If your company handles personal data in China, a new era of scrutiny has begun—and it’s not optional.
As of May 1, 2025, the Cyberspace Administration of China (CAC) enforces the Personal Information Protection Compliance Audit Measures, compelling businesses to conduct regular audits of their data practices. This move underscores the nation’s commitment to data security and personal information protection.
Key Takeaways From This Article
Mandatory audits: Companies processing over 10 million individuals’ data must audit every two years.
Compliance officers required: Firms handling data of over 1 million individuals must appoint a dedicated compliance officer.
Independent oversight: Major platforms with significant user bases need external supervisory bodies.
Penalties for non-compliance: Fines can reach up to RMB 50 million or 5% of annual turnover.
Understanding the New Compliance Landscape
The Personal Information Protection Law (PIPL), effective since 2021, laid the groundwork for data protection in China. The recent Audit Measures build upon this, providing detailed requirements for compliance audits. Companies are now obligated to assess their data handling practices, ensuring alignment with national standards.
For instance, a multinational corporation operating in China must now evaluate its data processing activities, ensuring that consent mechanisms, data storage, and transfer protocols meet the stipulated guidelines. Failure to do so could result in significant penalties and reputational damage.
Who Must Comply?
The Audit Measures apply to a broad spectrum of entities:
- Large Data Handlers: Companies processing personal information of over 10 million individuals are required to conduct compliance audits at least once every two years.
- Mid-Sized Firms: Those handling data of more than 1 million individuals must designate a person responsible for overseeing personal information protection compliance audits.
- Major Platforms: Companies providing significant internet platform services, with over 50 million registered users or more than 10 million monthly active users, are required to establish an independent organization, primarily composed of external members, to supervise compliance audits.
These requirements ensure that entities of varying sizes and scopes maintain robust data protection practices.
Conducting the Audit
Companies have the flexibility to choose between internal and external audits:
- Internal Audits: Firms can appoint internal departments to assess compliance, provided they adhere to the guidelines released with the measures.
- Third-Party Audits: Engaging external professional institutions is an option, especially when internal expertise is lacking. However, under certain circumstances, cybersecurity protection authorities may require a company to engage a professional institution to conduct a compliance audit.
In both scenarios, auditors must evaluate various aspects, including consent mechanisms, data storage practices, and cross-border data transfers.
Penalties for Non-Compliance
Non-adherence to China’s compliance audit measures isn’t a matter of internal risk—it’s a legal liability with consequences that can cripple operations, reputations, and investor confidence.
Under the Personal Information Protection Law (PIPL):
If a company fails to meet basic data protection obligations—such as collecting consent, securing data, or enabling user rights like access and deletion—it could face fines of up to RMB 1 million (approximately USD 137,000). That might seem manageable to some businesses. But in cases where violations are deemed serious, the penalty jumps significantly: up to RMB 50 million (about USD 6.9 million) or 5% of the previous year’s turnover—whichever is higher.
These serious violations include repeated non-compliance, unlawful cross-border data transfers, or incidents that lead to large-scale data breaches affecting national security or public interest. Fines are not the only concern. Regulators may also suspend operations, revoke licences, or blacklist entities from government procurement channels. Public disclosures of non-compliance also damage brand trust—especially in sensitive sectors like finance, health, and e-commerce.
Under the Network Data Security Management Regulations (NDSMR):
This law, which complements PIPL, targets broader data security practices—like system vulnerabilities, reporting mechanisms, and risk assessments. General infractions here attract fines up to RMB 1 million. However, serious violations—such as failing to notify authorities of a data breach, ignoring mandated audits, or failing to implement recommended improvements—can result in fines ranging from RMB 1 million to RMB 10 million (roughly USD 137,000 to USD 1.4 million).
What’s more, key individuals responsible—such as the compliance officer, CTO, or even board members—can be held personally liable. These individuals could face additional administrative sanctions, including travel restrictions or bans from holding executive roles in similar industries.
Public example:
In 2023, ride-hailing giant Didi was fined over USD 1.2 billion by the CAC for multiple violations, including unlawful data collection and failure to complete a security review before IPO filing. The case sent shockwaves through global firms with operations in China—and highlighted that non-compliance isn’t a theoretical risk.
These measures are not symbolic. They’re designed to ensure companies take personal information protection as seriously as financial reporting or taxation. And the penalties—whether financial, operational, or reputational—send a clear message: you are expected to build compliance into the core of your business model.
Preparing for Compliance
To navigate the new regulatory landscape effectively:
- Assess Data Processing Activities: Understand the volume and nature of personal data handled.
- Appoint Compliance Officers: Designate responsible individuals to oversee data protection measures.
- Engage External Auditors: Consider third-party (JET IT Services) assessments to ensure objectivity and thoroughness.
- Review Consent Mechanisms: Ensure that data collection and processing are based on informed and voluntary consent.
- Evaluate Cross-Border Data Transfers: Comply with regulations concerning data exported outside China.
By taking these steps, companies can align with China’s data protection expectations and mitigate potential risks.
China’s enhanced data protection regulations signify a shift towards greater accountability and transparency in personal information handling. Businesses operating within the country must adapt to these changes, ensuring that their data practices meet the stipulated standards. Proactive compliance not only avoids penalties but also fosters trust among consumers and stakeholders.
Need Help Ensuring Your Company Stays Compliant?
Navigating China’s complex data protection landscape can be challenging. If you’re unsure whether your company is fully aligned with the latest regulatory requirements, or if you need help preparing for an audit, JET IT Services is here to help.
Our team of experts specialises in guiding businesses through the intricacies of compliance, ensuring you understand and implement the necessary protocols. From conducting comprehensive audits to advising on best practices for data protection, JET IT Services can provide the support you need to avoid penalties and maintain business continuity.
Don’t leave your company’s future to chance—contact JET IT Services today to ensure that you’re fully prepared for China’s data protection laws.
About JET IT Services
JET helps businesses in China overcome IT challenges with reliable, compliant, and secure solutions. From network optimization to cybersecurity, we ensure your IT systems run smoothly so you can focus on what matters most—growing your business!