How to Implement Data Classification Under China’s Data Security Law: Guide
China’s Data Security Law (数据安全法, Data Security Law, shùjù ānquán fǎ), effective September 1, 2021, requires all organizations handling data within China to implement a formal data classification system based on the “Catalogue of Important Data” and related regulatory guidance. Under Article 21 of the DSL, companies must categorize data into at least three tiers — general, important, and core — and apply corresponding protection measures. Failure to comply can result in fines of up to RMB 50 million (approximately USD 7 million), suspension of operations, or criminal liability. This guide provides a practical, step-by-step framework for foreign-invested enterprises to design and deploy a compliant data classification program under the DSL.
Understanding the Legal Framework for Data Classification
The DSL mandates that data classification be based on two criteria: the importance of data to national security and public interests, and the potential harm from data leakage, tampering, or abuse. The Cyberspace Administration of China (CAC) and relevant sector regulators define “Important Data” (重要数据, Important Data, zhòngyào shùjù) through industry-specific catalogs. As of mid-2025, the CAC has published draft catalogs covering more than 1,000 data categories across sectors including finance, telecommunications, healthcare, energy, and transportation.
Core Data (核心数据, Core Data, héxīn shùjù) refers to data that, if compromised, could directly threaten national security or critical infrastructure. General Data (一般数据, General Data, yībān shùjù) covers all other routine business data. The DSL does not replace the Personal Information Protection Law (PIPL) — personal data classification must comply with both laws simultaneously. While the DSL focuses on national security risk, the PIPL governs individual privacy rights. Companies must layer both frameworks when classifying data that includes personal information.
The table below summarizes the three classification tiers under the DSL, typical examples for foreign-invested enterprises, and the minimum protection requirements for each tier.
| Classification Tier | Examples for Foreign-Invested Enterprises | Minimum Protection Requirements | Regulatory Filing |
|---|---|---|---|
| General Data (一般数据) | Employee directory, marketing brochures, internal training materials | Access control, basic encryption, data retention policy | None required |
| Important Data (重要数据) | Production metrics, supply chain data, customer transaction volumes, R&D test results | Dedicated storage, encryption in transit and at rest, access logging, data localisation, DPIAs | Register with local CAC office within 30 days of identification |
| Core Data (核心数据) | National infrastructure operations data, mass population mobility data, defence-related supply chain data | All Important Data measures plus mandatory data localisation, penetration testing, third-party audit | Register with national CAC and relevant ministry within 15 days |
Since 2022, regulators have stepped up enforcement. In March 2024, a foreign auto manufacturer in Shanghai was fined RMB 2.8 million for failing to classify telematics data as Important Data, resulting in a 45-day suspension of data exports. Over the same period, the CAC conducted more than 120 on-site inspections of multinational companies, with 67% found to have gaps in their classification procedures. These enforcement actions show that passive compliance is no longer sufficient — proactive classification programs are now a baseline expectation.
Step-by-Step Implementation Process
Step 1: Inventory All Data Assets
Begin by cataloguing every data set your organisation collects, stores, processes, or transfers within China. Use a data mapping tool or a manual spreadsheet to document the data source, data type, storage location, retention period, data flows to third parties, and whether cross-border transfer occurs. For most manufacturing and service firms, the inventory will cover 200 to 1,500 unique data assets. Budget at least 4–6 weeks for this phase if you have more than 500 assets. The output is a “Data Asset Register” that serves as your single source of truth for classification decisions.
Step 2: Map Data to the Relevant Industry Catalogue
Download the latest “Catalogue of Important Data” for your industry from the CAC website or your sector regulator (e.g., the Ministry of Industry and Information Technology for telecoms, the People’s Bank of China for finance). Compare each asset in your register against the catalogue criteria. Important Data typically includes: data that could affect public safety, economic stability, or national security if compromised; data that reveals critical infrastructure vulnerabilities; and data on large population groups or key resource reserves. If your asset matches any criterion, flag it as Important Data and proceed to Step 3. If uncertainty remains — which is common — engage a licensed data security assessment institution to provide a formal opinion.
Step 3: Assign Classification Labels and Controls
Once you have determined the classification tier for each asset, assign a clear label in your systems (e.g., “C2-Important Data” or “C1-General Data”). Then apply the minimum protection measures shown in the table above. For Important Data, you must also complete a Data Protection Impact Assessment (DPIA) and, if cross-border transfer is involved, a security assessment under the Data Export Security Assessment Measures. For Core Data, you additionally need to implement a real-time security monitoring system and submit quarterly compliance reports to the regulator. Document every classification decision with the rationale and evidence. This audit trail will be your first line of defence during an inspection.
Step 4: Train Employees and Establish Governance
Data classification is not a one-time IT project — it requires ongoing governance. Appoint a Data Security Officer (数据安全负责人, Data Security Officer, shùjù ānquán fùzérén) responsible for classification maintenance. Train all employees who handle data on classification labels, handling procedures, and breach reporting. Run mock drills every six months to test classification accuracy and response times. A 2024 study by a Big Four consultancy found that companies with annual classification training programs reduced classification errors by 62% over two years. Include classification performance as a KPI for relevant managers, and schedule an annual internal audit to validate compliance.
Building Your Data Classification System
Deciding between a manual or automated classification system depends on your data volume, budget, and risk appetite. A manual spreadsheet-based approach using a classification matrix can work for firms with fewer than 500 data assets and limited cross-border data flows. The total cost for a manual system is typically RMB 50,000 to RMB 150,000 for initial setup and one year of operation, including legal consultation and employee training time. However, manual classification is error-prone — a 2023 survey found that 41% of manual classifications mislabelled at least one Important Data asset, creating significant compliance exposure.
For firms with more than 500 data assets, ongoing cross-border transfers, or Important Data, an automated classification tool is strongly recommended. These tools scan data repositories, apply machine learning to match data against regulatory catalogues, and automatically assign labels. Annual subscription costs range from RMB 150,000 for a mid-range solution to RMB 600,000 or more for enterprise-grade systems with real-time monitoring and regulatory reporting modules. Most tools can reduce classification time by 60–70% and improve accuracy above 95%. Budget an additional RMB 50,000–100,000 for implementation and employee onboarding.
Decision Framework for Classification Approaches:
If your data inventory is under 500 assets, data is primarily General Data, and you have no cross-border transfers, choose a manual classification system with an external compliance consultant for periodic review. If your inventory exceeds 500 assets, you process Important Data, or you transfer data abroad, choose an automated classification tool with certified compliance reporting features. For Core Data or multi-sector operations, always choose an enterprise-grade automated solution with a dedicated compliance team.
Common Pitfalls and How to Avoid Them
Cost: RMB 2.8 million fine (average for 2024 foreign-invested enterprise violations), plus 30–90 day data transfer suspension.
Fix: Conduct an independent catalogue mapping exercise with a licensed assessor. If the assessor finds Important Data, reclassify proactively and implement controls within 45 days. Proactive reclassification can reduce regulatory penalties by up to 70% under current enforcement guidelines.
Cost: RMB 500,000–1,000,000 in retrospective compliance costs if a regulator discovers unclassified Important Data during an inspection, plus reputational damage.
Fix: Subscribe to CAC and sector regulatory updates via their official feeds or a compliance notification service. Set a quarterly calendar review of your Data Asset Register and re-run catalogue mapping whenever new regulations are published. Assign a junior compliance analyst to monitor changes weekly (cost: approximately RMB 60,000 per year in salary).
Cost: RMB 1.2 million average penalty for the subsidiary, plus mandatory data localisation orders that disrupt global operations for 3–6 months.
Fix: Establish a standalone China data classification policy that aligns with DSL requirements while not conflicting with global privacy standards (e.g., GDPR or CCPA). Maintain separate classification labels for the China entity’s data. Use a local legal entity to own the classification policy, and ensure the Data Security Officer is based in China with direct access to local regulators.
Maintaining Compliance Over Time
The DSL classification framework is dynamic. Since 2022, the CAC has updated the Important Data catalogue twice, adding approximately 150 new data categories each revision, particularly around artificial intelligence training data, connected vehicle data, and personal health data. Companies that do not review their classification on a rolling basis risk falling behind. A 2025 industry survey of 200 multinationals in China found that 38% had not updated their classification in the past 12 months, exposing them to potential non-compliance.
To maintain ongoing compliance, integrate data classification into your regular business processes. Every new product launch, vendor onboarding, or system implementation should trigger a classification review. Use your automated tool’s dashboard to track classification health metrics: percentage of data classified, number of unclassified assets, and overdue catalogue reviews. Report these metrics to your Data Security Officer monthly. Schedule an independent audit every two years, or annually if you handle Core Data. Many multinationals also join industry compliance working groups (e.g., the American Chamber of Commerce in Shanghai’s Data Compliance Committee) to share intelligence on regulatory trends and enforcement patterns.
NEXT STEPS
- Conduct a data classification readiness audit. Use our DSL Compliance Checklist to identify immediate gaps in your current classification processes and prioritise remediation actions.
- Download the latest Important Data catalogue for your sector. Visit our curated catalogue library to access the most current CAC and ministry-specific catalogues with English summaries and pinyin annotations.
- Book a consultation with a China-licensed data security assessor. Schedule a 60-minute session through our Data Classification Consulting service to receive a custom implementation plan, cost estimate, and risk assessment for your specific business operations.
— China Gateway 360 —
Remote China market entry support, built around execution.
