China’s Personal Information Protection Audit - When Is It Required and How to Conduct It?

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

BACKGROUND

China has continued to enhance its personal information protection framework by introducing new regulations, measures and guidelines that help organisations navigate the compliance audit process. This article explores (1) when audits are mandated or recommended, (2) the scope of these audits, and (3) practical methodologies for effective implementation.

KEY PROVISIONS AND OBSERVATIONS

1. Regulatory and Legislative Overview

The primary basis for mandatory personal information protection audit requirements is found in Articles 54 and 64 of the Personal Information Protection Law of the People’s Republic of China (“PIPL”), which became effective on 1 November 2021. Under these provisions, personal information processors may be required to conduct periodic compliance audits or to respond to specific requests from the Cyberspace Administration of China (“CAC”) or other authorities. Article 27 of the Regulations on Network Data Security Management likewise requires network data processors to conduct audits—directly or through a professional institution—to comply with relevant laws and regulations (together, the “Audit Requirement”).

In February 2025, the CAC published the official version of the Measures for the Administration of Compliance Audits on Personal Information Protection (the “Measures”), which took effect on 1 May 2025, nearly two years after the initial draft was released. Alongside the main text, the Measures include an annex — the Personal Information Protection Compliance Audit Guidelines (the “Measures Guidelines”), providing additional clarity on implementing the required audits.

Around the same time, the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (“TC260”) issued the Cybersecurity Standard Practice Guidelines: Personal Information Protection Compliance Audit Requirements (the “TC260 Guidelines”) on 26 May 2025. While the Measures and Measures Guidelines are legally binding, the TC260 Guidelines are not mandatory unless explicitly incorporated into relevant laws, regulations, or contractual agreements.

Together, these laws, regulations, and guidelines form an integrated framework for personal information protection audits in China. The following sections will address how organisations can implement these requirements effectively.

2. Territorial Application

According to Article 2, the Measures apply to personal information protection compliance audits conducted within the territory of China. Consequently, any personal information processor located in China that is subject to the Audit Requirement falls under the scope of the Measures.

However, questions arise for organisations with no physical presence in China yet subject to the PIPL’s extraterritorial provisions because they:

  • Process personal information of individuals located in China to offer products or services to them, or
  • Analyse or assess the behaviour of individuals located in China.

It remains unclear whether such organisations can meet the Audit Requirements by referring to the Measures. Further clarification on this point would be valuable for foreign businesses without any presence in China seeking to conform to the Audit Requirements.

3. When Are Audits Mandatory or Recommended?

3.1. Periodic Audits

Personal information processors are required or recommended to conduct periodic audits, depending on the number of individuals whose personal information they handle:

  • Processors handling personal information of over 10 million individuals: An audit is required at least once every two years.
  • Processors handling personal information of 1 million to 10 million individuals: Audits are recommended every three to four years (not mandatory).
  • Processors handling personal information of less than 1 million individuals: Audits are recommended every five years (not mandatory).

A significant challenge is determining when and how to calculate the initial audit period. The Measures do not clarify whether the starting point should be 1 May 2025—the date they took effect—or another reference date, potentially leading to inconsistent practices. In the meantime, organisations may need to rely on self-assessment or professional guidance until formal clarification is provided.

3.2. Authority-Mandated Audits

The CAC or other personal information protection authorities (collectively, “Protection Authorities”) can require an audit if:

  • Personal information processing poses major risks, such as seriously affecting personal rights and interests or severely lacking security measures.
  • The processing may infringe upon the rights and interests of a large number of individuals.
  • A personal information security incident has occurred, resulting in leakage, alteration, loss, or damage involving over 1 million individuals’ personal information or over 100,000 individuals’ sensitive personal information.

However, the thresholds for terms like “major,” “seriously,” and “a large number” lack precise definitions, adding ambiguity to these requirements. The most relevant legal reference for interpreting such terms might be the Administrative Measures for the Reporting of Cybersecurity Incidents (Draft for Comment) published in 2023.

If mandated by a Protection Authority, the audit must be carried out by a professional institution rather than by internal departments. Processors must bear the related costs, complete the audit within the specified time frame (which may be extended with approval from the Protection Authority), submit the resulting audit report to the relevant authority, and submit a report on the rectification status to the Protection Authority within 15 working days of completing the rectification. There are also formatting requirements for the report, such as signature by the head of the professional institution and by the compliance audit officer, and stamping with the professional institution’s official seal.

4. Additional Requirements for Specific Entities

4.1. Appointment of a Personal Information Protection Officer

A personal information processor that processes personal information of more than 1 million individuals is required by the Measures to appoint a Personal Information Protection Officer. According to the Measures Guidelines:

  • The appointed officer(s) should have appropriate expertise and experience in data protection.
  • Their responsibilities and authority must be clearly defined, including the right to be involved in major decisions relating to personal information processing.
  • They may halt non-compliant practices and enforce corrective measures.
  • Their name and contact details should be submitted to the Protection Authorities and made publicly available.

4.2. Independent Oversight Department for Large-Scale Platforms

Personal information processors that offer essential internet platform services, have a large user base, or operate complex business models must establish an independent department—primarily composed of external members—to oversee audits.

The TC260 Guidelines recommend that any “large-scale online platform”—defined in part as having over 50 million registered users or more than 10 million monthly active users—evaluate whether it meets these criteria. While terms like “complex” and “important” remain vague, user thresholds provide helpful guidance for certain businesses.

5. Methodology: How to Conduct an Effective Audit

The Measures do not provide specific guidance on the audit methodology itself. However, the TC260 Guidelines suggest six key steps:

Step One: Develop an Audit Proposal

  • Determine the audit goals and scope.
  • Determine the audit basis and focus.
  • Submit to the person in charge for approval.

Step Two: Prepare for the Audit

  • Define the target of the audit, objectives, and scope.
  • Form an audit group and appoint its leader.
  • Conduct pre-audit investigations.
  • Determine audit methods and approaches.
  • Prepare and review detailed audit work plans.

Step Three: Implement the Audit

  • Send audit notifications.
  • Collect audit evidence.
  • Admit audit evidence.
  • Draft audit working papers.
  • Confirm audit findings.

Step Four: Compile an Audit Report

  • Resolve disagreements before drafting the audit report.
  • Draft the audit report.
  • Deliver the audit report.

Step Five: Rectify Non-Compliance Items

  • Make corrections within the prescribed period.
  • If necessary, conduct a follow-up audit on the completion and effectiveness of the correction measures.

Step Six: File and Archive

  • Properly store personal information protection compliance audit manuscripts, reports and other archival materials.

CONCLUSIONS AND RECOMMENDATIONS

The framework for personal information protection audits in China has evolved through concerted efforts by various authorities. This system clarifies major audit checkpoints and procedures, assisting businesses in understanding the relevant requirements and expectations. It also underscores the importance of data protection, guiding companies to adopt stronger internal controls and governance protocols. As regulation continues to mature, personal information protection audits will be integral to maintaining a healthy digital economy.

In light of the evolving regulatory landscape, for companies operating within or engaging with China, adhering to these Audit Requirements is crucial. By taking proactive measures and establishing comprehensive audit frameworks, organisations can limit legal liabilities, uphold high standards of data protection, and ensure accountability to regulators and the public alike.

This article was co-authored by Yiting Wang (Associate, Beijing).
