuals involved in the processing of personal data. The scope of the PIPL extends from the collection of personal data to its processing within China’s borders, including the international transfer of Chinese citizens’ personal data. Below are the requirements the PIPL places on organizations processing personal data:

Finally, it applies penalties of as much as $7.7 million or 5% of annual revenue (whichever is greater) on defaulting companies.

China’s Data Security Law (DSL) is a comprehensive law that was passed on June 10, 2021, and officially came into effect on September 1, 2021. It is specifically designed to address data security within China. The fundamental goal of the DSL is to safeguard the nation’s sovereignty, security, and developmental interests by overseeing the entire spectrum of data-related activities conducted within China’s borders, including collection, storage, processing, utilization, transmission, and disclosure. The DSL sets several requirements for organizations and individuals that handle data. These requirements include:

Failing to follow this law could attract a penalty as high as $1 million, or 1% of the company’s annual revenue (whichever is greater).

China’s Regulations on Human Genetic Resources (HGR) Protection, effective from July 1, 2021, were established on January 10, 2021. These regulations are China’s initial national legislation dedicated to overseeing the proper collection, storage, utilization, and export of human genetic resources (HGR).

The HGR Regulations are designed to safeguard the well-being and rights of Chinese citizens, ensuring ethical and accountable practices in the handling of HGR. They also foster advancements in human genetics research and innovation. This is a major Chinese data protection law that every pharmaceutical company needs to be aware of.

These rules extend to all entities and individuals engaged in the collection, storage, use, or export of HGR within China’s borders. The HGR Regulations define HGR as any biological materials that contain human genes, including blood, tissue, cells, and DNA. Below are some requirements for organizations and individuals that handle HGR:

Flouting this law could attract a penalty as high as $1 million, or 1% of the company’s annual revenue (whichever is greater).

Chinese data cross-border rules

China’s data residency laws provide guidelines for the transfer of data outside the country. Some of these rules were provided by the Cyberspace Administration of China (CAC) to ensure adequate security for data that is transferred out of China. Below are some of the rules:

How InCountry can help pharma companies to stay compliant with Chinese laws

Managing a pharma company is demanding enough without the distraction of worrying about staying compliant and not breaching any data regulations. With InCountry’s Data Residency-as-a-Service, you would never need to worry about compliance again.

Our Data Residency-as-a-Service platform helps organizations store, process, and share regulated data internationally while complying with local data residency laws. This managed platform integrates with your organization’s existing systems, sparing you the need to create and oversee your own infrastructure. A few of the benefits you enjoy by using our platform include:

Get in touch to discuss your needs and find out how much value we can contribute to your pharmaceutical organization.