The Cyberspace Administration of China (CAC) has announced new measures regarding data protection compliance audits, set to take effect on May 1, 2025. These measures aim to enhance the protection of personal information in accordance with the Personal Information Protection Law (PIPL) and the Administrative Regulations on the Security of Network Data.
Key Takeaways
- The new measures require data handlers processing personal information of over 10 million individuals to conduct audits every two years.
- Third-party audits may be mandated in high-risk scenarios, including data breaches affecting large numbers of individuals.
- Specific requirements are outlined for data handlers and third-party auditors, including the designation of Data Protection Personnel.
Overview of the Measures
The newly released “Administrative Measures on Compliance Auditing of Personal Information Protection” establish a framework for compliance audits that data handlers must follow. The measures include:
- Conditions for Audits: Audits will be triggered based on specific conditions, such as the scale of data processing and the presence of security risks.
- Selection of Auditors: Guidelines for selecting third-party compliance auditors are provided, ensuring they meet certain qualifications.
- Audit Frequency: Data handlers processing personal information of more than 10 million individuals must conduct audits at least once every two years.
- Obligations: Clear obligations are set for both data handlers and auditors during the compliance audit process.
Mandatory and Voluntary Audits
Data handlers are required to conduct mandatory audits under certain conditions:
- If their processing activities pose significant risks to individuals’ rights.
- If they lack adequate security measures.
- Following a data breach affecting over one million individuals.
In addition to mandatory audits, data handlers may also opt for voluntary audits, either internally or through third-party auditors.
Specific Requirements for Data Handlers
Data handlers processing personal information of over one million individuals must:
- Appoint designated Data Protection Personnel responsible for overseeing compliance.
- For those providing key online platform services, establish an independent organization to monitor compliance audits.
Third-Party Auditor Requirements
Third-party auditors must adhere to strict guidelines, including:
- Having appropriate staff, facilities, and funds to conduct audits.
- Maintaining confidentiality of the data reviewed during audits.
- Not using subcontractors for audit services.
Additionally, data handlers cannot use the same auditor for more than three consecutive audits to ensure objectivity.
Compliance Audit Guidance
The Measures provide detailed guidance on what data handlers must evaluate during compliance audits, including:
- Legal basis for processing personal information.
- Compliance with individual notification obligations.
- Management of vendors processing data on behalf of the handler.
- Procedures for handling sensitive personal information and minors’ data.
- Implementation of technical security measures and incident response plans.
These comprehensive guidelines aim to bolster data protection practices across China, ensuring that personal information is handled responsibly and securely. As the May 2025 deadline approaches, data handlers must prepare to comply with these new regulations to avoid potential penalties and enhance their data protection strategies.
Sources
- China Issues Measures on Data Protection Compliance Audits, Hunton Andrews Kurth LLP.