China's Data Regulator Clarifies Audit, Data and Protection Officer Requirements
China’s data regulator provided new clarity on audit and data protection officer requirements, issuing Measures for the Administration of Personal Information Protection Compliance Audits, according to a Morrison Foerster blog Monday.
"The Personal Information Protection Law (PIPL) requires the conduct of audits (Audits) to evaluate compliance with PIPL and other applicable privacy and data security laws and regulations but provides little detail on the standards to be met and procedures to be followed in the conduct of Audits," the lawyers said.
The Cyberspace Administration of China (CAC) issued the measures 18 months after the draft version, which was published in August 2023 for public comment. They are set to take effect May 1, said the bloggers, who noted the measures include a guide with "detailed requirements on the capabilities of professional agencies" qualified to offer auditing services. The measures specify that a handler processing the personal information of one million or more people must appoint a data protection officer, the lawyers said.
"We expect the CAC’s power to require the conduct of Mandated Audits and to review records of Regular Audits will be significant tools for the CAC in its policing of individual companies’ data processing practices," the lawyers said. "Conducting regular, robust Audits can help a company demonstrate its compliance with PIPL to regulators in the event of an inspection and to data subjects in the event of a claim. Companies operating in China should incorporate Audit programs into their broader privacy compliance frameworks and properly distinguish such programs from other assessment requirements."