By Connie Chen and Maarten Roos
On 3 August 2023, the Cyberspace Administration of China (CAC) released the Management Measures for Compliance Audits on Personal Information Protection (Draft for Comments). These Compliance Audit Measures, once adopted, will oblige all companies in China that handle personal information (PI), to complete regular audits on whether personal information is processed in accordance with the PRC Personal Information Protection Law (PIPL).
Key points of the draft include:
- Compliance audit requirements. A PI handler that processes PI of more than one million individuals is required to conduct a compliance audit at least once per year, while all other PI handlers are required to conduct a compliance audit every two years. Regulatory authorities may also require PI handlers to conduct compliance audits in the event of a security incident or when there is a significant risk in their PI processing activities.
- Which entities can conduct compliance audits. The compliance audit can be conducted by the PI handler, or an entrusted professional organization. If the compliance audit is ordered by the regulatory authorities, then the audit must be conducted by a professional organization.
- Professional organizations. The CAC, Public Security Bureau (PSB) and other authorities will jointly establish a directory of recommended professional organizations that can complete compliance audits. It is “encouraged” to engage such professional organization to complete the audit.
The Draft includes an annex – the Reference Points for Compliance Audits on PI Protection – that elaborates on items and areas to be reviewed and assessed during a compliance audit. These Reference Points for a large part mirror provisions from the National Standards on Cybersecurity and PI Protection, including the Personal Information Security Specifications (GB/T-35273).
Once the Compliance Audit Measures come into force, almost all companies will be affected by these compliance audit requirements, as processing personal information (incl. information of employees) is generally unavoidable for running a business. Any violation of the Measures may result in penalties as per the PIPL, including fines and potentially, an order to suspend the business. These new requirements add another layer to the compliance load of PI handlers, after the PIPL already requires PI handlers to conduct self-assessment on PI processing activities and to generate a PI Impact Assessment Report when they process sensitive PI or transfer PI abroad.
R&P’s data privacy team advises companies on how to remain compliant with China’s data privacy laws, and supports our clients with assessments, audits and CAC filings. For more information on how we can support your business to be compliant, please reach out to [email protected] or [email protected], or to your usual contact at R&P.