The Cyberspace Administration of China (CAC) has issued new measures for personal information protection compliance audits to take effect on 1 May 2025, which will establish a comprehensive framework for personal information protection audits in China.
Audit requirements
Mandatory audits: the measures mandate audits in two scenarios:
- Regular periodic audits: organisations processing personal information of more than ten million individuals must conduct compliance audits at least once every two years.
- Triggered audits: the CAC and other relevant authorities may require organisations to conduct audits through professional institutions when:
- Serious risks affecting personal rights or significant security deficiencies are identified;
- Processing activities may infringe upon the rights of numerous individuals;
- Security incidents result in the leak, tampering, loss, or damage of:
- Personal information of over 1 million individuals, or
- Sensitive personal information of over 100,000 individuals.
Voluntary Audits: organisations may voluntarily conduct audits through either:
- Internal departments; or
- Professional institutions.
Organisational requirements
- Organisations processing personal information of over one million individuals must designate a personal information protection officer;
- Major internet platform operators with large user bases and complex business types must establish independent oversight bodies primarily composed of external members.
Audit institutions
Professional audit institutions must:
- Possess appropriate capabilities, personnel, facilities, and funding;
- Maintain confidentiality of obtained information;
- Not subcontract audit work;
- Not conduct more than three consecutive audits for the same entity.
Audit scope
All audits must follow the guidelines appended to the measures, which cover:
- Legal basis for processing;
- Processing rules and notification procedures;
- Handling of sensitive information;
- Cross-border data transfers;
- Security measures;
- Internal management systems;
- Emergency response mechanisms.
Compliance and enforcement
Violations may result in penalties under the Personal Information Protection Law and other relevant regulations.
The full text of the measures can be found here.
For more information on these measures and guidelines, contact your CMS client partner or these CMS experts.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.