To add to the compliance burden, new mandatory, periodic and detailed data protection compliance audits have now been proposed in China, with measures beyond the usual governance/compliance audit compliance steps expected under other data protection frameworks, and a duty to report the audit results to the China data authorities.

On 3 August 2023, the Cyberspace Administration of China (“CAC”) published the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”) for public consultation, which closes on 2 September 2023. The Draft Measures expand on the audit requirements in the PRC Personal Information Protection Law (PIPL), by setting out the scope and frequency of audits.

According to the Draft Measures, a data controller who processes personal data of more than one million data subjects must carry out a compliance audit at least once a year. Other data controllers must carry out a compliance audit at least once every two years.

The Draft Measures set out the key points to be audited in each of the following data protection areas: lawful basis, notice and consent, sharing or transferring personal data with third parties, automated decision-making, CCTV, public disclosure of personal data, processing sensitive personal data, cross-border transfer of personal data, retention and deletion, data subject right request, DPO, internal data governance, data incident responsive plan and personal data impact assessment.

Under the Draft Measures, the CAC has the authority to order a compliance audit on a data controller and entrust a third party auditing institution to perform the audit. The entrusted institution may request the data controller to provide documents and materials, conduct on-site investigations, access relevant systems and devices, organize interviews and request other assistance from the data controller. It has 90 working days to complete the audit and issue auditing opinions.

The data controller is required to follow the auditing institution’s recommendations and take remediation measures. After remediation, the satisfactory auditing result will be reported to the CAC

If implemented, this is going to require significant internal resources to manage. While there may be some changes to the key audit points or other technical details in the final version of the Draft Measures, it is very likely that the data compliance audit regime will be launched soon. Data controllers are recommended to start to review their ongoing data processing activities, and take necessary remediation action now while they still have the chance to make plans suitable for its own operation before being audited by the CAC. Gradually, conducting periodic data compliance audits will likely become part of the regular business routines of data controllers