
Highlights of the Compliance Audit Requirement in the “Administrative Measures for the Personal Information Protection Compliance Audit (Comment Draft)”

by admin / Saturday, 21 June 2025 / Published in Research and Insights

To provide guidance on, and strengthen regulation of, compliance audit activities for personal information protection, the Cyberspace Administration of China issued the “Administrative Measures for the Personal Information Protection Compliance Audit (Comment Draft)”, together with its annex, the “Reference Points for Compliance Audit of Personal Information Protection”, for public comment.

Avista has extracted some key provisions and added interpretation from an internal control perspective, to give personal information processors a better understanding of the regulatory requirements for personal information protection compliance audits.

What is personal information protection compliance audit?

As stated in the Management Measures, the Compliance Audit is a supervisory activity that reviews and evaluates whether the personal information processing activities of a personal information processor comply with the applicable personal information protection laws and regulations.
The Compliance Audit should clearly define the types of personal information within scope, which include general personal information and sensitive personal information.

General Personal Information

Personal basic information, general identification information, online identity information, personal education and work information, personal communication information, contact information, personal internet usage records, commonly used personal device information, personal location information, and other information.

Sensitive Personal Information

Biometric information, religious beliefs, specific identity, medical and health information, financial accounts, whereabouts and tracks, and personal information of minors under the age of fourteen.

Why conduct the Compliance Audit?

Article 54 and Article 64 of the PIPL stipulate the legal obligations to conduct regular compliance audits and special compliance audits. Any company that fails to fulfil its obligation to conduct compliance audits is subject to punishment under Article 66 of the PIPL, including confiscation of illegal proceeds, suspension of business, fines, and revocation of business qualifications.

Who should conduct Compliance Audit?

Articles 4 and 6 of the Management Measures set out the criteria and categorise the Compliance Audit, as required by the PIPL, into regular compliance audits and special compliance audits, which are summarised as follows:

Who is the appropriate person to conduct the Compliance Audit?

1) Audit agencies
Articles 5 and 7 of the Management Measures define the appropriate person as follows:

2) Audit approach comparison

3) Requirements for professional agencies
Pursuant to the Management Measures and the Reference Points, to ensure the objectivity of the Compliance Audit, a professional agency should not perform the Compliance Audit for the same entity for more than three consecutive years.
Except for certain enterprises that require official verification of their information security capabilities and technical measures, the main focus of the Compliance Audit is risk evaluation and review of internal control systems. Enterprises can therefore choose consulting agencies with expertise in internal control review and consulting and with considerable experience in the risk and compliance advisory industry.

What are the work processes of the Compliance audit?

What are the key focuses of the Compliance Audit?

1) Key policies and systems
We have summarised some key policies and systems that the Compliance Audit should focus on, including but not limited to the following:

2) Audit focuses for different industries
Financing and money-lending

Online platform service

Retail

Conclusion

The Management Measures provide clear guidance on how enterprises should conduct the Compliance Audit. Enterprises should be aware of the importance of the Compliance Audit and treat it as a tool to identify and manage potential risks in personal information processing activities, ensuring that they operate in compliance with the applicable laws and regulations.
Avista Risk Advisory is aware of the rapid development of laws and regulations on personal information protection in recent years. By leveraging our deep understanding of the regulatory requirements for personal information protection, Avista can provide enterprises with professional, comprehensive and practical solutions for the Compliance Audit, as well as for enhancing personal information protection governance in line with the latest regulatory requirements.
