DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying audit regime; specific clauses should be checked against the published guide.
Scope
This practice guide provides requirements and a reference framework for the personal-information-protection compliance audit — the periodic audit of whether a handler’s personal-information processing complies with laws and administrative regulations. It is intended to support handlers conducting internal self-audits and professional bodies conducting entrusted audits, by enumerating the audit matters and expectations across the personal-information lifecycle.
It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard.
Key contents
At a structural level the guide is expected to cover:
- Audit objectives and principles — independence, objectivity and full coverage of personal-information processing activities.
- Audit scope and matters — the obligations to be examined, mapped to PIPL: lawful basis and consent; notice and transparency; minimum necessity; sensitive-PI handling; automated decision-making; entrusted processing and sharing; cross-border transfer; data-subject rights; security measures; impact assessments; and governance (responsible person, incident response, recordkeeping).
- Audit method and evidence — how to plan, gather evidence, test controls and document findings.
- Audit reporting — the content and form of the audit report and follow-up on rectification.
Editor: verify specific clauses against the published guide.
How it fits the regime
The guide operationalizes the compliance-audit duty in PIPL Article 54, which requires personal-information handlers to periodically audit their compliance with laws and administrative regulations, and Article 64, under which regulators may require an audit where processing poses significant risk or an incident occurs. The Administrative Measures for Personal Information Protection Compliance Audits flesh out when self-audits versus regulator-mandated audits apply, the cadence, and the use of professional auditing bodies.
This practice guide supplies the audit content and method that those instruments assume — the checklist auditors work through. For overseas compliance teams, it is the reference for scoping and running a PIPL compliance audit (or preparing to be audited), and it complements the impact-assessment standard (GB/T 39335), GB/T 35273 and the sensitive-PI standards.