Personal Information Compliance Audits under the New Rules

迈林律师事务所
2025-03-13

On February 14, 2025, the Cyberspace Administration of China issued the Administrative Measures for Personal Information Protection Compliance Audits (hereinafter the "Measures"), which take effect on May 1, 2025. The Measures set out detailed provisions on compliance audits in order to further implement the personal information protection responsibilities of personal information processors and to strengthen risk control and supervision over personal information processing activities.


This article provides a Q&A analysis of the compliance audit requirements under the Measures to assist enterprises in understanding and implementing personal information protection compliance audits.

I. What are the specific provisions of the Measures?

Personal information protection compliance audits refer to the supervisory activities that examine and evaluate whether personal information processors comply with laws and administrative regulations in their personal information processing activities. In 2021, the "Personal Information Protection Law of the People's Republic of China" (hereinafter referred to as the "Personal Information Protection Law") first introduced the concept of "personal information protection compliance audit."


To effectively implement this system, the Measures provide detailed regulations on the conduct of personal information protection compliance audit activities, the selection of compliance audit institutions, the frequency of compliance audits, and the obligations of personal information processors and professional institutions in compliance audits, aiming to provide operable standards for compliance audits.

II. In which cases should enterprises carry out personal information protection compliance audits?

The Measures apply to all organizations and individuals conducting personal information processing activities within the territory of the People's Republic of China, except for state organs and organizations with public affairs management functions.


Enterprises must conduct mandatory audits in the following circumstances:

1. Conducting compliance audits on their own initiative

Personal information processors handling personal information of more than 10 million people should conduct at least one personal information protection compliance audit every two years.

Entities that process minors' personal information must conduct an annual personal information protection compliance audit of such processing activities. The audit may be performed internally or commissioned to a professional institution.

2. Conducting compliance audits at the request of the Protection Department

Where the department performing personal information protection duties (hereinafter the "Protection Department") discovers any of the following circumstances in the course of its work, it may require the enterprise to entrust a professional institution to conduct a compliance audit of its personal information processing activities:

i) the personal information processing activities pose significant risks to personal rights and interests or seriously lack security measures;

ii) the personal information processing activities may infringe upon the rights and interests of a large number of individuals;

iii) a personal information security incident has occurred, resulting in the leakage, tampering, loss, or destruction of the personal information of more than 1 million people or the sensitive personal information of more than 100,000 people.

3. Other processors

Outside the specific circumstances above, other personal information processors should also conduct regular compliance audits of their personal information processing activities in accordance with laws and administrative regulations, but they may reasonably determine the audit frequency according to their own situation.

III. What should enterprises note when conducting self-initiated compliance audits?

When conducting compliance audits on their own initiative, enterprises may either carry out the audit through internal departments or commission a professional institution to perform it. Note that the Measures do not require the commissioned institution to hold any accreditation (see section III.2 below).

1. Key considerations for in-house audits conducted by internal departments

While the Measures do not specify detailed requirements for the composition of internal audit departments or for audit procedures, cross-referencing other relevant standards suggests that internal audits should adhere to six fundamental principles: legality, independence, objectivity, comprehensiveness, impartiality, and confidentiality. Independence deserves particular emphasis: audit personnel should not review business operations for which they are themselves responsible, and the audit function should be organizationally separate from the personal information processing activities being audited.

Enterprises may also refer to the key review items listed in the annex of the Measures, the "Personal Information Protection Compliance Audit Guidelines" (hereinafter referred to as the "Guidelines"), when conducting internal audit activities.

2. Key considerations for commissioning external professional institutions

If an enterprise intends to entrust a professional institution with a compliance audit, it should verify that the institution is capable of performing the audit, with audit personnel, premises, facilities, and funding commensurate with the engagement. It should also safeguard the independence of the audit: the same professional institution (including its affiliated institutions) and the same person in charge of the compliance audit may not audit the same audited entity three or more times in a row. Furthermore, once it has accepted the engagement, the institution may not subcontract the audit to another institution.

The Measures "encourage" professional institutions to obtain certification, but at present there is no website or list through which certified institutions can be looked up (this may change as the system matures). Enterprises may therefore select law firms or other professional institutions with expertise and experience in personal information protection compliance to carry out the entrusted audit.

IV. What legal obligations should enterprises fulfill when conducting compliance audits in accordance with the requirements of the Protection Department?

1. Provide support

Ensure that the compliance audit proceeds normally, provide the professional institution with the support it needs to carry out the audit, and bear the audit costs.

2. Select the entrusted institution and complete the audit

Select a professional institution as required by the Protection Department and complete the compliance audit within the prescribed time limit. Where the situation is complex, the time limit may be extended with approval.

3. Submit the report and rectify

After the compliance audit is completed, submit the personal information protection compliance audit report issued by the professional institution to the Protection Department, rectify the problems found as required, and submit a rectification report to the Protection Department within 15 working days of completing the rectification.


V. What enterprise activities are subject to priority scrutiny in compliance audits?

The annexed Guidelines, drawing on previously promulgated personal information protection laws and regulations, systematically organize the compliance audit requirements around 26 key areas, such as the legal basis for personal information processing activities, the transparency of processing rules, and the handling of sensitive personal information.


Take the cross-border transfer of personal information as an example. Under the previously issued "Personal Information Protection Law" and the "Regulations on Promoting and Regulating Cross-border Data Flows," a data export must rely on at least one of three compliance mechanisms: a security assessment, security certification, or a standard contract. The Regulations also expressly exempt certain scenarios from all three mechanisms, such as transfers needed for "cross-border human resource management" and cases where a processor (other than a critical information infrastructure operator) has "cumulatively provided the personal information of fewer than 100,000 individuals" abroad since January 1 of the current year, excluding sensitive personal information.


The data export review items in the Guidelines are built on these rules: they require the compliance audit to give priority to checking whether each type of processor, including operators of critical information infrastructure, has adopted the compliance mechanism (security assessment, security certification, or standard contract) that the law requires in its particular circumstances.

VI. What penalties may enterprises face for not conducting compliance audits in accordance with the law?

The Measures provide that enterprises, and professional institutions that accept an audit engagement, which fail to conduct compliance audits in accordance with the law will be dealt with under the "Personal Information Protection Law," the "Network Data Security Management Regulations," and other laws and regulations:

1. Administrative penalties

Orders to take corrective action, warnings, and confiscation of illegal gains. In serious cases, a fine of up to RMB 50 million or up to 5% of the previous year's turnover may be imposed, the relevant business may be ordered to suspend operations or cease business for rectification, and the competent authorities may be notified to revoke the relevant business permits or business license. Directly responsible supervisors and other liable personnel may be fined between RMB 100,000 and RMB 1 million and may be prohibited from serving as directors, supervisors, senior management, or personal information protection officers of relevant enterprises for a specified period.

2. Credit consequences

The violation is recorded in the enterprise's credit file and publicized in accordance with the regulations.

3. Criminal liability

Where the conduct constitutes a crime, criminal liability will be pursued in accordance with the law.

VII. What preparatory work do enterprises need to do for compliance audits at this stage?

1. In combination with the various compliance audit review points listed in the annexed Guidelines, comprehensively sort out the personal information processing activities involved in the enterprise's internal personnel management, business operations, and other aspects, identify potential risk points, and establish written management systems when necessary, incorporating personal information protection and its compliance audit system into the enterprise's internal control system.


2. Taking into account the enterprise's organizational size, business types, and the volume of personal information processed, form an internal audit team. Audit personnel may be drawn from teams with audit or personal information protection expertise, such as the internal audit, security, and legal teams, and pre-audit training should be organized for them.


3. Enterprises processing the personal information of more than 1 million people should designate a personal information protection officer to be responsible for the compliance audit work.


4. Reasonably determine the frequency of compliance audits based on the enterprise's personal information processing volume and business scale, and where necessary entrust an external professional institution to conduct an independent audit. It is advisable to produce a written compliance audit report and keep it on file for inspection by the regulatory department.

Author:

Erex Chen, Managing Partner
Tel: +86-21-68556511
Email: erexchen@mylinklaw.com
