China Is About to Beef Up Personal Data Protection Audits
Raymond Wang and Yihan Zang of Shihui Partners discuss China’s proposed new national standard for data protection audits, which represents the latest enhancement of personal data protection in the country.
Data protection audits are measures widely recognised by international regulators to ensure that businesses comply with personal data protection regimes. China’s Personal Information Protection Law (PIPL) also requires data controllers to periodically audit their compliance with laws and regulations concerning the processing of personal data. However, when the law was enacted in 2021, this provision was not accompanied by any implementation rules, rendering it temporarily dormant.
This situation is now being reversed by the latest rule-making efforts. In particular, on 12 July 2024, China’s National Information Security Standardisation Technical Committee released the draft version of a recommended national standard: the Data Security Technology - Personal Information Protection Compliance Audit Requirements (the “Draft National Standard”), which aims to provide practical guidance at the national level on how such audits should be conducted.
What Are the Highlights of the Draft National Standard?
Supervision v risk assessment
The Draft National Standard views personal data protection audits as a formal, independent supervisory activity. It differs from, and is not intended to replace, a company’s general risk assessment and risk monitoring concerning personal data protection. It serves as a thorough wellness check on the robustness of the company’s data protection programme as implemented, focusing on identifying deviations from legal requirements.
Guidance for internal and third-party auditors
While the Draft National Standard considers useful content from mature international data protection audit rules, such as those of the European Data Protection Supervisor (EDPS), the UK’s Information Commissioner's Office (ICO), and France’s Commission nationale de l'informatique et des libertés (CNIL), there is a fundamental difference: these international rules are intended to provide guidance on audits conducted by regulatory authorities, but the Draft National Standard’s audience is data controllers and third-party auditors, because under the PIPL, the duty to carry out the audits remains with the controllers.
To this end, the Draft National Standard sets forth more detailed and comprehensive rules on the principles, procedures, items, methodologies and evidence of such audits, and the requirements and authority of the auditors. Notably, it includes a detailed appendix associating audited items with the recommended methodologies and evidence.
How to Conduct an Audit Pursuant to the Draft National Standard?
Institutional requirements
The board of directors (including the audit committee), the data protection officer, or the principal of the company is obliged to establish and maintain the audit mechanisms and holds ultimate responsibility for the independence and effectiveness of such audit mechanisms.
When determining the composition of the specific team for each audit, the company should consider multiple factors, including the size and nature of the business; the volume, categories and sensitivity of the personal data; and the complexity of the internal systems involved. If the company has a dedicated personal data protection audit group, team members should generally be selected from the group. Where there is no dedicated group, team members should be selected from the internal audit team, the security team, the legal team, and other teams with audit or data capabilities. A cross-departmental team is preferred as it is better placed to maintain its independence. The company may also engage a third-party professional institution to carry out the audit.
Audit process
The Draft National Standard breaks down a typical audit into the following stages: planning, preparation, implementation, reporting, rectification, and archival, and provides detailed guidance on each stage.
- Planning is different from preparation as the former is a higher-level effort, focusing on determining the targets, scope, and priorities of the audit; the latter focuses on the detailed steps.
- Reporting is the process of issuing audit conclusions. Before drafting the audit report, any objections to the audit conclusions should be promptly discussed and addressed, and the discussion results should be archived along with the audit conclusions.
- Rectification occurs only after reporting. Consistent with the supervisory nature of the audit process, a company is not allowed to take remediation measures during the audit in order to obtain an all-clear report.
Audit evidence
The collection and analysis of evidence are key parts of the audit. All audit findings must be substantiated by evidence (or the lack thereof). The Draft National Standard imposes various requirements for the validity of different types of evidence, as summarised in the table below.
What Are the Implications?
As the Draft National Standard will be finalised soon, the obliged data controllers need to start preparing for such audits. These controllers should familiarise themselves with the detailed requirements in the standard, and build the capabilities not only to conduct the audits, but also to pass them. Notably, as such audits are highly reliant on evidence, controllers are advised to maintain detailed written records evidencing their implementation of compliance programmes, as part of their day-to-day operations.