Further clarity to compliance requirements in the area of personal information processing

published on 21 March 2025 | reading time approx. 5 minutes

On 12 February 2025, the Cyberspace Administration of China (CAC) of the People’s Republic of China (PRC) released the Administrative Measures for Personal Information Protection Compliance Audits. These measures will come into effect on 1 May 2025, and aim to establish a standardized framework for conducting compliance audits on personal information processing activities. The new measures have been released together with guidelines that set forth the details for conducting compliance audits.

In alignment with the Personal Information Protection Law (PIPL) of the PRC, these measures provide detailed guidelines for organizations to conduct compliance audits of their personal information processing activities. The measures apply to all personal information processors (PI Processors) operating within China.

PI Processors are responsible for ensuring that compliance audits are conducted. While internal audit teams can perform these audits, organizations may also engage qualified third-party auditors to ensure objectivity and expertise.

Under the new measures, companies that process personal information will be subject to periodic audits to ensure compliance with Chinese data protection laws. The frequency of these audits depends on the volume of information handled: companies that process the personal information of more than ten million individuals must conduct an audit at least every two years. In addition, the CAC and other responsible authorities may require a PI Processor to entrust a specialized agency with the compliance audit of its personal information handling activities in the following cases:
  • Where its personal information handling activities involve relatively large risks, such as a serious impact on personal rights and interests or a serious lack of security measures.
  • Where its personal information handling activities may infringe upon the rights and interests of many people.
  • Where a personal information security incident occurs, resulting in the leakage, tampering, loss or damage of the personal information of more than one million people or the sensitive personal information of more than 100,000 people.

These thresholds and requirements for a compliance audit are an improvement compared to the original draft of the measures from 2023. Under that draft, all PI Processors that had processed the personal information of more than one million people would have had to undergo a compliance audit every year, and all other PI Processors every two years.

The audits are designed to be comprehensive, covering all aspects of information processing, including how information is collected, stored, shared and protected. Organizations are expected to identify compliance gaps, assess security risks and take corrective action where necessary. Unlike other assessments that focus on specific incidents or projects, compliance audits take a broad approach, evaluating an organization’s overall data governance and compliance.

Organizations can conduct audits internally or use external auditors to ensure objectivity. Regardless of the approach, companies must document audit findings and take corrective action where non-compliance or risks are identified. The CAC and other regulators can request these audit reports and impose penalties on companies that fail to meet audit requirements or correct deficiencies.

An important question is how compliance audits differ from personal information protection impact assessments (PIAs).

Although both compliance audits and PIAs are required under the PIPL, they serve different functions and apply in distinct situations. Compliance audits are broad evaluations of a company’s overall data protection framework, ensuring that all personal information processing activities comply with legal requirements. They are regular and ongoing.

In contrast, PIAs are specific, risk-focused assessments that companies must conduct before engaging in certain data processing activities. For example, a PIA is required if a company plans to process sensitive personal information, engage in automated decision-making, or transfer personal information across borders. The purpose of a PIA is to identify the risks associated with a particular data processing activity, assess the potential harm to individuals, and implement mitigation measures before proceeding. Unlike compliance audits, which are conducted on a regular basis, PIAs are triggered by specific circumstances and conducted as needed. In addition, compliance audits may be conducted by third-party auditors, whereas PIAs are typically conducted internally by a company's data protection team.

For businesses in China that are affected by the new measures, the measures bring additional data protection and security compliance requirements. Whereas previously the focus was on specific issues such as the cross-border transfer of personal information, affected companies will now have to address privacy and security in a much broader and more comprehensive way when handling personal information.

Contact

Sebastian Wiendieck, Partner, +86 21 6163 5329

Li Wang, Associate Partner, +86 21 6163 5352
