China Law Library

Data Protection Compliance Audit Requirements in China

Chinese statutory law requires that data controllers perform data protection audits at regular intervals. Both the China Personal Information Protection Act and the Internet Data Security Regulations contain sections requiring that periodic audits be performed. Two regulations explain in detail how to implement the statutory requirement. They are:

These regulations were issued by the Cyberspace Administration of China with an effective date of May 2025. This article walks you through both the statute and the regulations, how they are enforced in practice, and how they affect your business’s obligations as a data controller.

Contents

  • Core Data Audit Rules
  • Events Necessitating a Data Controller Audit
  • Regulatory Agency Powers
  • Internal Team or Outside Firm for Audits?
  • Compliance Audit Challenges
  • Compliance Strategy for China Data Regulation

Core Data Audit Rules

The Audit Procedures establish a highly comprehensive set of personal data protection rules. Data controllers must perform an audit at least once every two years. This implements statutory rules requiring that a compliance audit be performed every two years by any organization that processes the personal information of over 10 million Chinese individuals.

The Audit Procedures do not establish periodic auditing requirements for organizations processing the personal information of fewer than 10 million persons, but they do require such data controllers to develop an audit plan appropriate to their business model that enables them to meet their data protection obligations. The Audit Procedures also mandate that data controllers processing the information of over 1 million individuals name a data protection officer to oversee compliance auditing.

The Audit Procedures do not set a minimum number of data subjects below which a controller is exempt from auditing, which means audit obligations always apply. However, data controllers with over 10 million individuals in China must submit two audit reports annually, the reasoning being that the large scale of their processing operations poses significant risks. The requirement is designed to ensure that such data controllers can rapidly discover and prevent issues like large data breaches in advance. Data controllers that handle the personal data of fewer than 10 million persons in China may determine an auditing interval appropriate to their own business model. When planning audit frequency for a particular business model, consider how the business units operate and how quickly their scale is increasing.

Events Necessitating a Data Controller Audit

China’s Audit Procedures provide that the events mandating a third-party audit are those that pose a risk of major impact on individuals’ rights, reveal material deficiencies in security measures, or may result in infringement of the rights of a large number of data subjects. The Procedures direct government regulators and other interested government agencies to require an audit by a third-party professional services firm in the event of a material incident.

Specifically, that refers to an incident involving the breach, manipulation, loss, or destruction of personal data where the processing operation involves over 1 million individuals, or involves sensitive personal information on over 100,000 individuals. The Audit Procedures require instituting regularized risk controls as part of the personal data auditing process. Businesses processing data on over 10 million persons in China must engage an independent outside firm to perform a comprehensive audit, and the resulting audit record and corrective action plan must be submitted to the regulator.

Businesses not falling into this category, i.e., those that process data on fewer than 10 million individuals, may choose a reasonable auditing frequency based on their data sensitivity, risk exposure, and volume. They are not required to use an independent outside firm; instead they may conduct audits internally, provided that all auditors have full professional independence.

When Outside Firms Are Required

A professional firm must be engaged to perform an outside audit and remediation in the event of a data breach involving the data of more than one million individuals or the sensitive data of over 100,000 individuals, or if the data security regulator in China otherwise determines the activity is high risk. Failure to comply can result in regulatory penalties. Audit plans, logs, reports, and corrections made should be kept on file, and a total lifecycle accountability process should be set up by linking it to supplier, HR, and accounting processes. The audit must designate a data protection officer to coordinate activities with the technical, legal, and business operations departments. That officer ensures the firm can perform oversight, is responsive to personal rights, and has a follow-up audit mechanism, so that the audit conclusion is translated into improved management that reduces operating and reputational risks.

Regulatory Agency Powers

Following from the above, a data protection agency is empowered to mandate that a business engage a firm to perform an external audit of any data processing activity. Nonetheless, it is possible that a business whose conduct triggers an external compliance audit will be permitted by the data protection agency to perform merely an internal audit.

Additionally, observe that regulatory penalties can be imposed personally on a responsible manager in the event of a data security incident that results in the exposure, modification, loss, or destruction of data on over 1,000,000 individuals, or of the sensitive personal data of over 100,000 individuals, and that causes damage to data subjects’ rights. These penalties can include a corrective action order, a warning, confiscation of illegal income, and fines, under the authority of the China Cybersecurity Act and the Personal Information Protection Act. The Audit Procedures empower data protection agencies, after such events, to require a business to obtain a compliance audit, share the report, and then take corrective action; the event can be declared a violation, and the agency can impose regulatory penalties in order to “immediately stop ongoing damage.”

You can expect that completing a compliance audit and taking corrective action at the direction of the data protection agency, in a way that prevents harm to data subjects’ rights, will result in forgiveness of further regulatory penalties that might otherwise be imposed.

Several Agencies Enforce the Law

China is expanding data protection agency enforcement activity, which results in higher compliance resource demands on business. A noteworthy evolution is that, under the Audit Procedures, oversight authority was broadened from “the Cyberspace Affairs Commission” to “data protection agencies,” which includes, in addition to the Commission, numerous other agencies responsible for personal data protection.

China’s rationale for these changes is that modern data protection is multi-disciplinary, requiring a diverse staff drawn from several regulatory agencies. These other agencies include the Ministry of Industry and Information Technology, which regulates data transmission security because it has special expertise in Internet data regulation, and the Ministry of Public Security, where police investigators work, which enforces criminal data processing law.

The Audit Procedures are intended to realize better personal data protection by using a multi-agency approach that provides total lifecycle oversight of activities including data collection, transit, and use, and that provides specialized assistance for personal data processor compliance audits.

Internal Team or Outside Firm for Audits?

Under the Audit Procedures, data controllers holding records on over one million data subjects in China must designate a personal data compliance officer and, if an audit is required, set up an independent team primarily comprised of staff from outside the business. The first step is to coordinate their work by involving all departments engaged in data processing and meeting to form a shared understanding of the nature and extent of the business’s processing activities.

Internal Teams

A structure that ensures the independence of the audit must be set up, which can be achieved by forming two teams to perform the audit: one for the business front office and the other for the compliance back office. The data controller can improve the independence, competence, and comprehensiveness of its audits by coordinating all departments responsible for different parts of the data life cycle to provide mutual supervision while maintaining their independence.

Outside Firms

You may be required by Chinese regulators to use an outside firm in some cases, because the Audit Procedures describe three different contexts in which a local government’s data protection agency can require a data controller to contract with an outside firm. Additionally, the Audit Procedures recommend that a business with a large number of users on a major Internet platform use an outside audit firm staffed primarily by people from outside the organization to deal with the volatile risks of personal data processing. They also emphasize the importance of audit firms’ independence.

Further, observe that the Audit Procedures encourage audit firms to obtain certifications and to have adequate staff, office space, facilities, and financing to demonstrate their professional audit capability. Only with these essential elements in place can they be deemed capable of producing adequate compliance audit reports.

A business ordering an audit will typically prepare an audit plan describing the scope of the audit and what its business model necessitates, which can then determine how to contract with a third-party professional services firm or other intermediary.

Compliance Audit Challenges

Audit Scope

The Audit Procedures focus narrowly on the duties of the data controller receiving Chinese individuals’ data; they do not address audits of contracted processors, recipients, or transferors. While this reduces the burden of the regulation, these parties’ close relationship with controllers implies that audits raise compliance implications when data is transferred to them. For example, a data controller must oversee a third-party processor’s activities, but being unable to inspect them directly during audits because of audit scope restrictions can allow illegal processing practices to be hidden by the third party.

Data controllers may need to consider implementing rigorous controls to more closely vet and monitor the third-party processors to which they transfer personal information, keeping audit trails. China’s data protection agencies are expected to begin looking at indirect oversight techniques to reduce the compliance burden of processing personal information in the future.

As discussed above, the Audit Procedures have changed the role of independent compliance audit organizations by adding higher compliance and process requirements. The audit deliverables prepared for a personal information processor by an independent audit organization must contain genuine and detailed information about the audit methodology, findings, and corrections, and must be available for oversight by the Chinese public. While these rules improve the Chinese public’s trust in tech companies, there are doubts about the trustworthiness of compliance auditors’ work.

Evidentiary Basis for Audit Conclusions

The privacy professional community in China, and increasingly regulators, criticize compliance audits as being mostly a sham focused on optics rather than actually protecting users and employees. The “independent” third-party professional services firms are mainly smoke and mirrors, even though they apply genuine professional expertise in issuing their opinions. The reality is that those audit reports are usually written to persuade regulators and the general public, or the auditors are hobbled by budget restrictions that force them to do limited testing designed to make the client look good without correcting problems.

Regulators in China are therefore aware that a compliance audit cannot provide assurance that its final report is free of material misrepresentations. At best, it provides assurance only that the firm’s auditors have found some amount of documentation supporting a conclusion that there is reasonable assurance the data processor has a certain level of compliance capability.

The audit conclusions cannot assure that the data processor is following the law; at most, the audit opinion can make claims about the nature of the data processor’s compliance programs and their effectiveness. The risk that the audit contains errors is significant. To avoid becoming the subject of future regulatory penalties, data controllers should instead target industry-wide compliance benchmarks and consider performing follow-up compliance reviews focused on solving actual problems.

Compliance Practices

The Audit Procedures and Audit Guidelines provide detailed specifications of how data protection auditing should be done and offer insight into the Chinese government’s compliance expectations. For example, the Audit Guidelines give businesses guidance about the expectations for providing notice. They contain granular data processing policy requirements that address the conspicuousness of consent notices by specifying sizes, fonts, and colors that are easy to read.

They assess compliance by looking at whether the notice is provided in several different ways, for example offline notice, labeling, or providing explanations. In another example, the Audit Guidelines list several practices to avoid when auditing organizations that process personal information that has already been made public.

For example, it is not acceptable to use publicly available information (phone numbers, email addresses) in ways unrelated to the original purpose for which it was made available, or to use publicly available information for cyberbullying or for spreading unverified or fake information. This provides a good reference for determining how to apply the standard of “reasonably processing personal information that was voluntarily made publicly available or otherwise lawfully obtained.”

In this respect, the Audit Procedures have numerous provisions that serve a compliance advisory function for businesses, showing how an effective personal information protection program can be set up in advance. However, some parts of the Audit Guidelines are too ambiguous, for example the rule against “providing personal data to organizations or individuals that have been added to a list restricting or prohibiting them from such access” when making cross-border data transfers.

Compliance Strategy for China Data Regulation

Businesses will need to think about how they will comply with the auditing requirements imposed by the Audit Procedures. The Audit Procedures do not contemplate any exemptions from the audit obligation; the review covers all data processing activities related to individuals in every kind of business operations context.

Thus, in practice, a review will cover all data processing activities performed internally by business units as part of operations, and processing for every different kind of data subject. This review should extend to users and customers processed as part of business operations, to internal employees, and to persons from business partners. Such a thorough review is necessary to minimize the risk that the audit overlooks certain data processing activities.

The Audit Guidelines set forth detailed rules on how to approach different audit contexts that involve special personal data processing activities, including joint processing, contracting a data processor, transferring, automated decision making, and processing publicly available data. How Chinese law defines these different data protection contexts is explained in detail in CBL’s article on whether a data processing agreement is needed.

Businesses should identify the use cases involving such activities for which auditing is required, then determine the mandatory obligations that follow from how each data processing activity is classified.

Setting Up the Audit Team

Businesses should set up internal teams to take preventative action, first identifying who should be a member of that team, and bearing in mind that an outside firm is required under the Audit Procedures for data controllers that provide significant Internet services, have many users, or are complex enterprises.

For both internal and external teams, you should make sure they have sufficient legal and compliance expertise in personal data protection, and the IT competence to determine whether personal data protection technology is deployed effectively for the business in China.

Secondly, the staff performing the audit function should be independent of the subject being audited and maintain their objectivity, i.e., avoid any conflict of interest that could bias the audit conclusion. They should not be involved in business planning or operations, nor be anyone with an ongoing legal dispute with the business. Data compliance audit teams will therefore have significant employee mobility, being dynamic and fluid as to who is staffed to a particular audit engagement. Nonetheless, businesses should have standards for the audit team structure to ensure that members are drawn from each of the compliance, IT, operations management, and legal functions. The audit team members will require access to confidential business and personal information; therefore, they should be required to sign an NDA, and the core audit team members should undergo a background check.

Drafting an Internal Management Policy

The Audit Procedures are intended to get businesses to proactively conduct internal audits on a regular basis, and they imply that a business will need to prepare an internal management policy incorporating their rules. Workflows and plans need to be established for staff in China to carry out both internal audits and regulatory audits. The policy should describe its applicability and the compliance auditing principles covering personal data protection, and define the functions and composition of the internal team.

The Audit Guidelines should be incorporated to fill out the audit goals, activities, frequency, reporting requirements, and how reporting will be done. Task functions and assignments should be delineated, such as delegating the review of lawful basis to legal professionals and the evaluation of technical measures to information technology professionals.

Note that performing an external audit mandated by a Chinese regulatory agency does not mean that everything is turned over entirely to the professional services firm conducting the audit. Instead, your internal teams should first hold meetings and discussions with the data protection agencies to understand the regulator’s requirements.

That internal team should designate individuals to receive regulators’ instructions and to report to senior management, so that the business can successfully implement the appropriate compliance changes within the expected time frame.

Process for Selecting and Managing Third-Party Audit Firms

The Audit Procedures specify certain qualification requirements for outside professional services firms that perform personal data protection audits, such as having adequate office space, personnel, facilities, and financing, and encourage firms to be certified. If using one, you should have an internal process in place for choosing a good professional services firm in China, because the audit has major value as a form of compliance self-certification. The business should set up a team to perform the selection and approval process, involving professionals from all interested company departments, typically compliance, legal, audit, and procurement.

Ideally, the firms selected should be ones that the government agencies responsible for Internet and information technology regulation have placed on their list of recommendations (if any), that hold qualification certifications, and that have a strong reputation in the market.

The business needs to sign an agreement with the firm that sets out the terms of the engagement, spanning the legal and ethical requirements for a professional services firm providing compliance audit services under China law. It should include:

  • Professional judgment exercised must be candid, impartial, and objective;
  • There is a duty of confidentiality as to all personal information, business information, and trade secrets learned during the personal data protection audit engagement;
  • No disclosure or unauthorized provision of data to any person;
  • The firm must delete all the data upon completion;
  • No subcontracting of compliance audit work to any other firm.

The Audit Procedures also contain a practice management rule under which the same professional services firm cannot perform three consecutive personal data protection audits of the same subject. Business management should therefore monitor how long it has been working with a given outside firm and replace it before that happens.

Necessary Preventative Action (i.e. DPIAs)

Personal data protection audits are closely related to internal controls such as the Data Protection Impact Assessment (DPIA) process, responding to individuals’ complaints, and designating a data protection officer. The Audit Guidelines give businesses a clear warning about what will come under regulatory scrutiny when the China Personal Information Protection Act is enforced.

Firstly, data protection auditing requires performing a DPIA, which businesses are already supposed to do, but in practice most businesses are not doing DPIAs at all. The Audit Procedures are intended to send a clear message to businesses that DPIAs are required. See CBL’s article on Data Privacy Impact Assessments in China to learn more about that process.

The Audit Procedures include provisions describing how the audit must look for “whether there is a mechanism to allow individuals to submit a request to exercise their rights.” The current practice among managers in China has been to use privacy policies that superficially describe a mechanism and channel by which individuals can submit requests to protect their rights, without having an internal process for resolving those requests. Businesses will therefore need to check whether their inquiry mechanism is backed by a process for resolving data protection requests and, if not, set up an internal process that assigns duties for receipt, review, resolution, and response.

Next, the audit must review the business’s performance to confirm that each individual’s data protection rights request is resolved, or receives an appropriate resolution, within the statutory deadline.

Conclusion

The purpose of personal data protection auditing in China is to ensure that organizations process personal data in a manner that is both lawful and secure, balancing the interests of data utilization and individual rights in a way that supports the digital economy.

This governance approach underpins China’s digital transformation initiative, aiming to use oversight to improve business compliance while incentivizing innovation, in order to achieve the policy goals of modernizing government and sustainably improving China’s economic development.

FURTHER READING

When do you need a Data Processing Agreement (DPA) in China?

Drafting a China Data Processing Agreement (DPA)