On February 12, 2025, the Cyberspace Administration of China (CAC) officially released the Personal Information Protection Compliance Audit Measures (the "Audit Measures"), which will take effect on May 1, 2025. The Audit Measures further clarify the compliance audit obligations of personal information processors, reinforce corporate data protection responsibilities, and enhance the regulatory oversight of government authorities. For businesses, the implementation of the Audit Measures signifies a shift toward stricter regulatory scrutiny in personal information compliance. Companies engaged in large-scale personal data processing, cross-border data transfers, automated decision-making, or handling of sensitive personal information must pay close attention to their compliance obligations.
1. Compliance Audit Becomes a "Must-Do"
The Personal Information Protection Law (PIPL), enacted in 2021, already mandates that businesses conduct regular compliance audits. The Audit Measures provide more detailed requirements regarding audit frequency, scope, selection of audit firms, and regulatory intervention, outlining both self-initiated compliance audits and audits mandated by regulators:
(1) Businesses processing large volumes of personal data (exceeding 10 million individuals' records) must conduct a compliance audit at least once every two years.
(2) Regulators may require a compliance audit under the following circumstances:
- When serious risks to personal rights are identified, or security measures are deemed inadequate;
- When personal information processing activities may infringe on a large number of individuals' rights; or
- When a major data breach occurs, leading to the exposure, alteration, loss, or destruction of data affecting over 1 million individuals or over 100,000 individuals' sensitive personal information.
(3) Industry-specific requirements: Companies handling minors’ personal information must conduct annual compliance audits in accordance with the Regulations on the Protection of Minors in Cyberspace.
2. Types of Compliance Audits
(1) Self-Initiated Compliance Audits
Companies that conduct self-initiated compliance audits may:
- Assign the task to internal departments such as compliance or legal teams, provided the auditors do not directly engage in daily business operations; or
- Engage an independent third-party firm to conduct an external compliance audit.
Additionally, businesses processing more than 1 million individuals' data must appoint a Personal Information Protection Officer (PIPO) to oversee compliance audits, and large internet platform operators with a high user base and complex business operations must establish an independent audit body, primarily composed of external experts.
(2) Regulatory-Mandated Audits
If regulators require a company to conduct a compliance audit, the company must engage a third-party professional firm to perform the audit and should:
- Fully cooperate with auditors and provide necessary data access;
- Cover the costs of the compliance audit;
- Complete the audit within a specified timeframe (extensions may be granted for complex cases);
- Submit to regulatory authorities the final compliance audit report issued by the auditing firm;
- Implement corrective actions based on audit findings and submit a remediation report within 15 working days of completing the rectifications.
(3) Responsibilities of Third-Party Auditors
Third-party auditing firms shall maintain confidentiality regarding personal data, trade secrets, and proprietary business information obtained during audits, and permanently delete such information once the audit is completed. The auditing firm must not delegate the work to another entity. The same auditing firm and its affiliates, as well as the same lead auditor, cannot conduct more than three consecutive audits for the same company.
3. Key Focus Areas in Compliance Audits
The Audit Measures include an Annex: Guidelines for Personal Information Protection Compliance Audits, outlining 26 key compliance areas. Businesses should focus on the following critical aspects:
(1) Legality of Personal Information Collection and Processing
- Has clear and informed user consent been obtained?
- Has the principle of data minimization been applied?
- Is renewed user consent obtained when the purpose of personal information processing changes?
(2) Personal Information Security Measures
- Has the company implemented a classification and hierarchical protection system for personal data?
- Are security measures such as access controls, encryption, and anonymization in place?
- Is there a well-defined data breach response plan?
(3) Protection of User Rights
- Can users access, rectify, delete, or withdraw consent for their personal data?
- Is there a clear and accessible complaint-handling mechanism?
(4) Cross-Border Data Transfer Compliance
- Do international data transfers comply with China's Data Export Security Assessment requirements?
- Have the required security assessments or contract filing obligations been fulfilled?
(5) Automated Decision-Making and Algorithmic Compliance
- Are users fully informed about how their data is used in automated decision-making?
- Can users opt out of personalized recommendations and dynamic pricing models?
4. Strengthening Business Competitiveness Through Compliance Audits
Compliance audits are not merely a passive response to regulatory requirements; they are a core reflection of a company's data governance capabilities. By proactively planning compliance audits, businesses can reduce compliance risks associated with regulatory investigations or data breaches while improving transparency and strengthening user trust. This, in turn, enhances a company's overall competitiveness. In line with the Audit Measures, businesses should establish a compliance audit framework tailored to their specific circumstances:
(1) Implement a "Regular + Special" Audit Framework
Conduct routine audits to ensure continuous compliance in daily business operations. Schedule special audits for major business changes affecting personal data processing.
(2) Monitor Data Processing Scale
If the processed data volume approaches 10 million individuals, businesses should schedule compliance audits proactively rather than wait for regulatory mandates.
(3) Engage an Independent Third-Party Firm
While self-initiated audits do not necessarily require outsourcing to a professional firm, the choice of audit method directly impacts the independence and credibility of the results. For businesses processing over 10 million individuals' data, it is advisable to engage an independent third-party audit firm to conduct regular audits and provide written reports. Companies without a well-established compliance team should also consider seeking external consulting or legal support at an early stage to mitigate potential compliance risks. Smaller businesses may start with internal self-assessments and gradually enhance their audit mechanisms over time.
(4) Establish a Corrective Action Plan
Develop a clear remediation process to promptly address compliance gaps identified during audits.
(5) Stay Informed on Legislative Developments and Emerging Compliance Requirements
For example, the National Information Security Standardization Technical Committee is currently drafting a national standard for personal information protection compliance audits and has released a consultation draft. This standard aligns closely with the Audit Measures in terms of audit content and also provides a template for audit reports. Businesses are advised to closely monitor the development of this standard to ensure better implementation of the Audit Measures in practice.
7F Wheelock Square, 1717 Nanjing West Road, Shanghai 200040, PRC