
China: Time for your data protection compliance audit

Derived from an existing high-level requirement under the Personal Information Protection Law (PIPL) from 2021, data protection compliance audits have risen to the top of Mainland Chinese regulators’ legislative priorities. 

Last month, the National Cyber Security Standardisation Technical Committee of China (also known as TC260) proposed a set of national standards on Personal Information Protection Compliance Audit Requirements for a two-month consultation. 

Release of these standards follows the Cyberspace Administration of China's publication, in August last year, of the Draft Measures for the Personal Information Protection Compliance Audit. Once in effect, these binding audit measures, together with the recommendatory standards serving as industry best practice, will supplement existing audit requirements and guide companies in China in conducting periodic audits of their personal data processing activities.

Broad scope of application

The PIPL mandates any personal information processor (which is akin to a ‘data controller’ under the GDPR) to conduct periodic compliance audits on its personal data processing activities. 

A party entrusted to process personal data (akin to a ‘data processor’ under the GDPR) is not directly subject to the audit obligation, but must assist the controller in fulfilling its obligations, including the data compliance audit. 

In essence, this means that the audit rules will likely be relevant to almost all businesses processing anything more than a small volume of personal data in China (and even outside China where the PIPL’s extra-territorial effect applies). 

Two types of audits

The PRC regulators have been silent about implementation details of the data protection audit introduced under the PIPL, until now. 

  • Self-initiated audit: Under the proposed audit rules, most businesses acting as data controllers will be required to conduct a self-initiated audit at least once every two years; more frequent audits, at least once a year, will apply to controllers processing the personal data of more than one million individuals – the same threshold at which a government-led data export security assessment is also likely to apply if the personal data is being exported. Businesses are afforded flexibility to decide whether to conduct the audit themselves or through an external professional agency.
  • External audit: Regulators may mandate controllers to appoint a professional agency to conduct an audit as soon as possible, if:
    • regulators find that there is a high risk arising from a business’ personal information processing, or 
    • a cyber incident has occurred. 

The rules further propose that a regulator-requested audit must be completed within 90 working days after the regulator’s instruction. This timeline can only be extended with special approval from the regulator.

What needs auditing?

The audit rules propose comprehensive guidance on what should be audited. Key areas include the legal basis for processing, notice and consent, joint processing, entrusted processing, data sharing and transfer, data disclosure, automated decision-making, use of CCTV, processing of publicly available data, sensitive personal data, protection of minors, cross-border data transfers, data subject rights, data governance, personal information protection impact assessments, security measures and incident response.

One interesting observation is that the proposed audit rules appear to follow not only the PIPL and its implementation rules, but also some best market practices. For example, when evaluating whether a robust data breach response process has been established, the factors to be considered include whether the audited organisation is able to report to the relevant authorities and affected individuals within 72 hours of the incident occurring. This reporting timeline is not yet specified elsewhere under current PRC law, nor in China’s recently proposed cybersecurity breach reporting regime.

For international businesses that have built their global data governance solely on GDPR principles, additional PIPL-specific compliance uplift will be necessary to satisfy these data audit requirements. 

Professionalism and independence of auditors

In line with other types of audit, a data protection audit must follow the principles of legality, independence, objectivity, comprehensiveness, impartiality and confidentiality. 

In particular, auditors should be independent of the activity being audited and have no conflict of interest with the auditee. Although businesses can choose to conduct a self-initiated data protection audit on their own, the proposed audit rules specifically require the personnel conducting the audit to be independent of the personal information processing and protection activities under review. 

On the other hand, auditors are also expected to be equipped with data protection expertise so that they can conduct the audit work professionally.

If both requirements for auditors are retained in their current form, however, conducting a self-initiated audit through an internal team may not be feasible in practice: while in-house data privacy counsel has the professional expertise to perform the work, demonstrating independence will presumably be a challenge unless the internal team is large enough to separate the auditors from those running the processing activities. 

Preparing for your (first) PIPL data compliance audit

Delaying adoption of the process set out in the standard could, if non-compliance is left unresolved, result in operational disruption and (indirectly) significant legal risk.

With a forthcoming audit regime that will thoroughly evaluate adherence to PRC data protection law and practice, organisations should revisit their local compliance strategy and take immediate action to ensure all compliance measures are fully implemented before auditing begins. 

With the introduction of a data audit regime imminent and the length of any grace period uncertain, compliance-conscious organisations should begin planning their data audit systems, procedures and responsible team, and integrate the auditing process into their broader compliance programmes. 

Stay tuned for more on this fast-evolving regulatory regime!
