Updates on Implementation of Audits of Personal Information Protection in China – MAY 2025
Tags: Cybersecurity, Compliance. By ED01
Upload date: 2025-06-10 15:27:30

On May 1, 2025, the Administrative Measures for Compliance Audits on Personal Information Protection (hereinafter referred to as "the Measures"), issued by the Cyberspace Administration of China (CAC), came into force. The Measures are one of the key regulations in China's data and cybersecurity governance system, and two activities took place in the same month to support their implementation:

1. SAC/TC260 (Cybersecurity) issued the Cybersecurity Standard Practice Guideline - Requirements for Compliance Audits on Personal Information Protection (hereinafter referred to as "the Guideline") on May 26, 2025.

The Guideline is a very practical document for stakeholders in such audits. Its six chapters elaborate the implementation process, the content and methods of the audit, the evidence required, working paper templates, report templates, and related matters for compliance audits on personal information protection. Personal information processors and professional institutions may refer to this practice guideline when conducting compliance audits on personal information protection.

The Guideline is expected to provide a solid and unified approach for the relevant stakeholders in such audits. The full text of the Guideline is available in Chinese at: https://www.tc260.org.cn/upload/2025-05-26/1748255158535034574.pdf

2. On May 27, a CAC official gave an interview to further clarify several of the most frequently asked questions.

On the day after the Guideline was issued, CAC officials gave an interview to further explain the details of the implementation of the Measures. The key takeaways include:

- CAC confirmed the Guideline as the practical implementation guide.

- CAC named the three agencies that are currently approved to conduct such compliance audits.

- CAC clarified that there are three levels of personnel competence for auditors of this type of compliance audit, and stated that further detailed requirements are subject to the Guideline.

Summary and suggestions

There are two scenarios that require a compliance audit on personal information protection:

- When personal information processors need to conduct a compliance audit themselves. Personal information processors that handle the personal information of more than 10 million people shall conduct a personal information protection compliance audit at least once every two years. Other audits may be carried out by the processor's internal team or by a professional agency the processor assigns.

- When a department responsible for protecting personal information discovers that personal information processing poses significant risks, may infringe upon the rights and interests of numerous individuals, or may cause a personal information security incident, it may require the personal information processor to entrust a professional institution to conduct a compliance audit of the personal information processing activities.

Therefore, our suggestions for foreign stakeholders are:

- If you operate in China and handle personal data, ensure that your compliance audit partners (institutions or personnel) meet the certification and competency requirements outlined above.

- Engage one of the three accredited certification bodies for compliance audit services, or hire auditors certified by CSAC.

- Monitor updates to the Guideline and CSAC's official website (www.cybersac.cn) for the latest compliance standards.

If you have any questions or need further assistance, please reach us at: info@bestao-consulting.com.

BESTAO presents a free monthly report on China compliance. It offers a comprehensive overview of the various standards and regulatory activities in China. For a sample of the monthly report, please refer to:

https://www.bestao-consulting.com/detail?id=1740&status=bestao_library

Subscribe to the free monthly report by registering as a BESTAO website member at https://www.bestao-consulting.com/login, or write an email to assistant@bestao-consulting.com.
