China’s Cyberspace Administration (CAC) has released new requirements regarding data protection audits, outlined in the “Administrative Measures on Compliance Auditing of Personal Information Protection” (the “Measures”). These Measures, which will come into effect on May 1, 2025, were developed in accordance with the Personal Information Protection Law (PIPL) and the Administrative Regulations on the Security of Network Data.
The Measures establish the conditions that could trigger an audit of a data handler’s compliance with personal information protection requirements. They also specify the process for selecting third-party auditors, the frequency of compliance audits, and the responsibilities of both data handlers and third-party auditors. An accompanying document, the “Guidelines on Personal Information Protection Compliance Auditing,” offers additional details on audit requirements.
Voluntary and Mandatory Compliance Auditing
Under the new Measures, data handlers processing personal information of more than 10 million individuals are required to undergo compliance audits at least once every two years.
The Measures also allow authorities to request third-party audits in certain cases, such as when a data handler’s processing activities pose a significant risk to individuals’ rights, lack adequate security measures, or when a data breach affects a large number of individuals. Specifically, audits are mandated if personal information of over one million individuals, or sensitive personal information of over 100,000 individuals, is compromised.
Data handlers may also opt to conduct compliance audits voluntarily, either internally or with the assistance of third-party auditors.
Requirements for Certain Data Handlers
For data handlers processing personal information of more than one million individuals, the Measures require the designation of a person responsible for personal information protection. Additionally, key online platform service providers with many users and complex business models must establish an independent organization, primarily consisting of external members, to oversee compliance audits.
Third-Party Auditors and Data Protection Personnel
Third-party auditors must have the necessary staff, resources, and confidentiality measures to conduct audits. They are prohibited from using subcontractors. The Measures also limit data handlers to using the same third-party auditor or its affiliates, or the same Designated Data Protection Personnel, for no more than three consecutive audits.
Compliance Audit Considerations
The Guidelines specify several factors for data handlers to evaluate during compliance audits, including:
- The legal basis for processing personal information
- Compliance with individual notification obligations
- Joint processing activities and vendor management
- Transfers of personal information due to business changes
- Engagement in automated decision-making and surveillance practices
- Protection of sensitive personal information and minors’ data
- The handling of cross-border data transfers and data erasure rights
- The effectiveness of internal policies, security measures, and workforce training
Additionally, data handlers offering key online services must include a social responsibility report on personal information protection in their audits.
These new requirements reflect China’s ongoing efforts to strengthen data protection practices and ensure compliance with international standards for personal information security.