In the "Practice Insights" section of the previous issue (Vol. 13) of I-Land Law Offices' Data Compliance and Regulatory Update Monthly Newsletter, I mentioned that "we can anticipate the imminent release of rules related to personal information protection compliance audits in the first half of the year." True to this prediction, on February 14, 2025, the Cyberspace Administration of China (CAC) officially promulgated the Administrative Measures for Personal Information Protection Compliance Audits. As a certified "Personal Information Protection Compliance Auditor" accredited by the China Cybersecurity Review Certification and Market Regulation Big Data Center, I believe our judgment and interpretation of policy trends remain accurate. Taking this opportunity, I will address practical issues in personal information protection compliance audits from the perspective of enterprises potentially subject to audit obligations, in light of the newly enacted Administrative Measures for Personal Information Protection Compliance Audits.
I. Understanding the Legal Basis for Personal Information Protection Compliance Audits
The legal basis is the source of legitimacy for a legal obligation. For personal information protection compliance audits, that basis was established as early as the Personal Information Protection Law (PIPL) enacted in August 2021, the fundamental law governing China's personal information protection regime. Article 54 of the PIPL stipulates:
"Personal information handlers shall conduct regular compliance audits on their processing of personal information to ensure compliance with laws and administrative regulations."
Article 64 of the PIPL further specifies:
"When fulfilling their duties, departments responsible for personal information protection may, upon identifying significant risks or security incidents in personal information processing activities, summon the legal representative or principal responsible person of the handler for discussions in accordance with the prescribed authority and procedures, or require the handler to engage a professional institution to conduct a compliance audit of its processing activities."
On September 24, 2024, the State Council of China promulgated the Regulations on Network Data Security Management to regulate network data processing activities, promote the lawful, reasonable and effective use of network data, and safeguard the legitimate rights and interests of individuals and organizations. As the first administrative regulation on network data compliance, it occupies an important position in China's data compliance and personal information protection landscape. Article 27 once again establishes personal information protection compliance audits as a mandatory obligation of network data handlers:
"Network data handlers shall regularly conduct compliance audits, either independently or through professional institutions, to verify their adherence to laws and administrative regulations in processing personal information."
Although the PIPL, enacted in 2021, established the obligation for personal information handlers to conduct compliance audits, practical rules on audit procedures and implementation details were long lacking. At the same time, we observed that the competent authorities were actively advancing supporting rules. In August 2023, the CAC released the Administrative Measures for Personal Information Protection Compliance Audits (Draft for Comments). On July 12, 2024, the National Information Security Standardization Technical Committee (TC260) issued the draft national standard Data Security Technology – Requirements for Personal Information Protection Compliance Audits (Draft for Comments). These two drafts set out detailed implementation rules on audit obligations, procedures, key focus areas and methods, which formed the basis for our prediction that the audit framework would be finalized in early 2025. As of the publication of this article, however, the national standard Data Security Technology – Requirements for Personal Information Protection Compliance Audits remains at the draft stage and has not yet been officially released.
In conclusion, the legal basis for personal information protection compliance audits consists primarily of the Personal Information Protection Law (PIPL), the Regulations on Network Data Security Management and the newly issued Administrative Measures for Personal Information Protection Compliance Audits. We also recommend using the Data Security Technology – Requirements for Personal Information Protection Compliance Audits (Draft for Comments) as a technical reference for audit implementation.
II. Determining Whether an Enterprise Bears Personal Information Protection Compliance Audit Obligations
根據(jù)上述的法律規(guī)定,我們可以得出這樣的結(jié)論,幾乎所有企業(yè)都負(fù)有個人信息保護(hù)合規(guī)審計義務(wù)。由于信息化和數(shù)據(jù)化已經(jīng)覆蓋到所有企業(yè)的方方面面,企業(yè)無論是業(yè)務(wù)拓展、生產(chǎn)管理、客戶管理還是人事管理,都會通過信息網(wǎng)絡(luò)方式進(jìn)行,因而,“個人信息處理者”或者“網(wǎng)絡(luò)數(shù)據(jù)處理者”已經(jīng)不再是一種群體的分類、而是在不同場景下承擔(dān)不同義務(wù)身份的卻別表述。
Based on the aforementioned legal provisions, we can conclude that almost all enterprises bear personal information protection compliance audit obligations. As informatization and digitization have permeated every aspect of business operations—whether in business expansion, production management, customer management, or human resources management—enterprises inevitably rely on information networks. Therefore, the terms "personal information handler" or "network data handler" no longer represent a classification of specific groups but rather describe different roles and obligations in various scenarios.
如果企業(yè)是一家面向終端客戶的銷售型企業(yè)(線下銷售)、互聯(lián)網(wǎng)平臺企業(yè),電商企業(yè)、醫(yī)療企業(yè)、教育行業(yè),那么企業(yè)當(dāng)然會面臨大量的個人信息處理,當(dāng)然地成為“個人信息處理者”或者“網(wǎng)絡(luò)數(shù)據(jù)處理者”,負(fù)有個人信息保護(hù)合規(guī)審計義務(wù)。
If an enterprise is a consumer-facing sales company (offline sales), an internet platform, an e-commerce business, a medical institution, or an educational organization, it will inevitably process a significant amount of personal information, thereby qualifying as a "personal information handler" or "network data handler" and bearing personal information protection compliance audit obligations.
如果企業(yè)是一家ToC的生產(chǎn)型企業(yè)呢,由于存在企業(yè)的客戶數(shù)據(jù)、銷售數(shù)據(jù)、企業(yè)自身人力資源管理等,也會使之成為“個人信息處理者”或者“網(wǎng)絡(luò)數(shù)據(jù)處理者”。
What if the enterprise is a B2C manufacturing company? Due to the existence of customer data, sales data, and internal human resources management, it will also qualify as a "personal information handler" or "network data handler."
因而,在是否負(fù)有個人信息保護(hù)合規(guī)審計義務(wù)的問題上,所有企業(yè)都負(fù)有該等義務(wù)。重要的區(qū)別在于,針對不同類型的企業(yè),《個人信息保護(hù)合規(guī)審計管理辦法》所規(guī)定的審計要求有所不同。有關(guān)于此,我們將在下面的內(nèi)容中進(jìn)一步詳細(xì)說明。
Thus, in terms of whether an enterprise bears personal information protection compliance audit obligations, all enterprises are subject to such obligations. The key distinction lies in the varying audit requirements stipulated by the Administrative Measures for Personal Information Protection Compliance Audits for different types of enterprises. We will elaborate on this further in the following sections.
三、應(yīng)當(dāng)如何開展實(shí)施個人信息保護(hù)合規(guī)審計
III.How to Conduct and Implement Personal Information Protection Compliance Audits
Since all enterprises bear personal information protection compliance audit obligations, this section explains in detail how to conduct and implement such audits. It covers the audit obligations that apply to different types of enterprises (including the initiation of mandatory audits, the selection of audit institutions and the required audit frequency), as well as how enterprises should carry out an audit and what actions they should take before, during and after it.
(i) Initiation of Audits – Regulatory Audits and Voluntary Audits
Although we have said that every enterprise bears a personal information protection compliance audit obligation, how an audit is initiated still differs by circumstance: this is the distinction between regulatory audits and voluntary audits. Under the Administrative Measures for Personal Information Protection Compliance Audits, if a "protection department" (the national cyberspace administration or another department fulfilling personal information protection duties) requires a compliance audit to be conducted, the audit is a "regulatory audit".
根據(jù)《個人信息保護(hù)合規(guī)審計管理辦法》第五條的規(guī)定,在以下這些情況下,保護(hù)部門可能會對企業(yè)發(fā)起監(jiān)管審計:
Article 5 of the Administrative Measures for Personal Information Protection Compliance Audits specifies the following scenarios in which protection departments may initiate regulatory audits:
(1) 發(fā)現(xiàn)個人信息處理活動存在嚴(yán)重影響個人權(quán)益或者嚴(yán)重缺乏安全措施等較大風(fēng)險的;
(1) When personal information processing activities are found to pose significant risks, such as severely impacting individual rights or lacking adequate security measures;
(2) 個人信息處理活動可能侵害眾多個人的權(quán)益的;
(2) When personal information processing activities are likely to infringe upon the rights of a large number of individuals;
(3) 發(fā)生個人信息安全事件,導(dǎo)致100萬人以上個人信息或者10萬人以上敏感個人信息泄露、篡改、丟失、毀損的。
(3) When a personal information security incident results in the leakage, alteration, loss, or damage of personal information involving more than 1 million individuals or sensitive personal information involving more than 100,000 individuals.
Because the first two triggering conditions above have no clear quantitative threshold, we recommend that enterprises refer to relevant standards such as Information Security Technology – Information Security Risk Assessment Methods (GB/T 20984-2022), issued by the National Standardization Management Committee, as a reference when assessing the risks present in their personal information processing activities.
Apart from regulatory audits initiated by a protection department, all other audits, which an enterprise initiates on its own, are voluntary audits.
(ii) Determining Audit Frequency – How Often Should Compliance Audits Be Conducted
Regarding audit frequency, the Administrative Measures for Personal Information Protection Compliance Audits together with related laws and regulations give rise to three distinct scenarios:
(1) Regulatory audits: must be conducted and completed within a specified timeframe. According to Article 9 of the Administrative Measures for Personal Information Protection Compliance Audits: "Where a personal information handler conducts a personal information protection compliance audit at the request of a protection department, it shall select a professional institution as required by the protection department and complete the audit within the specified timeframe." In other words, in the case of a regulatory audit, the enterprise must immediately begin the audit as required by the regulator and complete it within the stipulated deadline.
(2) Periodic audits: required for handlers meeting specific conditions. Personal information handlers meeting specific conditions must audit their personal information processing activities at statutory intervals, including:
① Handlers processing the personal information of more than 10 million individuals shall conduct an audit at least once every two years (Article 4 of the Administrative Measures for Personal Information Protection Compliance Audits);
② Handlers processing the personal information of minors shall conduct an audit every year (Article 37 of the Regulations on the Protection of Minors in Cyberspace).
(3) Reasonable-interval audits: determined by the specific business circumstances. Personal information handlers not falling into either of the above categories may reasonably determine the frequency of their periodic compliance audits based on their own situation. The relevant rules set no explicit limit for such cases; we recommend that enterprises conduct a personal information protection compliance audit every 2-3 years, taking into account their compliance needs and business scenarios.
(iii) Determining the Audit Institution – Choosing Between Internal and External Audits
審計機(jī)構(gòu)的確定主要包含兩個內(nèi)容,一個是企業(yè)應(yīng)當(dāng)由誰來負(fù)責(zé)審計工作的開展實(shí)施,另一個是審計機(jī)構(gòu)如何組成。
The determination of the audit institution primarily involves two aspects: who should be responsible for conducting the audit and how the audit institution should be composed.
《個人信息保護(hù)合規(guī)審計管理辦法》僅對兩種情況下的審計負(fù)責(zé)人提出了要求,處理100萬人以上個人信息的個人信息處理者應(yīng)當(dāng)指定個人信息保護(hù)負(fù)責(zé)人,負(fù)責(zé)個人信息處理者的個人信息保護(hù)合規(guī)審計工作(《個人信息保護(hù)合規(guī)審計管理辦法》第十二條第一款),提供重要互聯(lián)網(wǎng)平臺服務(wù)、用戶數(shù)量巨大、業(yè)務(wù)類型復(fù)雜的個人信息處理者,應(yīng)當(dāng)成立主要由外部成員組成的獨(dú)立機(jī)構(gòu)對個人信息保護(hù)合規(guī)審計情況進(jìn)行監(jiān)督(《個人信息保護(hù)合規(guī)審計管理辦法》第十二條第二款)。其他企業(yè),我們建議由該企業(yè)的數(shù)據(jù)合規(guī)部門來負(fù)責(zé)審計工作的開展實(shí)施。
The Administrative Measures for Personal Information Protection Compliance Audits specifies requirements for audit responsibilities in two scenarios: Personal information handlers processing personal information of more than 1 million individuals shall designate a personal information protection officer responsible for conducting compliance audits (Article 12, Paragraph 1 of the Administrative Measures for Personal Information Protection Compliance Audits). Personal information handlers providing major internet platform services, with a large user base and complex business types, shall establish an independent body composed mainly of external members to oversee compliance audits (Article 12, Paragraph 2 of the Administrative Measures for Personal Information Protection Compliance Audits). For other enterprises, we recommend that the data compliance department be responsible for conducting the audits.
Beyond this, enterprises are usually more concerned with the choice of audit institution, because whether an external institution must be engaged directly and materially affects compliance costs. We explain this question in detail below so that enterprises can decide clearly and accurately.
First, it must be made clear that for regulatory audits, an enterprise must engage a professional institution; it may not organize its own personnel to perform the audit or rely on an internal audit alone.
The Administrative Measures for Personal Information Protection Compliance Audits do not specify which types of organizations qualify as professional institutions; they provide only that "a professional institution shall have the capability to conduct personal information protection compliance audits, with audit personnel, premises, facilities and funding commensurate with the service. Relevant professional institutions are encouraged to obtain certification. Certification of professional institutions shall be carried out in accordance with the Regulations of the People's Republic of China on Certification and Accreditation" (Article 7 of the Administrative Measures for Personal Information Protection Compliance Audits). Notably, the Regulations on Certification and Accreditation define certification as a conformity assessment activity in which a certification body attests that a product, service or management system conforms to the relevant technical specifications, the mandatory requirements of those specifications, or standards. Whether a professional institution's compliance audit service conforms to such specifications, mandatory requirements or standards will therefore be the criterion for its certification. As of now, however, no standard or specification exists that specifically evaluates the capability to deliver compliance audit services. A dedicated specification for compliance audits, or a clarification of which existing specifications and standards form the basis for certification, may therefore follow.
Since regulatory audits must be entrusted to a professional institution and there are as yet no criteria for evaluating such institutions, we recommend that an enterprise facing a regulatory audit requirement ask the protection department for a list of institutions it recognizes and choose from it, so as to satisfy the mandatory regulatory requirement. Once certification criteria for compliance audits are issued, a large number of certified institutions will become available on the market for enterprises to choose from.
除了監(jiān)管審計之外,自主審計情況下,企業(yè)均可以選擇通過內(nèi)部機(jī)構(gòu)或者委托專業(yè)機(jī)構(gòu)任一方式進(jìn)行個保合規(guī)審計。
For voluntary audits, enterprises may choose to conduct audits either through internal departments or by engaging professional institutions.
我們提醒企業(yè)須充分注意審計的“專業(yè)性”、“獨(dú)立性”、和“全面性”要求。顯然專業(yè)機(jī)構(gòu)作為外部獨(dú)立審計單位能夠滿足上述要求,而企業(yè)通過內(nèi)部機(jī)構(gòu)進(jìn)行審計時,則應(yīng)當(dāng)對于予以充分注意,以確保審計的有效性。為滿足審計要求,我們建議企業(yè)可以采用內(nèi)部機(jī)構(gòu)與外部專業(yè)人士相結(jié)合組成審計機(jī)構(gòu)來進(jìn)行審計的方式,來協(xié)助企業(yè)共同完成內(nèi)部審計工作。這樣做的好處是顯而易見的:一方面,在缺乏認(rèn)證的情況下,單獨(dú)聘請的外部機(jī)構(gòu)未必能夠滿足未來監(jiān)管對于專業(yè)機(jī)構(gòu)的評價條件,該等機(jī)構(gòu)是否適格存有疑問;另一方面,由于外部機(jī)構(gòu)不熟悉企業(yè)業(yè)務(wù)屬性,會增加審計所耗費(fèi)的溝通成本、時間成本等合規(guī)成本;最后,外部機(jī)構(gòu)的審計費(fèi)用會增加企業(yè)的合規(guī)負(fù)擔(dān)。而采用外部專業(yè)人員與企業(yè)內(nèi)部合規(guī)人員相結(jié)合的方式,恰恰能解決上述問題。目前,由中國國家市場監(jiān)督管理總局和國家互聯(lián)網(wǎng)信息辦公室共同指導(dǎo)和支持的中國網(wǎng)絡(luò)安全審查認(rèn)證和市場監(jiān)管大數(shù)據(jù)中心已經(jīng)開展了“個人信息保護(hù)合規(guī)審計師”的個人專業(yè)資質(zhì)認(rèn)證工作,持有此類認(rèn)證資質(zhì)的專業(yè)人員,能夠滿足企業(yè)在個保合規(guī)審計過程中需要外部專業(yè)人員支持的需求。
We remind enterprises to pay close attention to the requirements of professionalism, independence, and comprehensiveness in audits. While professional institutions, as external independent auditors, naturally meet these requirements, enterprises conducting internal audits must ensure these criteria are satisfied to guarantee audit effectiveness. To meet audit requirements, we recommend that enterprises adopt a hybrid approach, combining internal departments with external professionals to form the audit team. This approach offers several advantages: First of all, in the absence of certification, solely engaging external institutions may not meet future regulatory evaluation criteria, raising questions about their suitability. Secondly, external institutions unfamiliar with the enterprise's business may increase communication and time costs, adding to compliance burdens. Finally, the fees charged by external institutions may further increase compliance costs. On the other hand, by combining external professionals with internal compliance personnel, enterprises can address these issues effectively. Currently, the China Cybersecurity Review Certification and Market Regulation Big Data Center, guided and supported by the State Administration for Market Regulation and the Cyberspace Administration of China, has launched the "Personal Information Protection Compliance Auditor" certification program. Professionals holding this certification can meet enterprises' needs for external expertise in compliance audits.
(iv) Pre-Audit Preparation – Creating Favorable Conditions for Compliance Audits
Pre-audit preparation aims to create sufficiently favorable conditions for the audit to proceed smoothly. Taking as an example a self-initiated audit conducted by the enterprise together with external professionals, the preparation mainly includes: determining the objectives and scope of the audit, drawing up an audit plan, forming the audit team and designating the team leader (usually the person in charge of the audit), carrying out a preliminary investigation before the audit, and identifying the resources that must be coordinated for it.
A key recommendation is that, before the audit begins, the enterprise first review whether the mandatory prerequisites of personal information compliance are in place: for example, whether the enterprise has a management system, internal policies, procedures and standards ensuring that personal information is effectively protected, and whether every matter for which the relevant rules require a personal information protection impact assessment (PIA) has actually been assessed with the report retained. The reason for this advance review is that these compliance elements will certainly fall within the scope of the compliance audit; if such gaps are discovered during the audit, the audit may have to be interrupted while considerable time is spent closing them, prolonging the audit cycle. The advance review can be performed by the enterprise's data compliance department or by external personal information protection compliance audit experts engaged to assist early.
It should also be noted that because a personal information protection compliance audit covers the entire lifecycle of personal information processing, it will touch every link and area of the enterprise's production and operations. Before the audit begins, the necessary resources must therefore be put in place, including but not limited to: an audit budget, cooperation and coordination among departments, system access permissions and dedicated office space for the audit work.
(v) Audit Methods – Understanding General Audit Practices
Generally, the methods auditors adopt in a personal information protection compliance audit include, but are not limited to, the following:
(1) Document review. This covers, among other things, whether the company's policies and management systems are complete, whether operational procedures are clear, whether customer consent documentation is complete, whether assessment reports, training records and logs are retained, and whether the required qualifications and certificates are held.
(2) System testing. Systems are tested by various technical means to check whether they meet information security requirements. Auditors may even check whether compliance obligations are being met by accessing the service through test accounts or contacting the company as a simulated customer by telephone.
(3) Personnel interviews. Interviews are used to understand how personal information protection is actually implemented in each workflow.
Because an enterprise may apply different processing procedures to different categories of personal information in different scenarios, a statutory personal information protection compliance audit generally must review all personal information processing activities and cannot be limited to individual scenarios. The specific audit methods are therefore decided by the audit team for each scenario when formulating the audit plan.
(vi) Audit Reports and Remediation – Ongoing Compliance Obligations
At the end of the audit, the deliverable is the Audit Report. In the case of a regulatory audit, the audit report must be submitted to the protection department. If the protection department requires the enterprise to rectify compliance problems identified in the report, the enterprise must rectify them as required and submit a rectification report to the protection department within 15 working days of completing the rectification (Article 11 of the Administrative Measures for Personal Information Protection Compliance Audits). To ensure the rectification is effective, we recommend that enterprises complete it and verify its results with the assistance of a professional institution or professionals.
In the case of a voluntary audit, there is no requirement to submit the audit report to the regulator, but the enterprise should retain the audit results and rectification results in written form as evidence of compliance to be produced during any regulatory review by the protection department.
At the same time, enterprises must clearly understand that the personal information protection compliance audit is a mandatory obligation concerning whether their personal information protection is compliant. If changes in the enterprise's mode of operation, products or services, business processes, market or other factors lead to major changes in its personal information processing activities, an earlier compliance audit does not become a permanent "umbrella" for compliance; the enterprise must still take the necessary compliance measures (such as a PIA or compliance audit) for those changes.
About the Author

Kai ZHU (朱凱)
Managing Partner; Chair of the TMT & Data Compliance Committee
Practice areas: equity governance, M&A, corporate compliance, data compliance and personal information protection
Professional certifications: Data Protection Officer (DPO, EXIN); Personal Information Protection Compliance Auditor (CCRC)
Working languages: Chinese, English, Shanghainese
zhukai@ilandlaw.com