On July 12, 2024, China’s National Technical Committee on Cybersecurity of the Standardization Administration of China (SAC/TC260) released for public comment the draft of the recommended national standard 20240896-T-469 Data security technology — Personal Information Protection Compliance Audit Requirements (hereinafter referred to as the Standard). The public consultation period ended on September 11, 2024. The Standard aims to clarify the principles and overall requirements for conducting personal information protection compliance audits and to standardize the auditing practices of personal information processors. The China Electronics Standardization Institute is leading the development of the Standard.
Overview of the Standard
The Standard provides comprehensive guidelines for conducting personal information protection compliance audits that are aligned with the Personal Information Protection Law (PIPL). It applies both to internal audits conducted by personal information processors themselves and to audits outsourced to professional institutions. The key highlights of the Standard include:
- Audit Principles and Obligations: The Standard sets out the principles that govern compliance audits and the obligations of both personal information processors and professional auditing institutions.
- Practical Guidance: The Standard provides practical guidance for complying with Article 54 of the PIPL, which requires personal information processors to conduct regular compliance audits of their personal information processing activities. It includes detailed guidance on the audit process, the types of audit evidence, audit content and methods, and templates for audit working papers and reports, giving auditors a comprehensive set of practical tools.
- Supplementary Audit Content: Annex C of the Standard expands on the annex to the Measures for the Administration of Personal Information Protection Compliance Audits (Draft for Comment) (hereinafter referred to as the Measures), issued by the Cyberspace Administration of China in August 2023. These additions and modifications address industry needs and align the audit content with related regulations. Key updates include:
  - Adding audit content on the implementation of the “minimum and necessary” principle during the collection of personal information.
  - Supplementing the audit content on the protection of minors’ personal information, consistent with the Regulation on the Protection of Minors in Cyberspace.
  - Modifying the audit content related to cross-border transfers of personal information, in line with the Provisions on Promoting and Regulating Cross-border Data Flows.
In conclusion, the Standard represents a significant step in China’s data security governance by providing clear guidance for personal information protection compliance audits. Foreign stakeholders should pay attention to two key points:
- Once the Measures take effect, compliance audits will become mandatory for entities that fall within the scope of Article 4 of the Measures: “Personal information processors handling the personal information of more than 1 million individuals must conduct personal information protection compliance audits at least once a year; other personal information processors must conduct such audits at least once every two years.” Entities conducting these audits will need to refer to the Standard once it is finalized.
- The draft Measures are expected to undergo revisions, particularly to their annex, which overlaps significantly with Annex C of the Standard. International stakeholders are advised to closely monitor developments concerning both the Standard and the Measures.