I-Land Insights | Practical Guide to Personal Information Protection Compliance Audits
Published: 2025-03-03

In the "Practice Insights" section of the previous issue (Vol. 13) of I-Land Law Offices' Data Compliance and Regulatory Update Monthly Newsletter, I mentioned that "we can anticipate the imminent release of rules on personal information protection compliance audits in the first half of the year." Shortly afterwards, on February 14, 2025, the Cyberspace Administration of China (CAC) officially promulgated the Administrative Measures for Personal Information Protection Compliance Audits. As a "Personal Information Protection Compliance Auditor" certified by the China Cybersecurity Review Certification and Market Regulation Big Data Center, I believe our judgment and interpretation of policy trends have proven accurate. Taking this opportunity, I will use the newly enacted Measures to clarify a number of practical questions about personal information protection compliance audits, from the perspective of enterprises that may be subject to audit obligations.


I. Understanding the Legal Basis for Personal Information Protection Compliance Audits

The legal basis is the source of legitimacy for a legal obligation. For personal information protection compliance audits, that basis was established as early as August 2021 in the Personal Information Protection Law (PIPL), the fundamental law governing China's personal information protection regime. Article 54 of the PIPL stipulates:

"Personal information handlers shall conduct regular compliance audits on their processing of personal information to ensure compliance with laws and administrative regulations."


Article 64 of the PIPL further provides:

"When fulfilling their duties, departments responsible for personal information protection may, upon identifying significant risks in personal information processing activities or the occurrence of personal information security incidents, summon the legal representative or principal responsible person of the handler for discussions in accordance with prescribed authority and procedures, or require the handler to engage a professional institution to conduct a compliance audit of its processing activities."


On September 24, 2024, the State Council promulgated the Regulations on Network Data Security Management to regulate network data processing activities, promote the lawful, reasonable and effective use of network data, and protect the legitimate rights and interests of individuals and organizations. As the first administrative regulation on network data compliance management, it occupies an important position in China's data compliance and personal information protection landscape. Article 27 of the Regulations once again establishes personal information protection compliance audits as a mandatory obligation of network data handlers:

"Network data handlers shall regularly conduct compliance audits, either on their own or through professional institutions, of their compliance with laws and administrative regulations in processing personal information."


Although the PIPL established the compliance audit obligation of personal information handlers in 2021, practical rules on how such audits should be carried out, including concrete procedures and details, were lacking for a long time. At the same time, the competent authorities have been actively advancing the supporting rules. In August 2023, the CAC released the Administrative Measures for Personal Information Protection Compliance Audits (Draft for Comments); on July 12, 2024, the National Information Security Standardization Technical Committee (TC260) released the draft national standard Data Security Technology – Requirements for Personal Information Protection Compliance Audits (Draft for Comments). The two drafts set out detailed implementation rules on audit obligations, audit procedures, audit focus areas and audit methods, and were the basis for our prediction that the audit framework would be issued in early 2025. As of the date of this article, however, the national standard Data Security Technology – Requirements for Personal Information Protection Compliance Audits remains at the draft-for-comments stage and has not yet been formally released.


In conclusion, the legal basis for personal information protection compliance audits consists primarily of the Personal Information Protection Law (PIPL), the Regulations on Network Data Security Management and the newly issued Administrative Measures for Personal Information Protection Compliance Audits. We also recommend using the Data Security Technology – Requirements for Personal Information Protection Compliance Audits (Draft for Comments) as a technical reference for conducting audits.


II. Determining Whether an Enterprise Bears Personal Information Protection Compliance Audit Obligations

Based on the legal provisions above, we can conclude that almost all enterprises bear personal information protection compliance audit obligations. Informatization and digitization now reach every aspect of an enterprise: business development, production management, customer management and human resources management are all carried out over information networks. "Personal information handler" and "network data handler" are therefore no longer labels for a particular class of organizations, but descriptions of the different roles and obligations an enterprise assumes in different scenarios.


If an enterprise is a consumer-facing sales company (offline sales), an internet platform, an e-commerce business, a medical institution or an education provider, it will naturally process large volumes of personal information, and it is therefore a "personal information handler" or "network data handler" that bears compliance audit obligations.


What about a B2C manufacturing company? Because it holds customer data and sales data and manages its own workforce, it too qualifies as a "personal information handler" or "network data handler".


Thus, on the question of whether an enterprise bears personal information protection compliance audit obligations, the answer is that all enterprises do. The important distinction is that the Administrative Measures for Personal Information Protection Compliance Audits impose different audit requirements on different types of enterprises, which we explain in detail below.


III. How to Conduct and Implement Personal Information Protection Compliance Audits

Since all enterprises bear compliance audit obligations, this section explains in detail how to conduct and implement such audits. It covers the audit obligations that apply to different types of enterprises (including the initiation of mandatory audits, the determination of the audit institution and the required audit frequency), how an enterprise should carry out an audit, and what actions it should take before, during and after the audit.


(i) Initiation of Audits – Regulatory Audits and Voluntary Audits


Although we say that every enterprise bears a compliance audit obligation, how an audit is initiated differs depending on the circumstances: there are regulatory audits and voluntary audits. Under the Administrative Measures for Personal Information Protection Compliance Audits, an audit requested by a "protection department" (the national cyberspace administration or another department performing personal information protection duties) is a "regulatory audit".


Under Article 5 of the Administrative Measures for Personal Information Protection Compliance Audits, a protection department may initiate a regulatory audit of an enterprise in the following circumstances:


(1) Personal information processing activities are found to pose significant risks, such as seriously harming individual rights and interests or seriously lacking security measures;


(2) Personal information processing activities may infringe the rights and interests of a large number of individuals;


(3) A personal information security incident has occurred that resulted in the leakage, tampering, loss or destruction of the personal information of more than 1 million individuals or the sensitive personal information of more than 100,000 individuals.


Since the first two triggers carry no clear quantitative criteria, we recommend that enterprises refer to standards such as Information Security Technology – Information Security Risk Assessment Methods (GB/T 20984-2022), issued by the National Standardization Management Committee, as a reference for assessing the risks present in their personal information processing activities.


All audits other than regulatory audits initiated by a protection department, that is, audits an enterprise initiates on its own, are voluntary audits.



(ii) Determining Audit Frequency – How Often Should Compliance Audits Be Conducted


On audit frequency, the Administrative Measures for Personal Information Protection Compliance Audits together with the related laws and regulations give rise to three distinct scenarios:


(1) Regulatory audits must be started and completed within a set time. Article 9 of the Administrative Measures for Personal Information Protection Compliance Audits provides: "Where a personal information handler conducts a personal information protection compliance audit at the request of a protection department, it shall select a professional institution as required by the protection department and complete the audit within the prescribed time." In other words, in a regulatory audit the enterprise must start the audit immediately as required by the regulator and complete it within the stipulated deadline.


(2) Periodic audits are required for handlers meeting specific conditions. Personal information handlers meeting specific conditions must conduct compliance audits of their processing activities at statutory intervals, including:


(a) Handlers processing the personal information of more than 10 million individuals shall conduct an audit at least once every two years (Article 4 of the Administrative Measures for Personal Information Protection Compliance Audits);


(b) Handlers processing the personal information of minors shall conduct an audit once a year (Article 37 of the Regulations on the Protection of Minors in Cyberspace).


(3) Audits at a reasonable interval determined by the business. Personal information handlers not falling under the two categories above may reasonably determine the frequency of their periodic compliance audits according to their own circumstances. The rules impose no explicit limit here; we recommend that enterprises conduct a personal information protection compliance audit every 2-3 years, taking into account their compliance needs and business scenarios.


(iii) Determining the Audit Institution – Choosing Between Internal and External Audits


Determining the audit institution involves two questions: who within the enterprise should be responsible for carrying out the audit, and how the audit body should be composed.

The Administrative Measures for Personal Information Protection Compliance Audits set requirements for the person responsible for the audit in only two situations. Personal information handlers processing the personal information of more than 1 million individuals shall designate a personal information protection officer who is responsible for the handler's compliance audit work (Article 12, Paragraph 1). Personal information handlers that provide important internet platform services, have a very large number of users and operate complex business types shall establish an independent body composed mainly of external members to supervise the compliance audits (Article 12, Paragraph 2). For all other enterprises, we recommend that the data compliance department be responsible for carrying out the audit.


Beyond this, the question enterprises tend to care about most is the choice of audit institution, because whether an external institution must be engaged has a direct and significant effect on compliance costs. We explain this in detail so that enterprises can decide clearly and accurately.


First, it must be made clear that for regulatory audits an enterprise must engage a professional institution; it may not organize its own personnel to perform the audit or rely solely on an internal audit.


The Administrative Measures for Personal Information Protection Compliance Audits do not specify which types of organizations count as professional institutions. They provide only that "professional institutions shall have the capability to conduct personal information protection compliance audits, with audit personnel, premises, facilities and funding commensurate with the service. Relevant professional institutions are encouraged to obtain certification. Certification of professional institutions shall be carried out in accordance with the relevant provisions of the Regulations of the People's Republic of China on Certification and Accreditation" (Article 7). Notably, the Regulations on Certification and Accreditation define certification as a conformity assessment activity in which a certification body attests that a product, service or management system conforms to relevant technical specifications, the mandatory requirements of such specifications, or standards. Whether a professional institution's compliance audit services conform to such specifications, mandatory requirements or standards will therefore be the criterion for certifying it. As of now, however, there is no standard or specification specifically for assessing and certifying the capability to provide compliance audit services. Specifications for compliance audits, or clarification of which existing specifications and standards serve as the basis for certification, may therefore follow.


Because a regulatory audit must be carried out by a professional institution, while no criteria for evaluating such institutions yet exist, we recommend that an enterprise receiving a regulatory audit request ask the protection department for a list of institutions it recognizes and select from that list, so as to satisfy the mandatory regulatory requirement. Once certification and evaluation standards for compliance audits are issued, a large number of certified institutions will become available on the market for enterprises to choose from.


Outside of regulatory audits, that is, for voluntary audits, an enterprise may choose to conduct the audit either through an internal body or by engaging a professional institution.


We remind enterprises to pay close attention to the requirements of professionalism, independence and comprehensiveness in an audit. A professional institution, as an external independent auditor, clearly meets these requirements; an enterprise auditing through an internal body must pay particular attention to them to ensure the audit is effective. To meet these requirements, we recommend forming the audit body from internal staff combined with external professionals, who help the enterprise complete the internal audit. The benefits are clear. First, in the absence of certification, an external institution engaged on its own may not satisfy the evaluation criteria regulators will later apply to professional institutions, so its suitability is uncertain. Second, an external institution unfamiliar with the enterprise's business raises the communication and time costs of the audit and thus the overall compliance cost. Finally, an external institution's audit fees add to the enterprise's compliance burden. Combining external professionals with the enterprise's own compliance staff addresses all three issues. The China Cybersecurity Review Certification and Market Regulation Big Data Center, guided and supported by the State Administration for Market Regulation and the Cyberspace Administration of China, has already launched the "Personal Information Protection Compliance Auditor" individual professional certification; professionals holding this certification can meet an enterprise's need for external expertise during a compliance audit.


(iv) Pre-Audit Preparation – Creating Favorable Conditions for Compliance Audits


Pre-audit preparation aims to create sufficiently favorable conditions for the audit to proceed smoothly. Taking a self-conducted audit by internal staff working with external professionals as the example, preparation mainly includes: defining the objectives and scope of the audit, drawing up the audit plan, forming the audit team and appointing the audit team leader (usually the person in charge of the audit), carrying out preliminary fact-finding, and identifying the resources the audit will require.


A key recommendation here is that, before the audit begins, the enterprise first review whether the mandatory prerequisites of personal information protection compliance are in place. For example: does the enterprise have an institutional framework, internal policies, procedures and standards that ensure personal information is effectively protected? For matters that require a personal information protection impact assessment (PIA) under the relevant rules, has the assessment been completed and the report retained? The reason for reviewing these points in advance is that they will inevitably fall within the scope of the compliance audit; if such gaps are discovered during the audit, the audit may be interrupted and considerable time spent filling them, prolonging the audit cycle. This pre-audit review can be handled by the enterprise's data compliance department, or external personal information protection compliance audit experts can be engaged in advance to assist.

It should also be noted that, because a compliance audit covers the entire lifecycle of personal information processing, it will touch every link and area of the enterprise's production and operations. Before the audit begins, the necessary resources must therefore be arranged, including but not limited to: the audit budget, coordination and cooperation across departments, system access permissions, and dedicated office space for the audit team.


(v) Audit Methods – Understanding General Audit Practices


The methods auditors typically use in a personal information protection compliance audit include, but are not limited to, the following:


(1) Document review. This includes, among other things, checking whether the company's relevant policies and rules are complete, whether operating procedures are clear, whether customer consent records are complete, whether assessment reports, training records and logs have been retained, and whether the required qualification certificates are held.


(2) System testing. Various technical means are used to test systems and check whether they meet information security requirements. Auditors may even check whether each compliance obligation is met by accessing the service through test accounts or by calling the company as a simulated customer.


(3) Personnel interviews. Interviews are used to understand how personal information protection is actually implemented in each workflow.


Because an enterprise may have different processing procedures for different categories of personal information in different scenarios, a statutory personal information protection compliance audit generally must review all personal information processing activities and cannot be confined to individual scenarios. The specific audit methods are therefore determined by the audit team, scenario by scenario, when it draws up the audit plan.


(vi) Audit Reports and Remediation – Ongoing Compliance Obligations


The deliverable at the end of the audit is the Audit Report. In a regulatory audit, the audit report must be submitted to the protection department. If the protection department requires the enterprise to rectify compliance problems identified in the report, the enterprise must rectify them as required and submit a rectification report to the protection department within 15 working days of completing the rectification (Article 11 of the Administrative Measures for Personal Information Protection Compliance Audits). To ensure the rectification is effective, we recommend that enterprises complete the rectification and verify its results with the assistance of a professional institution or professionals.


In a voluntary audit there is no requirement to submit the audit report to the regulator, but the enterprise should retain the audit results and rectification results in written form as evidence of compliance to present if the protection department conducts a supervisory review.


Enterprises should also clearly understand that the compliance audit is a mandatory obligation concerning whether their personal information protection is compliant. If changes in the enterprise's mode of operation, products or services, business processes, markets or other factors lead to major changes in its personal information processing activities, a previously completed audit does not become a permanent "umbrella" for compliance; the enterprise must still take the necessary compliance measures (such as a PIA or a compliance audit) for those changes.


About the Author

Kai ZHU (朱凯)

Managing Partner, Chair of the TMT & Data Compliance Committee

Practice areas: equity governance, M&A, corporate compliance, data compliance and personal information protection

Professional certifications: Data Protection Officer (DPO, EXIN); Personal Information Protection Compliance Auditor (CCRC)

Working languages: Chinese, English, Shanghainese

zhukai@ilandlaw.com

Tel: (021) 80379999

Email: liubin@ilandlaw.com

Address: 27/F, Times Finance Center, 68 Yincheng Middle Road, Pudong New Area, Shanghai

Join us: liubin@ilandlaw.com