The study aims to analyse data security in the financial and banking sector of China. The data laws take a ‘consent-oriented’ approach, in which consent, along with a limited list of exceptions, is the legal basis for the processing of personal information. The personal data protection mechanism comprises the Data Security Law, the Cybersecurity Law, and the Personal Information Protection Law. Taken together, they cover all areas of information security and establish a strict data protection regime: they determine the scope of regulation, objects and subjects, responsibility, and institutional control mechanisms. For an accurate assessment, it is necessary to wait for the adoption of by-laws that specify the provisions of these laws. The financial and banking sector already has several by-laws in place that set stringent standards for the security of personal information. The leading role in this mechanism belongs to the financial regulator, the People’s Bank of China.