Connect with us
Key Guidelines for Companies in Compliance Audits for Personal Information Protection Standards Key Guidelines for Companies in Compliance Audits for Personal Information Protection Standards

China

Key Guidelines for Companies in Compliance Audits for Personal Information Protection Standards

Published

on

China’s standards authority has released draft standards for personal information protection compliance audits, potentially making them mandatory for companies in 2023. The audits will require companies to undergo annual or biennial checks based on the number of people’s information they handle. The draft standards outline the audit process and requirements, seeking public feedback until September 11, 2024.


China’s standards authority has released draft standards for conducting personal information protection compliance audits. Regular compliance audits to ensure compliance with personal information protection regulations may become a requirement for companies in China under draft measures released in 2023. We explain the audit processes and requirements proposed in the draft standards.

The Standardization Administration of China (SAC) has released a set of draft standards for conducting personal information (PI) protection compliance audits. Under draft measures released by the Cyberspace Administration of China (CAC) in August 2023, companies that process the PI of people in China are required to undergo regular compliance audits.

Specifically, companies that process the PI of over one million people must undergo a compliance audit at least once a year, while companies that process the PI of under one million people must carry out an audit at least once every two years. 

While the draft measures stipulate the obligations of the auditing body and the audit scope, the draft standards outline the specific audit process, including evidence management and permissions of the audit organization, as well as the professional and ethical requirements of auditors. 

The Secretariat of the National Cybersecurity Standardization Technical Committee is soliciting public feedback on the draft standards until September 11, 2024. Public comment on the draft measures released in August last year closed on September 2, 2023, but no updated document has yet been released. 

The draft standards outline five stages of the PI protection compliance audit: audit preparation, implementation, reporting, problem rectification, and archiving management. 

Auditors are required to accurately document identified security issues in the audit working papers, ensuring that the records are comprehensive, clear, and conclusive, reflecting the audit plan and its execution, as well as all relevant findings and recommendations. 

This article is republished from China Briefing. Read the rest of the original article.

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.