Personal Information Protection Audits in China – New Draft Standards

Written by Arendse Huld

China’s standards authority has released draft standards for conducting personal information protection compliance audits. Under draft measures released in 2023, companies in China may be required to undergo such audits at regular intervals to verify compliance with personal information protection regulations. We explain the audit process and requirements proposed in the draft standards.


The Standardization Administration of China (SAC) has released a set of draft standards for conducting personal information (PI) protection compliance audits. Under draft measures released by the Cyberspace Administration of China (CAC) in August 2023, companies that process the PI of people in China are required to undergo regular compliance audits.

Specifically, companies that process the PI of over one million people must undergo a compliance audit at least once a year, while companies that process the PI of under one million people must carry out an audit at least once every two years. 

Companies can carry out the audit themselves through an internal organization or entrust a third-party agency to do it on their behalf. The audit will ensure that the company is complying with China’s Personal Information Protection Law (PIPL) and other relevant regulations on PI protection, processing, and export. 

While the draft measures stipulate the obligations of the auditing body and the audit scope, the draft standards outline the specific audit process, including evidence management and permissions of the audit organization, as well as the professional and ethical requirements of auditors. 

The Secretariat of the National Cybersecurity Standardization Technical Committee is soliciting public feedback on the draft standards until September 11, 2024. Public comment on the draft measures released in August last year closed on September 2, 2023, but no updated document has yet been released. 


Audit process 

The draft standards outline five stages of the PI protection compliance audit: audit preparation, implementation, reporting, problem rectification, and archiving management. 

Auditors are required to accurately document identified security issues in the audit working papers, ensuring that the records are comprehensive, clear, and conclusive, reflecting the audit plan and its execution, as well as all relevant findings and recommendations. 

Step 1: Audit preparation 

Establishing the audit team 

Organizations or entrusted professional agencies must consider factors such as organizational size, business type, volume and sensitivity of PI, and system complexity to form an audit team. The team should have a designated leader who oversees resource allocation, task distribution, audit planning, review of working papers and evidence, and compilation of conclusions and reports. The team can be formed as follows: 

  • If the organization has a dedicated PI protection audit team, members are selected from this team.
  • If there is no dedicated team, members are chosen from internal audit, security, or legal teams with relevant expertise, maintaining independence.
  • If a third-party agency is used, the agency forms the team, possibly with internal support. 

The draft standards also stipulate that companies that provide important internet platform services, have a very large number of users, and have complex business structures are required to establish an independent organization mainly composed of external members to supervise the PI protection compliance audit. However, the standards do not currently provide definitions of what are considered important internet platform services, a very large number of users, or a complex business structure, meaning it is unclear which companies will have to comply with this requirement. 

Conducting pre-audit investigation 

Before the audit, the team should investigate the PI protection practices of the organization through surveys, data review, document examination, and interviews. This includes understanding: 

  • The organizational structure, responsible personnel, and management departments for PI protection.
  • Scenarios and activities involving PI processing, including types, volume, sensitivity, purpose, methods, scope, and key business processes.
  • Information systems supporting PI processing.
  • Relevant management systems, operating procedures, and security measures.
  • Any past PI security or compliance incidents. 

Determining audit methods 

A combination of on-site and off-site audits should be used, with a preference for electronic and automated methods to enhance audit quality. The choice of audit methods should be tailored to the audit target to gather the necessary evidence. 

Developing and reviewing the audit plan 

Before each specific audit, the team must draft an audit plan considering regulatory changes, organizational structure, strategic goals, PI protection plans, business processes, previous audit findings, security incidents, complaints, relevant technologies, and information on special populations. The plan should include: 

  • Names of the audited unit and audit object.
  • Audit goals, scope, basis, content, processes, methods, team composition, timeline, resource needs, and risk management measures.
  • Use of external experts’ results if needed. 

The audit leader and the audited party should review the plan, focusing on potential improvements, compliance with laws and standards, confidentiality, security, and the needs and expectations of stakeholders. If there are changes to audit objectives or criteria, the plan should be updated accordingly. 

Step 2: Implementation 

Sending a notice of audit 

Before the formal implementation of the audit, the organization carrying out the audit should notify the person in charge of the target company. The notice should clarify the following matters: 

  1. Audit participants and their job responsibilities;
  2. Audit objectives, scope, and basis;
  3. Methods used in the audit;
  4. Management methods for risks that may be posed to the organization by the presence of audit team members;
  5. Formal communication channels between the audit team and the audited party;
  6. Resources and facilities required by the audit team;
  7. Matters related to confidentiality and information security;
  8. Daily security matters, emergency and security procedures of the audit team; and
  9. Feedback channels for the audited party on audit findings, audit conclusions, and so on. 

Collecting audit evidence 

Audit personnel should gather evidence through multiple channels to reduce audit risk and ensure quality. The evidence should be relevant to the audit objectives and accurately reflect the requirements being audited against. Evidence should be stored properly and archived centrally, and organized into the corresponding audit work papers in a timely manner. 

Accepting audit evidence 

Only evidence meeting specified requirements should be accepted. This includes results from network security, data security, and PI protection inspections, assessments, or certifications organized by relevant departments within the current year or still valid. 

Writing audit work papers 

Audit work papers should be complete, clearly recorded, and contain definitive conclusions. They should objectively reflect the preparation and implementation of the audit plan and all significant matters related to forming audit conclusions, opinions, and recommendations. Work papers should include: 

  • Audit paper number.
  • Name of the audit institution and names (signatures) of audit personnel, audit date, and location.
  • Name of the PI handler.
  • Audit matters and start/end dates.
  • Execution process and results of audit procedures.
  • Audit basis.
  • Audit findings and evidence.
  • Conclusions, opinions, and suggestions.
  • Names (signatures), dates, and opinions of reviewers.
  • Index number and page numbers.
  • Audit identifiers and other symbols and explanations.
  • List of interviewees and reviewed materials.
  • Any additional content deemed necessary by the auditors. 

Confirming audit findings 

Auditors should evaluate and analyze the evidence obtained, identify issues, and form findings based on the audit criteria. Findings and conclusions should be communicated to the PI handler’s management through meetings or other mechanisms for confirmation. If there are objections, discussion and further verification may be necessary; if disagreements persist, they should be documented in the audit work papers. Issues should be ranked based on impact and rectification cost. Formal confirmation of the audit findings by the audited party is required after the audit is completed. 

Step 3: Audit reporting 

Dispute resolution 

Before writing the audit report, a mechanism for resolving disputes between the auditors and the audited entity should be established. Any objections to the audit conclusions should be promptly addressed and documented. 

Report writing 

Upon completion of the audit, auditors must prepare a written audit report that includes an overview, basis, conclusions, findings, opinions, and suggestions. 

The report should include: 

  • An audit overview: Introduction and description of the overall PI protection compliance audit project, covering information about the audit institution, the audited entity (target company), the background of the audit, audit objectives, scope, time frame, organizational and business coverage, and audit areas, the main audit content and focus areas, and the audit procedures and methods used.
  • The basis for the audit: Relevant laws, regulations, policies, and standards that formed the basis for the PI protection compliance audit.
  • The audit process: Systematic steps taken by the auditors from start to finish.
  • Audit conclusions: Evaluation of the compliance, appropriateness, and effectiveness of the audited entity’s PI processing activities based on the findings.
  • Audit findings: Key compliance issues discovered during the audit, including facts, reasons, consequences, and impacts.
  • Audit opinions: Recommendations for addressing violations of laws and regulations found during the audit.
  • Audit suggestions: Targeted recommendations for resolving the main issues identified, based on analysis of causes and impacts.
  • Supplementary materials: Additional explanatory materials and data supporting the main report. 

Delivering the audit report 

For internal audits, the report should be signed by the audit leader and submitted to the organization’s head or PI protection leader. For audits conducted by external third-party agencies, the report should be signed by the audit leader and the agency head, stamped with the agency seal, and delivered within the agreed timeframe. 

Step 4: Problem rectification 

Auditors should track the non-compliance items identified during the audit and urge the audited company to rectify them within a prescribed period. If necessary, auditors can conduct follow-up audits to verify the completion and effectiveness of the rectification measures. 

Step 5: Archiving management 

PI handlers and third-party professional institutions must keep archives of documents such as the PI protection compliance audit work papers and reports. 

Auditor requirements 

The draft standards stipulate certain professional and competency criteria that auditors must meet in order to be able to carry out the audit work. They must also adhere to certain professional ethical rules, such as independence, objectivity, fairness, and confidentiality. 

Professional competency 

  • Auditors must be knowledgeable about PI protection laws, regulations, and standards, enabling them to accurately assess the legality and effectiveness of the auditee’s measures.
  • They should be familiar with the audit process, methods, key points, and technical measures related to PI protection.
  • Possessing professional certifications in related fields is preferred. 

Independence 

  • Internal auditors should avoid auditing areas they are responsible for and must not be involved in the daily operations or PI protection work of the audited entity. Their work should remain free from the target company’s influence.
  • External auditors must not have conflicts of interest with the target company or its staff, such as familial ties, financial transactions, or legal disputes.
  • Auditors should avoid activities that could impair their independence and should not accept any items that could influence their judgment.
  • If an auditor’s independence is compromised, they must report it in writing to the audit team, and the auditor should be temporarily withdrawn from the audit or their participation terminated.

Objectivity 

  • Auditors must ensure the reliability, authenticity, effectiveness, and completeness of collected and used evidence, using lawful, scientific, and transparent methods.
  • Conclusions should be based on sufficient, objective, and comprehensive evidence, without distorting facts, concealing findings, or making misleading statements.
  • Auditors should not participate in activities that could affect their objectivity or accept items that could influence their judgment.
  • Auditors must promptly and accurately report all evidence to the audit team to ensure an objective evaluation. 

Fairness 

  • Auditors should make unbiased, fact-based judgments that reflect reality.
  • In case of significant obstacles or disagreements among auditors, a truthful, accurate, and complete written report should be submitted to the audit team. 

Confidentiality 

  • External auditors must sign a confidentiality agreement with the target company before starting the audit, outlining mutual responsibilities and breach clauses.
  • Internal auditors should adhere to the company’s confidentiality policies.
  • Auditors must protect audit data per confidentiality agreements or internal regulations, and not use the data beyond the audit’s purpose.
  • Audit work should comply with the target company’s internal information security requirements.
  • Audit data should not be disclosed to third parties without written authorization from the target company or unless legally required. 

Considerations for companies 

The requirement to conduct regular PI protection compliance audits, which has yet to be formally adopted, could add a significant compliance burden for companies. This is especially true for small companies that have fewer resources to handle the additional workload and companies handling large volumes of PI that will be required to conduct audits annually.  

In light of this, the draft standards provide much-needed clarity and detailed guidelines on the audit process. The structured approach outlined in the standards may also help organizations understand their obligations and the steps necessary to achieve compliance, while the audit process can itself be a useful exercise to better comply with data regulations. 

Maintaining open lines of communication with the cybersecurity authorities and ensuring transparency throughout the audit process are crucial. Regular updates and feedback can help address any compliance issues promptly and demonstrate a company’s commitment to protecting PI.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.