China: mandatory data protection compliance audit to go live on 1 May 2025

On 14 February 2025, the Cyberspace Administration of China (CAC) published the final Measures for the Personal Information Protection Compliance Audit (Measures). The Measures will take effect on 1 May 2025.

Conducting a data compliance audit: a must

  • Data compliance auditing as a legal obligation: The Measures have been in development since a consultation draft was released in August 2023, followed by draft national standards in July last year. Once effective in less than two months, the Measures will implement existing legal obligations under the Personal Information Protection Law (PIPL) and the Network Data Security Administration Measures. These rules also require organisations to conduct periodic compliance audits of their personal data processing activities.
  • Audit reports support compliance accountability: There are also strong commercial reasons to conduct an audit. Customers may request a vendor's data compliance audit report during vendor onboarding due diligence, so IT and other service providers should prepare accordingly. Similarly, investors or buyers might ask for this report during a transaction or IPO to understand a business's compliance with China's data protection regime.

Two types of audits

The Measures differentiate between two categories of audit:

  • Self-initiated audit: Businesses acting as data controllers that process the personal information of more than 10 million people must conduct a self-initiated audit at least every two years, either internally by themselves or through an external professional agency. Tech platforms and other large consumer-facing organisations will often cross that threshold in mainland China. Other businesses not meeting this threshold have the flexibility to determine their own data compliance audit frequency. This raises the triggering threshold and lowers the required frequency compared with the 2023 draft.
  • External audit: A regulator may require a data controller to appoint a professional agency to conduct an audit as soon as possible if:
    • the regulator finds that there is a high risk arising from a business’ personal information processing; or
    • a cyber incident has occurred.

What needs auditing

The guidelines appended to the Measures set out a relatively comprehensive checklist on what should be audited. Key points include the legal basis for processing, notice and consent, joint processing, entrusted processing, data sharing and transfer, data disclosure, automated decision-making, use of CCTV, processing publicly-available data, sensitive personal data, minor protection, cross-border data transfers, data subject rights, data governance, personal information protection impact assessments, security measures, and data breach response.

Helpfully, the Measures for the first time specify the long-awaited threshold at which the mandatory DPO appointment obligation applies, i.e., a controller that handles the personal information of more than one million individuals. This threshold figure was absent from the PIPL itself. The appointed DPO will take responsibility for the business's data compliance audits.

Industry-specific requirements

Apart from the Measures, businesses should in parallel assess whether more stringent industry-specific requirements apply. For example:

Implementing audit policies and procedure

To implement the new Measures, tech-focussed and other multinational organisations in China need to adjust their global data compliance audit policies (where they exist) to the requirements of PRC law. These data compliance audit policies and procedures will also need to be tailored to the volume of personal information processed and the roles the business plays (controller or processor).

However, there remain open questions, including:

  • if separate data compliance audits are necessary for each subsidiary within a corporate group or if a centralised audit for all subsidiaries in China would suffice;
  • whether audit requirements mandatorily apply to a data processor which processes a large volume of personal information on behalf of its controller; and
  • which department within an organisation is best placed to lead a data compliance audit: the audit department, the legal and compliance department or the privacy department, particularly given the requirements of objectivity and independence for those leading an audit.

Organisations must establish and implement data compliance audit policies covering the whole process: audit preparation, implementation, report issuance, gap rectification and record keeping.

We are working with several clients to analyse the implications of the new rules on their business operations in China. As always, feel free to reach out if you have any questions.