[China] Finalised “Cybersecurity Standard Practice Guidelines - Personal Information Protection Compliance Audit Requirements”
What
On 26 May 2025, TC260 issued the finalised “Cybersecurity Standard Practice Guidelines - Personal Information Protection Compliance Audit Requirements”, just 13 days after they closed the public consultation on the second draft.
While the finalised version is just 6 pages longer than the second draft, it is still a huge 109 pages long.
Most of the changes to the second draft seem to be stylistic in nature, but there are a few substantive ones.
Key / interesting substantive changes spotted
#1. TC260 seems to be concerned about the quality of auditors performing the compliance audit.
The finalised Requirements now define the term “auditors”. It refers to “personnel in [PI] handlers or professional institutions who have the ability to conduct [PI] protection compliance audits and independently review and evaluate whether [PI] processing activities comply with laws and administrative regulations”.
There’s also a new compliance audit principle of “professionalism”: professional institutions and auditors should have the ability to conduct audits on PI protection, have the professional knowledge and skills to perform compliance audits, and have a deep understanding of relevant laws and regulations.
#2. There are a couple of other new definitions in the Requirements, and I wonder if it’s just so that people don’t get confused between the terms “audit findings” (审计发现) and “audit conclusions” (审计结论), and what the “audit report” (审计报告) is supposed to contain.
“Audit findings”: Facts, differences, risks or issues related to the audit object identified by compliance auditors after performing audit procedures.
“Audit conclusions”: After completing the PI protection compliance audit, the compliance auditors make a formal evaluation and judgment on whether the audit object (such as PI handlers, PI processing activities) complies with laws and administrative regulations.
“Audit report”: The compliance auditor shall communicate the conclusions, findings and suggestions of the PI protection compliance audit to the report users (such as PI handlers and departments that perform PI protection duties) based on the final written document compiled from the audit working papers.
#3. Instead of a chunk of obligations that seemed to apply to both external auditors and companies conducting internal audits, the finalised Requirements now impose obligations specific to professional organisations conducting compliance audits:
They cannot delegate the work to other organisations.
The organisation, its affiliates, and the person in charge must not conduct compliance audits on the same audit object for more than three consecutive times.
PI, trade secrets, confidential business information, etc. obtained during the audit must be kept confidential, and relevant information must be deleted in a timely manner after the audit is done.
[All three obligations appear in Articles 13-15 of the PI Protection Compliance Audit Management Measures, which are mandatory.]
#4. The finalised Requirements also impose obligations specific to PI handlers conducting compliance audits on their own. Some existed in the second draft, some are new:
A PI handler that processes PI of >1m people must designate a PI protection officer to be responsible for the PI protection compliance audit.
[New]
A PI handler that provides important Internet platform services, has a huge number of users, and has complex business types (such as large network platforms) must establish an independent organisation mainly composed of external members to supervise the PI protection compliance audit. [This appears in Article 12 of the PI Protection Compliance Audit Management Measures.]
Note: A large network platform refers to a network platform with >50m registered users or >10m monthly active users, complex business types, and network data processing activities that have a significant impact on national security, economic operation, national economy and people's livelihood. [This definition does not appear in the Measures, but it is not new and comes from the Regulation on the Management of Network Data Security, which came into force on 1 Jan 2025. It’s very helpful that the finalised Requirements repeat the definition here. My previous paid subscribers can refer to a post I had written about the Regulation in 2024: https://dgcbriefings.substack.com/p/china-regulation-on-the-management]
[New]
Formulate a PI protection compliance audit management system, clarify the organisation, personnel, methods, content basis, scope and frequency of PI protection compliance audits, as well as the responsibilities and authority of compliance auditors. [The “management system” is briefly mentioned in section 19 of the PI Protection Compliance Audit Guidelines.]
Ensure that PI protection compliance audits have the necessary resources and authority, including reasonable compliance audit budgets and human resources plans, as well as necessary office space, systems, equipment, etc.
Ensure the independence of personal information protection compliance audit activities. Auditors should not participate in the management or decision-making of the audited objects, and the audit report should be reported directly to the board of directors or the security compliance committee.
Establish and improve the PI protection management system, security technical measures, processing records, operation behavior logs, supervision and inspection records, test evaluation reports and other compliance audit evidence systems for personal information protection compliance audits to review and evaluate.
Prepare appropriate PI protection compliance audit-related tools to improve the efficiency and quality of PI protection compliance audits.
[In the second draft, Items 4-7 applied to both internal and external auditors.]
#5. The second draft requires auditors to consider specific factors in preparing audit plans. These do not appear in the finalised Requirements. They are:
Key processes that are highly dependent on PI processing;
The organisational structure and strategic goals of PI handlers;
Long-term and short-term plans for PI protection;
Business forms, business processes and changes that are closely related to PI processing activities;
Problems found in PI compliance audits in the past three years and rectifications;
PI security incidents that have occurred in the past three years;
Complaints and reports related to PI;
Specific technologies related to PI processing activities;
PI involving special groups;
Other factors that affect the conclusions of PI protection compliance audits.
[I have mixed feelings about the removal of these factors. On the one hand the factors usefully highlight possibly problematic areas. On the other hand the factors are too granular to have as mandatory requirements, and should take the form of guidance instead.]
Other comments
In my post on the second draft, I had said that section 6 was akin to an audit manual. The CAC seems to see the Requirements in this light - in a Q&A with reporters on the PI Protection Compliance Audit Management Measures on 27 May, a reporter asked if there was any operational guide for conducting PI protection compliance audits. The CAC said that PI handlers and professional institutions could refer to the Requirements.
Original Chinese announcement
Original Chinese Cybersecurity Standard Practice Guidelines - Personal Information Protection Compliance Audit Requirements (V1.0-202505)