Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · TC260 PI AUDIT GUIDE

Cybersecurity Standards Practice Guide — Personal Information Protection Compliance Audit Requirements.

网络安全标准实践指南 — 个人信息保护合规审计要求

DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying audit regime; specific clauses should be checked against the published guide.

Scope

This practice guide provides requirements and a reference framework for the personal-information-protection compliance audit — the periodic audit of whether a handler’s personal-information processing complies with laws and administrative regulations. It is intended to support handlers conducting internal self-audits and professional bodies conducting entrusted audits, by enumerating the audit matters and expectations across the personal-information lifecycle.

It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard.

Key contents

At a structural level the guide is expected to cover:

  • Audit objectives and principles — independence, objectivity and full coverage of personal-information processing activities.
  • Audit scope and matters — the obligations to be examined, mapped to PIPL: lawful basis and consent; notice and transparency; minimum necessity; sensitive-PI handling; automated decision-making; entrusted processing and sharing; cross-border transfer; data-subject rights; security measures; impact assessments; and governance (responsible person, incident response, recordkeeping).
  • Audit method and evidence — how to plan, gather evidence, test controls and document findings.
  • Audit reporting — the content and form of the audit report and follow-up on rectification.

Editor: verify specific clauses against the published guide.

How it fits the regime

The guide operationalizes the compliance-audit duty in PIPL Article 54, which requires personal-information handlers to periodically audit their compliance with laws and administrative regulations, and Article 64, under which regulators may require an audit where processing poses significant risk or an incident occurs. The Administrative Measures for Personal Information Protection Compliance Audits flesh out when self-audits versus regulator-mandated audits apply, the cadence, and the use of professional auditing bodies.

This practice guide supplies the audit content and method that those instruments assume — the checklist auditors work through. For overseas compliance teams, it is the reference for scoping and running a PIPL compliance audit (or preparing to be audited), and it complements the impact-assessment standard (GB/T 39335), GB/T 35273 and the sensitive-PI standards.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →