This second post on the ‘Measures for Personal Information Protection Compliance Audits’:
- Extracts key / interesting points from “Expert Interpretations” (专家解读) written by:
  - Wang Zhicheng, Deputy Director of the Data and Technology Security Center, CAC
  - Du Anning, Deputy Secretary-General of the China Cybersecurity Association
  - Fan Kefeng, Deputy Director, China Electronics Standardization Institute
  - Ding Xiaodong, Professor at the Law School of Renmin University of China, Vice President of the Future Legal Research Institute
  - Zhao Jingwu, Associate Professor and Assistant Dean, School of Law, Beihang University
- Shares some helpful pointers from the privacy community
Key / interesting points from “Expert Interpretations” (专家解读)
Wang Zhicheng, Deputy Director of the Data and Technology Security Center, CAC
To implement the legal and regulatory requirements in the PIPL and Cybersecurity Data Management Regulations requiring compliance audits, the Measures list 27 key audit focus areas.
[This signals to me that the ‘Guidelines for Personal Information Protection Compliance Audit’, which contain the 27 areas, are not just guidelines, but must be used. Also, they are key focus areas but only key areas. You might or should be audited on other matters.]