New Audit Requirements for Businesses to Comply with China’s Data Protection Law

31/03/2025

 

As China’s data protection regulatory framework evolves further, it has become clear that businesses in China must integrate personal information protection compliance audits (PIPC audits) into their data compliance procedures and maintain records as proof of compliance.

 

China’s top data protection regulator, the Cyberspace Administration of China (CAC), has recently issued new rules clarifying the personal information processors’ legal obligations to conduct audits demonstrating compliance with the Personal Information Protection Law (PIPL). This obligation, initially established in the PIPL in 2021 and reaffirmed by the Regulations on the Management of Cyber Data Security in 2024, is now further refined in the Administrative Measures for Personal Information Protection Compliance Audits (Audit Measures). These rules will come into effect on 1 May 2025 and provide much-needed clarification on how the legal requirements should be implemented.

 

This article outlines the essential elements of the PIPC audits under the Audit Measures, and aims to help businesses prepare for the upcoming compliance audits.

Scope of the PIPC audits

The PIPC audit is a statutory obligation for all personal information processors in China, except for state agencies and organisations authorised by laws and regulations to manage public affairs. However, there are two sets of standards and requirements, and which one applies depends on the type of company.

 

Companies whose data processing poses significant risks, or has the potential to harm the rights of a large number of individuals, may be required by the regulators to conduct a more stringent and bespoke PIPC audit. These are known as “regulatory-required audits”. Absent such a regulatory request, companies must conduct the so-called “self-initiated” audit procedure.

 

The table below sums up the key requirements for both self-initiated and regulatory-required audit procedures.

Specific requirements

The PIPC audits evaluate compliance across the entire data lifecycle, with a focus on several key areas:
•    the legal basis for personal information processing activities;
•    processing rules;
•    personal information processing under special circumstances;
•    protection of data subjects’ rights;
•    performance of personal information processors’ obligations; and
•    response to security incidents.

 

The appendix of the Audit Measures specifies detailed guidelines for personal information processors to conduct the PIPC audits. In addition to following these guidelines, PIPC audits should consider the business characteristics and scenarios of relevant businesses and align with industry-specific regulatory requirements.
 

Impact on foreign companies

For foreign businesses operating in China, compliance with the audit requirements is not just a legal obligation, but a strategic necessity. Conducting PIPC audits helps businesses strengthen their data protection compliance systems, because it puts in place a comprehensive monitoring framework that effectively mitigates the risk of infringing individuals’ data rights.

 

PIPC audits can serve as critical evidence that companies have taken appropriate measures to protect personal data when facing regulatory scrutiny or legal challenges. They are also essential for establishing a clear foundation for data ownership and for managing data as a valuable business asset.

 

Conversely, failing to conduct PIPC audits in accordance with the Audit Measures can result in severe legal consequences, including administrative penalties, civil damages and even criminal liability.

How Thornhill Legal can help navigate the Audit Measures

At Thornhill Legal, we understand the complexities and challenges these new requirements present. Our team is equipped to guide you through the compliance audit process, ensuring that your business meets China’s evolving data protection standards. The wide range of services we can offer includes:
•    conducting PIPC audits to help the business comply with mandatory requirements in specific commercial circumstances;
•    providing legal opinions and reports to evaluate the company’s compliance;
•    offering strategic data governance advice tailored to your business settings; and
•    crisis management and incident response in the event of data security incidents.

Key contacts / Authors

Yuhua YANG: yuhua.yang@thornhill-legal.com

April XIAO: april.xiao@thornhill-legal.com

Rhea YU: rhea.yu@thornhill-legal.com
 

© Copyright Thornhill Legal Ltd. All rights reserved.