The Cyberspace Administration of China (CAC) issued the specifications after the administrative measures for personal-information protection compliance audits began implementing on May 1.
Specialized institutions and auditors in China now have a clearer view of the regulatory outlook from the country’s Internet regulator, which has specified the accredited bodies eligible for certification and designated an association to evaluate auditor qualifications.
The seventh provision of the measures “encourages” specialized institutions to obtain certification and mandates that they follow China’s certification and accreditation regulations. However, it falls short of specifying the bodies responsible for certifying specialized institutions or those assessing auditor competence.
In its latest announcement, the CAC clarified that three government-affiliated units will certify institutions. These include the Data and Technology Guarantee Center—a technology-support arm of the CAC, the China Cybersecurity Review, Certification and Market Regulation Big Data Center affiliated with the market regulator, and CESI Certification under the MIIT-linked China Electronics Standardization Institute.
According to the CAC, these certified bodies have filed their certification rules with the National Certification and Accreditation Supervision and Administration Commission. They will conduct their activities based on these rules and two newly unveiled guidelines from TC 260, the nation’s cybersecurity standard-setting body.
Meanwhile, the regulator announced that the Cyber Security Association of China, operating under its supervision, will begin evaluating the competence of auditors at various levels. The association has outlined key evaluation criteria based on the guidelines—detailing objectives, methods, and specific requirements for auditors across different tiers.
For companies that self-administer audits, adherence to the measures, accompanying guidance documents, and the TC 260 compliance audit guidelines for personal-information protection is mandatory.
Industry observers note that the stringent audit requirements may compel data handlers to outsource audits to specialized third-party institutions, as meeting the outlined standards internally poses significant challenges.
The guidelines also require data handlers to establish a personal-information protection audit system with sufficient resources, tools, permissions, and a detailed evidence framework. Those handling data of over one million individuals must appoint a personal data protection officer, and platforms with over 50 million users are required to establish independent supervisory bodies.
The guidelines also mandate rigorous qualifications for auditors. For example, data handlers processing over 10 million individuals’ data must have at least 10 auditors, including one senior and three mid-level auditors. Senior auditors must have led five major data protection projects in the past three years, while mid-level auditors must meet similarly strict standards. These requirements often exceed the capabilities of internal staff at smaller companies, making compliance through internal resources difficult.
Source: MLex