Law of the People's Republic of China on the Protection of Personal Information (effective November 1, 2021)
Articles 54 and 64: provide the basic legal framework for personal information protection compliance audits, requiring enterprises to proactively fulfill their audit obligations and to cooperate with supervision.
Regulations on Network Data Security Management (effective January 1, 2025)
Article 27: further refines the audit requirement: network data processors shall periodically conduct compliance audits of their handling of personal information against laws and administrative regulations, either on their own or by commissioning a professional organization.
Measures for the Management of Compliance Audits on Personal Information Protection (issued on February 14, 2025, effective May 1, 2025)
The first supporting rules for personal information protection compliance audits, now formalized.
01 Personal information protection audits are a critical step from principle to implementation
On February 14, 2025, the Measures for the Management of Compliance Audits on Personal Information Protection (hereinafter the "Measures") were officially released, marking the formal transition of China's personal information protection supervision from the "improving legislation" stage into the "deepening enforcement" stage. As the first supporting rule for the "periodic compliance audit" obligation in Article 54 of the Personal Information Protection Law, the Measures are significant in three respects: (1) Refined implementation requirements that fill a gap in the system: the abstract requirements of the Personal Information Protection Law are translated into 26 specific audit indicators (e.g., transparency of automated decision-making, mechanisms for protecting minors' information). (2) Strengthened accountability through clear triggers for personal information protection audits: processors that "handle the personal information of more than 10 million people" are subject to mandatory audits at least once every two years; and where a personal information security incident or risk exists, the protection authority may require the processor to commission a professional organization to carry out a personal information protection audit. (3) A coordinated governance mechanism for personal information protection: a three-tier system of "enterprise self-inspection + third-party audit + administrative supervision", with large platforms in particular required to introduce an external independent oversight body. Following closely on the Regulations on Network Data Security Management, the Measures have become an important piece of the legislative puzzle in the field of personal information protection in China.
The introduction of the Measures has significantly increased the cost of compliance for enterprises, but it has also resolved ambiguities in the previous legal framework for personal-information-intensive industries (e.g., telecommunications and Internet, finance, and healthcare) and provided a concrete, enforceable compliance path.
02 Core changes in the new provisions of the Measures
A year and a half after the release of the exposure draft, the official draft of the Measures contains a large number of revisions, including a higher audit trigger threshold and changes in management strategy, all reflecting an inclusive and flexible regulatory approach that is broadly in line with the trend set by the Provisions on the Facilitation and Regulation of Cross-border Data Flows and the Regulations on Network Data Security Management, both released in 2024. The changes in the official draft to focus on are the following:
I. Higher threshold for triggering mandatory audits: 10 million people is the critical watershed
The mandatory trigger threshold and the required frequency of personal information protection compliance audits are the elements of most concern; summarized in one sentence: higher threshold, lower frequency.
Version | Threshold for the amount of personal information | Frequency requirement | Circumstances below the threshold
Final version | Over 10 million people | At least once every 2 years | No explicit requirement
Draft for public comment | Over 1 million people | At least once per year | At least once every 2 years
From 1 million to 10 million: the official draft of the Measures significantly raised the mandatory trigger threshold for personal information protection compliance audits, and reduced the required frequency from "at least once a year" in the exposure draft to "at least once every two years". At the same time, enterprises that do not meet the threshold no longer face an explicit compliance audit requirement, but they must still fulfill the Personal Information Protection Law's requirement to conduct regular audits. Such enterprises are therefore advised to conduct personal information protection compliance audits in a timely manner, according to the nature of their business and the sensitivity of the personal information they handle, so that risks are detected early; after all, no enterprise wants to trigger a "passive audit".
II. Regulator-driven "passive audits": three scenarios identified
In addition to the "proactive audit" mechanism above, the regulatory authorities may require an enterprise to commission a professional organization to conduct a compliance audit when a personal information security incident or risk exists. The official draft of the Measures identifies three scenarios: (1) where it is found that personal information processing activities pose a high risk of seriously affecting the rights and interests of individuals, or that security measures are seriously lacking; (2) where personal information processing activities may infringe on the rights and interests of a large number of individuals; (3) where a personal information security incident occurs that results in the leakage, alteration, loss or destruction of the personal information of more than 1 million people or the sensitive personal information of more than 100,000 people. Viewed as a risk event, an incident involving "the personal information of more than 1 million people or the sensitive personal information of more than 100,000 people" corresponds, with reference to the Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial), to a large data security incident or above, and the regulatory authorities may then require the enterprise to carry out a personal information protection compliance audit. The Measures also clarify that the same personal information security incident or risk shall not be used to repeatedly require an enterprise to carry out a compliance audit.
III. Choice of audit format: self-conducted audits or audits commissioned from professional organizations
Both the official draft and the exposure draft provide for two forms of personal information protection compliance audit: audits carried out by the enterprise's own internal organization, and audits entrusted to third-party professional organizations. Under a "proactive audit", the enterprise may choose the form according to its actual needs. However, where the supervisory authority requires a personal information protection compliance audit, the Measures make clear that "a professional organization shall be selected in accordance with the requirements of the protection department", and the audit report and rectification report issued by the professional organization shall be submitted to the protection department within the following time frames:
Version | Time frame for submission of the audit report | Time frame for submission of the rectification report
Final version | Unspecified, to be determined case by case; the enterprise may apply for an extension | Within 15 working days of completing rectification
Draft for public comment | Within 90 working days; the enterprise may apply for an extension | Unspecified
IV. Third-party professional organizations: encouraging certification + accepting oversight
Third-party professional organizations are also a key part of personal information protection compliance audits, and whether they need explicit qualifications to carry out such audits has been a topic of great concern. The previous draft stated that a "recommended directory of professional organizations for personal information protection compliance audits" would be established and encouraged enterprises to give preference to the organizations listed in it. The official draft of the Measures removes the "recommended directory" provisions and retains the "encouragement of relevant professional organizations to obtain certification", which to a certain extent still signals that enterprises should give priority to certified organizations when selecting an auditor; only the directory recommendation mechanism is weakened. The Measures also provide for regular rotation and supervision of third-party professional organizations in the course of conducting personal information protection compliance audits: (1) legal compliance and confidentiality obligations; (2) compliance audits may not be subcontracted to other organizations; (3) no more than three consecutive compliance audits of the same auditee, a requirement that applies to professional organizations, their affiliates, and compliance audit leads; (4) the obligation to accept supervision and inspection. In short, the Measures require professional organizations conducting personal information protection compliance audits to be professional and independent, and to accept supervision by the protection authorities and the public. Encouraging certification also raises the entry threshold for professional organizations, forming a healthy ecosystem of "regulatory guidance + market choice".
V. Other: threshold for designating a person responsible for personal information protection
Article 52 of the Personal Information Protection Law requires enterprises handling personal information to designate a person responsible for personal information protection where the amount of personal information reaches "the amount specified by the state net information department", but for more than three years no document clarified what that "specified amount" is. The official draft of the Measures finally settles the question: a processor that handles the personal information of more than 1 million people shall designate a person in charge of personal information protection, who is also responsible for personal information protection compliance audits. Now that the Measures have clarified the conditions for designating this person, it is foreseeable that related requirements of the Personal Information Protection Law, such as disclosing the contact information of the person in charge and reporting his or her name and contact information to the supervisory authorities, will soon be further implemented.
03 Core framework of the Personal Information Protection Compliance Audit Guidelines
As an important part of the release of the Measures, the "Reference Points for Personal Information Protection Compliance Audits" of the original exposure draft have been renamed the "Personal Information Protection Compliance Audit Guidelines". Compared with the exposure draft version, the Audit Guidelines in the official draft have been streamlined and optimized in many ways, for example by removing the security assessment of algorithmic models in automated decision-making scenarios, the filing and review of science and technology ethics, and the review of the oversight requirements for independent bodies and external members of large Internet platforms, resulting in 26 audit items, categorized as shown in the chart below:
Personal Information Protection Compliance Audit Guidelines Framework
Following the main line of "risk identification - compliance verification - dynamic improvement", the Audit Guidelines set differentiated review standards for specific high-risk scenarios (protection of minors, cross-border transfers, automated decision-making, etc.) and urge enterprises to observe the following principles in protecting personal information: (1) Legal basis first: emphasizes the principle of "lawfulness, legitimacy and necessity" in handling personal information, with particular attention to the validity of "consent" (e.g., separate consent and re-consent mechanisms). (2) Scenario-based tiered management: focuses self-inspection on high-risk scenarios (e.g., minors' information, biometric data) and establishes the principle of "high risk, high obligation". (3) Technology and management together: requires both effective technical security measures (e.g., encryption, de-identification) and complete internal management systems (e.g., emergency plans, training programs). The 26 audit requirements in the Audit Guidelines give enterprises a clear scope of review for personal information protection compliance audits. In practice, audits can now also refer to the national standard "Data Security Technology - Personal Information Protection Compliance Audit Requirements" (currently open for comment), which specifies in detail how such audits are performed, covering the audit process, audit evidence, audit content and audit methodology, and provides reference documents such as audit working paper templates and audit report templates, offering an implementation framework that enterprises can follow.
Personal Information Protection Compliance Audit Implementation Process (Reference)
Last year, 36 enterprises took part in pilot personal information protection compliance audits based on this standard. Now that the Measures have been formally released, the national standard on audit requirements is expected to be formally issued soon, so that enterprises can refer to it when carrying out audits themselves or entrusting them to third-party professional organizations.
04 Suggested references for business practice
Personal information protection compliance auditing derives from the universal compliance requirements of the Personal Information Protection Law; the Measures only add differentiated requirements on audit frequency and scope for processors handling the personal information of more than 10 million people or more than 1 million people. The Measures take effect on May 1, 2025, and from a practical compliance perspective enterprises should prepare and plan their work in advance with reference to the Measures' requirements: (1) Build a risk map: conduct a gap analysis against the 27 provisions of the Guidelines and prioritize rectification of the areas most frequently penalized (e.g., lack of valid consent, excessive collection, cross-border violations). (2) Improve the governance structure: appoint a full-time personal information protection officer and empower him or her to coordinate across departments; establish a three-pronged compliance system of "systems, technology and personnel" to avoid "emphasizing technology over management". (3) Scenario-based compliance design: develop dedicated compliance guidelines for key scenarios such as automated decision-making, protection of minors, facial recognition, and cross-border transfers.
(4) Dynamic response mechanisms: update personal information protection impact assessment reports quarterly and retain the chain of evidence for rectification; conduct regular internal audits and mock regulatory inspections to ensure that contingency mechanisms are actually enforceable.
Original article by Cyber Institute, if reproduced, please credit: https://cncso.com/en/personal-information-protection-compliance-audit-html