The audit on personal data protection is coming

The Cyberspace Administration of China (CAC) published the Administrative Measures for the Audit of Personal Information Protection Compliance (draft for comment) in August. The aim is to operationalize the regular compliance audit for processors of personal information in accordance with Articles 54 and 64 of the Personal Information Protection Law (PIPL).

The administrative measures specify the obligation to conduct regular compliance audits in terms of frequency and distinguish between two types of subjects: a processor that processes more than one million pieces of personal information must conduct an audit at least once a year, while other processors of personal information should do so at least every two years. The audit may be carried out by the company itself or by a specialist institution recognized by the CAC. However, it should be noted that the same auditor may not conduct personal data protection compliance audits for the same processor more than three times in a row.

If supervisory authorities identify a significant risk in the processing of personal information, or if personal data protection incidents occur, they may require processors to engage external specialized institutions to conduct a specific compliance audit of their personal information processing activities.

The audit items reflect the requirements of the PIPL and national standards and include regulations on the processing of personal information, cross-border provision of personal information, protection of the rights of personal information subjects, obligations of personal information processors, and specific responsibilities of large Internet platforms. Once the administrative measures enter into force, they will be binding for all companies that process personal information.

The new audit is another building block in China’s data protection regime. China wants to use strict regulations to ensure that all companies based in China have a sufficient level of data protection. We recommend that companies carry out a data mapping and data flow analysis of personal data now and adapt their IT compliance accordingly.
