A Brief Analysis of Personal Information Protection Compliance Audits for New Energy Vehicle Enterprises
Using new energy vehicle enterprises as an example, this article systematically outlines the practical framework for personal information protection compliance audits in conjunction with the Personal Information Protection Law and the National Cyberspace Administration's Measures for the Administration of Personal Information Protection Compliance Audits (Draft for Comments). The article points out that the law clearly establishes regular audit obligations and circumstances triggering mandatory audits due to risks. The Draft further details audit frequency (annually for processors handling over 1 million individuals' data, or biennially for those handling less), methods (internal or external), time limits (90 working days), and institutional independence requirements. In practice, enterprises need to first determine their data volume to establish the audit cycle, integrate audit procedures into their existing data compliance system, and choose between internal or external audit based on their risk profile and professional capacity. Internal audits should strictly follow the standard process of pre-audit preparation, on-site implementation, report issuance, and follow-up on rectification. Although the Draft provides actionable guidance, certain issues such as audit threshold settings, risk-level considerations, and audit institution qualification requirements still await clarification in formal regulations.

The Personal Information Protection Law clearly establishes that personal information processors have audit obligations. However, as a law, it cannot provide highly detailed provisions on how exactly audit work should be conducted. Therefore, in practice, personal information processors have been conducting personal information protection audits based on their own understanding. On August 3 this year, the National Cyberspace Administration issued the Measures for the Administration of Personal Information Protection Compliance Audits (Draft for Comments) (hereinafter referred to as the “Draft”). Although only a draft for comments, its level of detail and practicality make it suitable for personal information processors to use as guidance for their personal information protection compliance audit activities.
Below, we will combine the Personal Information Protection Law and the Draft to briefly analyze how new energy vehicle enterprises, as personal information processors, should conduct their personal information protection compliance audits.
I. Provisions on Audits in the Personal Information Protection Law

Relevant provisions on audits in the Personal Information Protection Law:
Article 54 “Personal information processors shall regularly conduct compliance audits of their compliance with laws and administrative regulations in processing personal information.” This article stipulates that personal information processors shall conduct regular compliance audits, with the audit content being “compliance with laws and administrative regulations in processing personal information.”
Article 64 “If the department responsible for personal information protection finds significant risks in personal information processing activities or the occurrence of personal information security incidents, it may, in accordance with the prescribed authority and procedures, conduct an interview with the legal representative or principal responsible person of the personal information processor, or require the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities. The personal information processor shall take measures, carry out rectification, and eliminate risks as required.” This article provides for two circumstances triggering mandatory compliance audits by relevant authorities: “significant risks in personal information processing activities” or “occurrence of personal information security incidents,” and requires that such audits be conducted by “professional institutions.” Notably, this article does not specify that the audit content for mandatory audits of “personal information processing activities” is limited to “compliance with laws and administrative regulations in processing personal information,” thereby providing the regulatory authorities with a basis to expand the audit scope in such circumstances.
Currently, new energy vehicle enterprises’ products invariably involve extensive processing of personal information, and the enterprises control most of those processing activities, so they unquestionably qualify as personal information processors under the Personal Information Protection Law and bear the legal obligation to conduct compliance audits. Additionally, the new energy vehicle industry is under strong regulatory supervision. When regulatory authorities discover significant risks in personal information processing activities during other regulatory scenarios, such as the submission of automotive data security management reports or cross-border data transfer security assessments, mandatory audits may be triggered. From this perspective as well, compliance audits are essential.
II. Key Points of the Draft
1. Audit Frequency
Based on the number of individuals whose personal information is controlled by the processor, there are two audit frequency requirements: processors handling personal information of more than 1 million individuals shall conduct at least one personal information protection compliance audit per year; other processors shall conduct at least one such audit every two years.
2. Audit Methods
Based on the institution conducting the audit, there are two types: (1) internal audit conducted by the processor itself; (2) external audit conducted by a professional institution entrusted by the processor.
Based on whether the audit is mandated by regulatory authorities, there are also two types: (1) regular audits voluntarily conducted by processors in accordance with legal requirements; (2) mandatory audits required by regulatory authorities when significant risks in processing activities or personal information security incidents are identified, requiring the processor to entrust a professional institution to conduct the audit.
3. Conducting Body for Mandatory Compliance Audits
Mandatory compliance audits shall be conducted by professional institutions entrusted by the personal information processor.
4. Time Limit for Mandatory Compliance Audits
The audit shall be completed within 90 working days; in complex circumstances, it may be appropriately extended upon approval by the department responsible for personal information protection.
5. Independence of Audit Institutions
Audit institutions shall maintain independence and objectivity and shall not conduct personal information protection compliance audits for the same audited entity consecutively more than three times.
6. Qualifications of Professional Audit Institutions
The Draft does not specify qualifications for professional audit institutions. Which institutions are eligible to conduct personal information protection compliance audit activities awaits further clarification from regulatory authorities.
Additionally, the Draft proposes that the National Cyberspace Administration, together with public security organs and other relevant State Council departments, establish and maintain a recommended directory of professional institutions for personal information protection compliance audits, and encourages processors to give priority to professional institutions on that directory. The details likewise await clarification in subsequent regulatory provisions.
7. Audit Reference Points
The Draft includes an appendix titled “Reference Points for Personal Information Protection Compliance Audit” (hereinafter referred to as the “Reference Points”). The Reference Points comprehensively cover compliance items across the entire personal information processing lifecycle. Although they are only reference points without mandatory force, they summarize key points from regulators and, to some extent, represent regulatory attitudes. Additionally, the Reference Points are relatively comprehensive. Therefore, it is recommended that when conducting audits, enterprises refer to this appendix and supplement it based on their business scenarios to form their audit basis documents for conducting audit activities.
III. Conducting Audit Work
1. Determine Enterprise Identity
By measuring the volume of personal information the enterprise processes, determine whether it qualifies as a processor handling the personal information of more than 1 million individuals, and thus whether the annual or the biennial audit cycle applies. Notably, the Draft does not restrict the 1 million threshold to the business scenarios of the enterprise’s various products or services. The count should therefore include enterprise employees, customer personal information obtained through sales channels, non-owner personal information collected by vehicle-mounted devices, and so on. There is a technical issue here: personal information held as structured data is relatively easy to count, but identifying and counting personal information in massive volumes of semi-structured or unstructured data is not, and requires appropriate technical means together with classification, grading, and other underlying logic and management mechanisms for personal information processing.
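As an added illustration (not code from the article, the Draft, or any regulator), the following Python sketch shows one way to estimate the distinct-individual count that the threshold turns on: it merges records from the sources the article names (employees, sales-channel customers, non-owner data from vehicle devices) on salted hashes of normalised phone numbers and e-mail addresses, so the audit working set never holds raw identifiers. The normalisation rules, the sample records and the salt are assumptions made for the example.

```python
import hashlib
import re

# The Draft's dividing line: more than 1 million individuals -> annual audit, otherwise biennial.
AUDIT_THRESHOLD = 1_000_000

def normalise_phone(raw):
    """Digits only; drop a leading 86 country code (a constructed rule for this example)."""
    digits = re.sub(r"\D", "", raw or "")
    if digits.startswith("86") and len(digits) == 13:
        digits = digits[2:]
    return digits or None

def normalise_email(raw):
    return (raw or "").strip().lower() or None

def pseudonymise(kind, value, salt):
    """Salted hash so the audit working set holds no raw identifiers."""
    return hashlib.sha256(f"{salt}:{kind}:{value}".encode()).hexdigest()

def count_distinct_individuals(sources, salt):
    """Count distinct people across sources by merging records that share a phone or e-mail.
    A record with no usable identifier is conservatively counted as its own individual."""
    parent = {}  # union-find over record ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    owner = {}  # pseudonymised identifier -> first record seen carrying it
    node = 0
    for records in sources.values():
        for rec in records:
            node += 1
            parent[node] = node
            for kind, norm in (("phone", normalise_phone), ("email", normalise_email)):
                value = norm(rec.get(kind))
                if value is None:
                    continue
                key = pseudonymise(kind, value, salt)
                if key in owner:
                    parent[find(node)] = find(owner[key])  # same person: merge the sets
                else:
                    owner[key] = node
    return len({find(n) for n in parent})

def audit_cycle(distinct_individuals):
    return "annual" if distinct_individuals > AUDIT_THRESHOLD else "biennial"

# Constructed sample data: the same person appears in several of the sources the article lists.
SAMPLE_SOURCES = {
    "employees": [{"phone": "+86 138 0000 0001", "email": "A@Example.com"}, {"phone": "13800000002"}],
    "sales_customers": [{"phone": "138-0000-0001"}, {"email": "b@example.com"},
                        {"phone": "13800000003", "email": "c@example.com"}],
    "vehicle_devices": [{"email": "C@example.com"}, {"phone": "13800000004"}, {}],
}

if __name__ == "__main__":
    n = count_distinct_individuals(SAMPLE_SOURCES, salt="constructed-salt")
    print(n, "distinct individuals ->", audit_cycle(n))
```

The eight sample records collapse to six individuals; at production scale the same identifier-merging step is what separates "records" from "individuals" for the threshold.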
2. Establish Audit Systems
According to the Personal Information Protection Law and the Draft, determine the responsible department for internal auditing and incorporate personal information protection compliance audit processes and systems into the enterprise’s data compliance management system.
Neither the Personal Information Protection Law nor the Draft clearly specifies which department within the enterprise should be responsible for personal information protection audits. From a management system integration perspective, the management system and processes for personal information protection compliance audits can be merged into the enterprise’s original data compliance management system. Positions can be established in the enterprise’s existing audit department or institution. Audit department personnel may lack familiarity with the content and rules of personal information protection compliance audits, requiring enhanced training and, when necessary, engagement of external consultants or experts to assist with audits.
3. Choice Between Internal and External Audits
For non-mandatory audits, enterprises can choose between external or internal audits based on their circumstances. Internal audits have cost advantages, and internal personnel are typically more familiar with the enterprise’s situation and business scenarios, with smoother communication channels, making audit work more convenient. However, audit effectiveness may be limited by personnel’s knowledge, experience, objectivity, and professionalism.
If the enterprise self-assesses its personal information protection compliance risk as relatively high or lacks sufficient capability for personal information protection compliance audits, it is recommended to opt for external audits. Professional audit institutions have stronger professional capabilities and better objectivity and authority. During external audits, sufficient support and cooperation should be provided to enable external auditors to thoroughly understand the enterprise’s actual situation, business scenarios, and personal information processing, allowing them to produce sufficiently professional and authoritative audit reports. When contracting with external audit institutions, in addition to traditional contract terms, data processing clauses should be added to ensure data compliance during the audit process.
4. How to Conduct Internal Audits
Personal information protection internal audits can be tailored to each enterprise’s actual situation, generally including the following steps:
(I) Pre-Audit Preparation
(1) Prepare an internal audit plan, setting the audit timeline, objectives, and scope;
(2) Determine the composition of the audit team;
(3) Pre-audit investigation: including investigating the operation of personal information compliance systems, the various scenarios involving personal information processing, and the findings of the previous audit, and collecting relevant laws, regulations, policies, standards, and the enterprise’s internal standard documents;
(4) Based on the Reference Points and other relevant laws, regulations, and the enterprise’s standards, develop a detailed audit plan, including specific audit methods, audit content, executor, execution time, etc.;
(5) Issue an audit notice;
(II) Conducting the Audit
(6) Audit methods may include but are not limited to: discussions with auditees, requiring auditees to truthfully complete questionnaires, reviewing documents related to auditees’ personal information processing activities and data processing contracts, on-site inspections of personal information processing in systems, technical testing, etc.;
(7) Audit methods may include: conducting completeness and effectiveness tests on internal control systems, and conducting walk-through tests on the entire lifecycle of personal information processing;
(8) Based on inspection and testing results, conduct personal information protection compliance analysis and prepare an interim audit report;
(9) Convene meetings to communicate the interim audit report to the audited departments, verify problems identified during the audit, and require relevant personnel to rectify within a specified period;
(III) Audit Report
(10) Based on the audit situation, prepare an audit report summarizing the problems and deficiencies in the enterprise’s personal information protection, and propose improvement suggestions and corrective measures;
(11) Issue the audit report;
(IV) Follow-up
(12) Track the implementation of corrective measures;
(13) Archive upon audit completion.
IV. Outlook

The Personal Information Protection Law stipulates that personal information protection compliance audits are a legal obligation that personal information processors must fulfill. The Draft further refines the audit within the framework of the Personal Information Protection Law, providing more specific and practical operational guidance for enterprises’ audit content and rules. However, we believe that the Draft may still have some issues requiring further consideration and clarification. For example, using 1 million personal information records as the dividing line requiring at least annual or biennial audits seems somewhat crude. Whether other factors could be added, such as the sensitivity and risk level of personal information under the processor’s control, or whether the processor is a critical information infrastructure operator, and issues such as the qualification recognition of external audit institutions—which institutions can conduct personal information protection compliance audits and what qualifications are needed—have not been clarified. We look forward to the formal issuance of the Measures for the Administration of Personal Information Protection Compliance Audits to further resolve practical issues enterprises face in conducting compliance audits.
Hillock Team
Small hills accumulate to form heights; rivers converge to form the ocean—Zhuangzi. The Hillock Team of Long An (Guangzhou) Law Firm focuses on personal data compliance, cross-border data transfer, data transactions, intellectual property compliance and rights protection, new energy vehicle investment and financing law, AI compliance, marketing compliance, and consumer rights protection in the new energy vehicle sector.