
PRC - New Measures for Personal Information Protection Compliance Audits

Published Date
Mar 7 2025
The PRC Personal Information Protection Law (PIPL) mandates regular data compliance audits. Following a consultation period that began on August 3, 2023, the Cyberspace Administration of China (CAC) issued the Measures for Personal Information Protection Compliance Audits (the Audit Measures) on February 14, 2025. The Audit Measures clarify the circumstances in which data compliance audits are required. The Audit Measures will take effect on May 1, 2025.

Key points of the Audit Measures

Who is required to conduct audits?

Personal information handlers that process the personal information of more than 10 million individuals within the PRC are required to conduct audits. Businesses processing the personal information of fewer than 10 million individuals may be ordered by the Cyberspace Administration of China or other competent authorities to engage a professional agency to conduct an audit if:

  • there are serious risks affecting personal rights or significant security deficiencies; or
  • personal information processing activities may infringe upon the rights of many individuals; or
  • a security incident results in the leakage, tampering, loss, or damage of the personal information of more than 1 million people or the sensitive personal information of more than 100,000 people.

Who can conduct audits?

The Audit Measures state that personal information handlers can conduct audits internally or through a professional agency. Under certain circumstances, cybersecurity authorities may require companies to appoint a professional agency to conduct the audit on their behalf.

How often should audits be conducted?

Businesses processing the personal information of over 10 million individuals are required to conduct audits at least once every two years. Other businesses are required to conduct audits at regular intervals, but with no specific frequency prescribed by law.

Additional requirements

  • Businesses processing the personal information of more than 1 million individuals must designate a personal information protection officer responsible for the personal information audit.
  • Businesses providing "important internet platform services with a large user base and complex business structure" should establish an independent department composed mainly of external members to supervise the audit. However, it is unclear what is meant by "important internet platform services with a large user base and complex business structure".
  • A guideline issued with the Audit Measures outlines critical factors to be considered during the audit, such as whether the legal basis for data processing is sufficient and whether a mechanism is established for upholding data subjects' rights. This guideline should form the basis for conducting audits.

What should you do?

To ensure compliance with the new Audit Measures, businesses should:

  1. Assess the volume of personal information processed: Determine if your business processes the personal information of over 10 million individuals to understand the specific audit requirements.
  2. Designate a personal information protection officer: If your business processes the personal information of more than 1 million individuals, appoint a dedicated officer to oversee compliance.
  3. Establish an independent audit department: For businesses providing significant internet platform services, consider forming an independent audit department with external members.
  4. Review and implement the guideline: Familiarize yourself with the guideline issued alongside the Audit Measures and integrate its critical factors into your audit processes.
  5. Plan regular audits: Schedule audits at appropriate intervals to ensure ongoing compliance with the PIPL and the new Audit Measures.
