Companies in China to conduct regular personal data compliance audits under new rules
- Internet regulator’s draft regulation requires all firms to carry out the audits
- They include security checks for personal information being sent overseas
China’s internet regulator will require all companies dealing with personal data to conduct regular compliance audits, including security checks for data provided to overseas entities.
All companies with more than 1 million users will have to carry out at least one audit a year on their compliance with rules on managing users’ personal data, according to a draft regulation released on Thursday by the Cyberspace Administration of China.
Service providers with less than 1 million users will have to conduct an audit every two years.
The CAC is seeking public feedback on the draft regulation for a month until September 2.
Audits on data being sent overseas will include checking whether personal information is provided to overseas judicial or law enforcement agencies, and if that is being done after receiving the required approval from Chinese authorities.
Companies will also have to review whether people handling data understand the personal information protection policy and cybersecurity environment of the country or region the data is sent to.