CAC Introduces New Personal Information Protection Compliance Audit Management Measures
March 3, 2025
In February 2025, the Personal Information Protection Compliance Audit Management Measures (hereinafter the “Measures”) were released, clarifying that starting from May 1, 2025, the responsibility of personal information processors will be strengthened through compliance audits.
Policy Background and Legal Basis
The Measures aim to reinforce the responsibilities of personal information processors and enhance risk control and supervision. Based on the Personal Information Protection Law and the Regulations on Network Data Security Management, personal information processors are required to periodically audit the legality of their personal information processing activities. In cases of significant risks or security incidents, they shall comply with mandatory audit requirements imposed by regulatory authorities.
Two Types of Compliance Audits: mandatory and self-initiated
- Self-Initiated Audits: Processors handling the personal information of more than 10 million individuals shall conduct regular personal information protection compliance audits on their own, at least once every two years. These audits can be carried out by internal teams or delegated to professional institutions.
- Mandatory Audits: The Cyberspace Administration of China (CAC) and other relevant departments may require enterprises to commission professional institutions to conduct audits under three circumstances:
  - When there are significant risks, such as severe impacts on individual rights or a serious lack of security measures;
  - When the rights of a large number of individuals may be infringed;
  - When a personal information security incident occurs, resulting in the leakage, alteration, loss, or destruction of personal information affecting more than 1 million individuals or sensitive personal information of more than 100,000 individuals.
- Personal Information Protection Officer: Enterprises processing the information of more than 1 million individuals shall designate a personal information protection officer to oversee audit-related work.
Requirements for Audit Institutions
- Capability Threshold: They shall have professional personnel, facilities, and funding, and be accredited by national certification bodies.
- Independence Requirement: The same institution or responsible officer shall not conduct audits for the same enterprise more than three consecutive times.
Guidelines for Enterprises: How to Respond to Compliance Audits?
- Refer to the Guidelines for Personal Information Protection Compliance Audits to identify risk points across the entire data processing workflow.
- Establish a long-term mechanism: Set up dedicated positions and regularly conduct internal training and self-audits.