New Guidelines for Personal Information Protection Audits – Clarifying Requirements and Processes

Written by Arendse Huld | Reading time: 8 minutes

New guidelines for carrying out personal information audits clarify crucial requirements, including the mandatory frequency of audits, the appointment of audit personnel, and documentation and archiving maintenance. As of May 1, 2025, all companies processing certain volumes of personal information are required to conduct regular audits to ensure compliance with China’s personal information protection regulations. The guidelines provide a detailed step-by-step process for carrying out the audits.


On May 26, 2025, the National Cybersecurity Standardization Technical Committee released two guides for carrying out personal information (PI) protection audits.

Since May 1, 2025, companies handling certain volumes of PI in China are required to conduct regular audits to assess whether their operations comply with China’s data and PI protection regulations, including the Personal Information Protection Law (PIPL) and the Network Data Security Management Regulations. 

The first guide – the Cybersecurity Standard Practice Guide – Personal Information Protection Compliance Audit Requirements – proposes the general principles for conducting compliance audits, clarifying a range of matters such as the required frequency of audits, appointment of personnel for PI audits, and evidence collection and documentation maintenance. It also provides a detailed step-by-step guide for the audit process, from pre-audit preparatory work to audit implementation and archiving management. 

The second guide, titled the Cybersecurity Standard Practice Guide – Service Capability Requirements for Professional Institutions for Personal Information Protection Compliance Audits, is aimed at professional agencies that are hired to conduct audits on behalf of companies. 

In this article, we focus on the former guide that outlines requirements for companies that choose to conduct PI compliance audits by themselves.


Background: Mandatory PI protection audits 

Article 54 of the PIPL stipulates that PI processors must conduct regular audits to determine whether their handling of PI complies with China’s PI protection laws and regulations. On May 1, 2025, a new set of measures outlining the requirements for conducting these audits came into effect.

These measures (the Measures for the Administration of Compliance Audits on Personal Information Protection) permit companies to either appoint an internal department or a third-party agency to conduct the audit. They also provide more details on which companies are required to carry out compliance audits and how frequently they must be conducted, as well as the required scope of the audit. Under certain circumstances, the cybersecurity authorities may also require companies to appoint a professional institution to conduct the audit on their behalf. 

The measures were released along with a set of guidelines that provide additional details on how to conduct the audits, including the different activities that must be reviewed to assess whether the company complies with requirements on the legal basis for PI processing, PI processing rules, and rules on cross-border data transfer. 

The new guidelines offer more detailed requirements for compliance audits, including audit frequency for companies handling smaller volumes of PI, mandatory appointment of qualified compliance auditors with specified experience levels, and comprehensive evidence and documentation standards. 

General requirements for conducting compliance audits 

Companies that choose to conduct compliance audits on their own must meet certain basic requirements before they can proceed with the audits. These requirements are stricter if the company processes larger volumes of PI, or is otherwise considered to be large-scale or involved in activities of national interest.

First, if a company processes the PI of more than 1 million people, it must designate a PI protection officer to be responsible for the compliance audit.

Second, companies that are considered “large network platforms” (internet platforms with more than 50 million registered users or more than 10 million monthly active users, complex business types, and internet data processing activities that have a significant impact on national security, economic operation, the national economy, and people’s livelihoods) must establish an independent organization, mainly composed of external members, to conduct compliance audits.

Companies that conduct self-audits are also required to formulate a compliance audit management system to clarify the organization, personnel, methods, content basis, scope, and frequency of the protection compliance audits, as well as the responsibilities and powers of compliance auditors. 

Other general requirements for companies are summarized in the table below. 

General Requirements (Applicable to All Self-Auditing Companies)

| Category | Requirement |
|---|---|
| Personnel independence | Auditors must not be involved in the management or decision-making of the audited object; reports should be submitted directly to the board or compliance committee. |
| Internal systems | Must establish PI protection audit systems specifying audit personnel, methods, frequency, content, responsibilities, etc. |
| Resources | Ensure the necessary budget, personnel plans, facilities, systems, and equipment for audit activities. |
| Audit evidence | Must maintain effective audit evidence, including system logs, access records, technical reports, certifications, and other documentation that reflects true operations. |
| Documentation | Must maintain detailed audit plans, working papers, and audit reports with clear conclusions, observations, and recommendations. Templates in Appendices B and C can be referenced. |

Audit frequency and personnel appointment 

The guide also stipulates how often a company must carry out a compliance audit. While the measures stipulate that companies processing the PI of more than 10 million individuals in China are required to conduct a compliance audit at least once every two years, the guide provides a further breakdown of the frequency required based on the volume of PI being processed: 

  • Large entities (those processing the PI of over 10 million people): At least once every two years.
  • Mid-sized entities (those processing the PI of between 1 million and 10 million people): At least once every three to four years, reasonably determining the frequency based on PI compliance risks, the PI volume, business scale, and so on.
  • Small entities (those processing the PI of up to 1 million people): At least once every five years, reasonably determining the frequency based on PI compliance risks, the PI volume, business scale, and so on. 

Companies processing over a certain volume of PI are also required to appoint personnel of varying experience levels to act as compliance auditors.

There are three experience levels: junior (初级), intermediate (中级), and senior (高级). If a company conducts audits by itself, its compliance auditors must meet the following criteria: 

  • For companies that process the PI of more than 10 million people: At least 10 PI compliance auditors, of which at least one must be senior level and at least three intermediate level.
  • For companies that process the PI of between 1 million and 10 million people: At least five PI protection compliance auditors, of which at least two should be intermediate level or above. 

Compliance Audit Requirements by Company Scale and PI Volume

| Category | User/PI volume | Service type | Audit personnel requirements | Audit frequency | Other requirements |
|---|---|---|---|---|---|
| Small-scale entities | ≤ 1 million individuals | General | Not specified | At least once every 5 years; risk-based | Audit independence, audit system, tools, and documentation required |
| Mid-scale entities | > 1 million and ≤ 10 million individuals | General | ≥ 5 audit personnel, ≥ 2 with intermediate or senior qualification | At least once every 3-4 years; risk-based | PI protection lead required; internal systems and audit tools needed |
| Large-scale entities | > 10 million individuals | General | ≥ 10 audit personnel, ≥ 1 senior and ≥ 3 intermediate | At least once every 2 years | Must have PI protection lead; stricter controls, resource allocation, and independent audit required |
| Important internet platforms | ≥ 50 million registered users OR ≥ 10 million MAUs | Complex business, high national impact | Same as large-scale (at minimum), plus an independent external oversight body | At least once every 2 years | Independent oversight committee mainly composed of external members; same internal controls and audit independence apply |

The guide also provides a detailed breakdown of the criteria for each of the three experience levels. 

Compliance Audit Personnel Competency Requirements Summary

| Criterion | Junior | Intermediate | Senior |
|---|---|---|---|
| Work experience | ≥ 2 years in PI protection-related work | ≥ 3 years in PI protection-related work, plus recent experience in ≥ 5 major audit projects | ≥ 4 years in PI protection-related work; project leader in ≥ 5 audits for entities handling the PI of 10 million+ individuals |
| Legal & regulatory knowledge | Basic understanding of laws and standards; can identify common risks under guidance | Proficient with legal texts and standards; able to conduct gap analysis and judge compliance in typical scenarios | Expert-level mastery; can interpret complex laws and independently assess compliance in varied scenarios |
| Audit professional skills | Assist in data collection, basic document review, and evidence collation under guidance | Independently conduct audits, manage tasks, analyze issues, and offer initial rectification advice | Design and optimize the full audit process; analyze complex contexts; propose actionable, forward-looking recommendations |
| Communication & coordination | Basic communication; can work with the team to complete assigned tasks | Good communication with business/technical teams; support senior personnel in coordination | Excellent cross-functional communication, including with executives; resolve disputes during the audit |
| Team leadership | N/A | Task allocation and time management for projects | Lead, mentor, and supervise the team; elevate overall team capability |
| Reporting & documentation | Assist with draft work papers; write basic report parts under supervision | Write structured work papers and reports; manage documentation quality | Write high-quality reports with clear findings and suggestions; review and sign off final reports; ensure traceability |
| Project experience | N/A | Involved in ≥ 5 audits (within 3 years), either as a main member for entities with >10 million PI records or as leader for entities with 1–10 million | Lead role in ≥ 5 audits (within 3 years) for entities with >10 million PI records |

Required documents 

Companies are required to maintain documented records of the audit process, and these records must meet certain requirements. The required documents are as follows:

  1. Audit plan: Must clearly define the audit scope, basis, content, methodology, organization, personnel, schedule, and work requirements.
  2. Audit working papers: Compiled during the audit process, must document steps taken, methods used, findings, evidence, and rationale for each audit item. Records should be complete, accurate, objective, and organized.
  3. Audit report: Based on the working papers, a final audit report should include the audit overview, basis, conclusions, findings, opinions, and recommendations.
  4. Signatures for internal audits: Reports issued by an internal team must be signed by the audit team leader. If the organization processes data of over 1 million individuals, the report must also be signed by the person responsible for personal information protection. 

Process for conducting compliance audits 

The guide outlines five steps for conducting a compliance audit: preparation, implementation, reporting, problem rectification, and archiving management. 

Step 1: Audit preparation. This step involves five main tasks:

  1. Define scope and basis: Set the audit’s scope based on objectives and the organization’s data practices, referencing relevant laws and standards.
  2. Form audit team: Build a qualified team based on organizational size, data complexity, and internal or external resources. Appoint a team leader to manage the process.
  3. Pre-audit investigation: Gather background information through questionnaires, interviews, and document reviews to understand the organization’s personal information protection practices.
  4. Select audit methods: Choose appropriate audit methods (on-site, off-site, electronic) based on the nature of the audit and evidence needed.
  5. Develop and review audit plan: Draft a detailed plan covering scope, methods, timeline, team roles, and risk controls. Review and adjust as needed before execution.

Step 2: Audit implementation. This step includes the following tasks: 

  1. Sending notification: Notify the audit target in advance, clarifying audit participants, responsibilities, scope, methods, communication channels, security and confidentiality measures, needed resources, and procedures for feedback and emergency handling.
  2. Collecting evidence: Gather relevant and objective evidence from multiple sources to support audit findings. Ensure evidence is well-organized, securely stored, and compiled into audit working papers.
  3. Verifying and accepting evidence: Only accept credible evidence, such as recent internal assessments or certifications related to cybersecurity or data protection. Use analysis or testing methods if needed to validate evidence before forming audit findings.
  4. Drafting audit working papers: Document the full audit process in detail, including methods, evidence, findings, and conclusions. Include information such as team names, audit dates, procedures followed, and any supporting materials or interviews.
  5. Confirming findings: Analyze evidence to identify compliance issues and validate findings against the audit basis. Present and confirm findings with the audited organization’s management. If disagreements arise, they must be discussed and, if unresolved, recorded. Findings may also be prioritized based on impact and remediation difficulty. 

Step 3: Audit reporting. This step includes the following key activities: 

  1. Dispute resolution: Before drafting the audit report, a mechanism for raising objections should be in place. If the audited organization raises objections to any findings, auditors must promptly communicate and resolve these, documenting both the final conclusions and the resolution process.
  2. Audit report preparation: Auditors prepare a formal written report summarizing the audit process, findings, and recommendations.
  3. Report submission: Deliver to the audited organization within the agreed timeframe. 

Step 4: Problem rectification. After the audit report is delivered, auditors must follow up on identified non-compliance issues. The audited organization is expected to implement corrective measures within a specified timeframe. If necessary, auditors may conduct a follow-up audit to verify whether the corrective actions were completed and effective. 

Step 5: Archiving management. All audit-related materials, including working papers, audit reports, and supporting documents, must be properly archived to ensure traceability and accountability for future reference or review.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.