As Wired reports reports, the Personal Information Protection Law tightens rules on how companies use customers’ data and is joined at the hip with national security policy in Beijing. Multinational corporations that run afoul of PIPL could be effectively banned from handling Chinese personal information.

Yahoo shuttered its remaining Chinese operations when PIPL took effect on November 1. The tech company pointed to an “increasingly challenging business and legal environment.” LinkedIn left in October citing similar worries.

Like Europe’s General Data Protection Regulation, PIPL allows people to see their data, ask for corrections or deletions and withdraw their consent for a company to process their data. Yet while the GDPR sets up independent data regulators in each of the European Union’s countries, PIPL is overseen by China’s state-backed internet regulator. According to Wired, under PIPL, “any reasonable-sized company operating in and out of China could be swept up in [a national-security] review process."

No organization looking to do business can afford to ignore PIPL, cautions Isabelle Hajjar, cybersecurity and privacy head of compliance for digital risks and security firm TekID, and Mathieu Gorge, founder of cybersecurity company VigiTrust. Writing in VentureBeat, they advise running a compliance self-evaluation, knowing the PIPL risks of every decision and continuing to audit compliance regularly.

As cybersecurity risk-assessment firm ACA Aponix notes in a report on PIPL, similar to GDPR, the law applies to companies without a physical presence in China, if the companies are targeting people within China or monitoring their data.

According to ACA Aponix, organizations should take inventory of their personal data assets, including specifics about sensitive personal data elements, cross-border transfers and third-party relationships. ACA Aponix also recommends a records management program that requires secure disposal or personal data after a certain retention period.