Personal Information Law —— China Requests Public Comments on the Draft National Standard Regarding Personal Information Compliance Audits

2024.08.06 WANG, Weihua

Following the implementation of the Personal Information Protection Law (“PIPL”), the legislative framework governing data protection in China has evolved rapidly over the past three years. The PIPL delineates two types of personal information compliance audits: “regular self-audits” and “ad hoc audits required by the regulator”. The latter are required when supervisory authorities identify risks in personal information processing activities or when a personal information security incident occurs.


The requirements for personal information compliance audits are emphasized in various administrative regulations, rules and guidelines. Article 37 of the Regulation on the Protection of Minors in Cyberspace mandates that personal information processors must either conduct their own audits or engage specialized agencies to audit their compliance with laws and administrative regulations in the processing of the personal information of minors on an annual basis, and report the audit findings to the cyberspace administration and other authorities in a timely manner. Similarly, the Notice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Apps requires App developers and operators to conduct regular compliance audits of their personal information protection measures and their implementation, as a part of their primary responsibilities.


On August 3, 2023, the Cyberspace Administration of China released a draft of the Administrative Measures for Personal Information Compliance Audit (“Draft Audit Measures”) based on the existing laws and regulations, which clarified and complemented the requirements for personal information compliance audits under the PIPL. For instance, personal information processors that process the personal information of more than one million individuals must conduct compliance audits at least once a year; for other personal information processors, a compliance audit is required at least once every two years. The Draft Audit Measures detail the specific items to be covered in a compliance audit. For more information about the Draft Audit Measures, see our Brief Analysis of the Key Points of the Administrative Measures for Personal Information Compliance Audit (Draft for Comments).


On July 12, 2024, the National Information Security Standardization Technical Committee (TC260) issued a draft of the National Standard Data Security Technology - Personal Information Protection Compliance Audit Requirements (“Draft Audit Standard”) as part of a consultation process to solicit public comments until September 11, 2024. The Draft Audit Standard provides further practical guidance for preparing personal information compliance audits.


This article explores the legal nature of compliance audit systems for personal information protection. It briefly discusses the audit process, the requirements for audit execution, management, staffing and documentation, and the key audit points for personal information compliance audits as outlined in the Draft Audit Standard.


A. Legal Positioning of the System for Personal Information Compliance Audits


The term “audit” traditionally means financial examination or inspection. According to the Contemporary Chinese Dictionary, an “audit” is defined as the “prior and post supervision and inspection of major projects and financial accounts of governments, financial institutions, corporations and public institutions by a specialized agency in accordance with the law.” According to the Implementation Regulations for the Audit Law of the People’s Republic of China, an “audit” in the Audit Law shall mean the independent inspection by audit authorities of accounting vouchers, account books, financial accounting reports and other materials and assets relating to treasury income and expenditure and the financial income and expenditure of audited organizations pursuant to the law, and the supervision of the authenticity, legitimacy and beneficial results of that treasury income and expenditure.


Unlike traditional financial audits, internal audits by enterprises of whether their personal information processing complies with data protection legislation are not governed by any international standard. The European Data Protection Supervisor (EDPS), the European Union’s independent data protection authority, published Audits conducted by the EDPS - Policy paper and EDPS Audit Guidelines to guide the EDPS in conducting audits and investigations of a company’s data processing activities, but these do not apply to companies conducting internal audits.


We understand that the system for personal information compliance audits is designed with reference to the framework of traditional financial audits to ensure the authority and independence of audits. However, the basis and objectives of personal information compliance audits differ from those of traditional financial audits. The Draft Audit Standard defines compliance audits for personal information protection as supervision that reviews the processing of personal information by personal information processors and assesses their compliance with laws and administrative regulations.


At present, China has established a series of corporate internal audit systems in specialized fields such as banking, insurance, and central SOEs (state-owned enterprises), under which corporate internal auditing is independent of compliance management. Based on our reading of the Draft Audit Standard, the current legal framework for compliance audits of personal information protection does not require the adoption of the same stringent standard of independence as seen in the internal audit systems for central SOEs and the other fields highlighted above. Additionally, the Draft Audit Standard does not mandate the establishment of an independent department for personal information protection audits.


B. Personal Information Compliance Audit Processes


According to the Draft Audit Standard, the personal information protection compliance audit process is divided into five phases: preparation, execution, reporting, remediation and audit record archiving. The key steps of each phase are as follows:


  • Audit preparation: This includes establishing the audit team, conducting pre-audit investigations, determining the audit approach and methodology, and preparing and reviewing the audit plan;

  • Audit execution: This includes issuing audit notices, collecting audit evidence, preparing working papers based on the appropriate audit evidence, and ratifying audit findings;

  • Audit reporting: This includes resolving disagreements, and preparing and submitting the audit report;

  • Remediation: In this phase, the auditor should follow up on any non-compliance identified during the audit process and instruct the audited entity to take corrective measures within a prescribed timeframe. If necessary, the auditor should also conduct follow-up audits on the completion and effectiveness of the corrective measures;

  • Audit record archiving: The working papers, reports and other materials related to the compliance audits for personal information protection should be properly kept.


C. Audit Execution, Management and Staffing Requirements


The Draft Audit Standard sets out clear requirements for the execution and management of personal information compliance audits and the responsibilities of auditors in the following aspects:


Assumption of responsibility: The board of directors (or audit committee), data protection officer, or principal of the personal information processor should take final responsibility for the establishment, operation, and maintenance of the personal information compliance audit system, as well as ensure the independence and effectiveness of these audits.


Supervision of audits: The board of directors (or audit committee), data protection officer or principal of the personal information processor should act as the supervisor of a personal information compliance audit. In addition, personal information processors that provide important Internet platform services, have a large user base, and operate under complex business scenarios should also establish an independent body primarily composed of external members to supervise their personal information protection practices.


Policy framework: A management system for personal information compliance audits should be established. This would outline the form and frequency of personal information compliance audits and define the duties and access of auditors, including but not limited to access to documents and materials, premises and sites, systems, equipment, and personnel.


Audit independence: To ensure an appropriate audit process, all necessary personnel, sites, systems, and financial support should be provided. The Draft Audit Standard stipulates that internal auditors should abstain from performing any assignment relating to the business for which they are responsible and should not be directly involved in the day-to-day business operations or personal information security protection of the audited entity. According to Appendix A of the Draft Audit Standard, if there is no dedicated team responsible for personal information protection compliance audits, the personal information processor should select personnel in reasonable proportions from the internal audit, security, legal and other teams with expertise in audits or personal information protection, and adhere to a principle of independence. The list of such personnel must be approved by the head of the audit team.


The Draft Audit Standard also contains specific provisions regarding the requirements of professional competence, independence, objectivity, fairness, confidentiality, and execution of auditors.


D. Personal Information Compliance Audit Documents


Audit evidence is the factual information obtained by an auditor to support the conclusions of a personal information audit, including the records, statements of fact or other information collected, used or discovered during a personal information protection compliance audit. Appendix B of the Draft Audit Standard provides the common types of audit evidence and the criteria for their validity.


An audit plan outlines the overall strategy and detailed steps to be followed when conducting a personal information compliance audit. The Draft Audit Standard specifies the factors, key items, and assessment procedures to be considered during audit planning.


An audit working paper is a document prepared by the auditor that records the audit plan developed, the procedures performed, the evidence obtained, and the conclusions reached. An audit report is a written document issued by the auditor in an appropriate form that contains the auditor’s opinions and suggestions based on the audit evidence collected and reviewed and the audit findings made during the audit. Appendices D and E of the Draft Audit Standard provide the templates for audit working papers and audit reports respectively.


E. Key Points of Personal Information Compliance Audits


Appendix C of the Draft Audit Standard outlines the auditing matters, evidence and methods for conducting personal information compliance audits. This Appendix generally aligns with the provisions of the PIPL and incorporates requirements from the administrative regulations and national standards. It comprehensively covers the entire process of personal information processing:


  • Personal information processing rules (Articles C.1 to C.13): Like Chapter 2 of the PIPL, the Draft Audit Standard provides key audit points regarding the legal basis of personal information processing, processing rules, notifications, joint processing, entrusted processing, processing under different scenarios of merger/division/dissolution/bankruptcy, the transfer of personal information, automated decision-making, disclosure, collection from public places, personal information already in the public domain, and sensitive personal information. For processing scenarios involving third parties, such as joint processing, entrusted processing and the transfer of personal information, the Draft Audit Standard outlines specific auditing evidence and methods, including but not limited to: examining relevant contracts and documents, inspecting the records of periodic inspections or supervisions, reviewing the written descriptions or testing, assessment or certification reports provided by the recipients, and verifying whether the entrusted entity processes personal information in strict compliance with the data processing agreement.

  • Cross-border transfer of personal information (Articles C.14 to C.15): Like Chapter 3 of the PIPL, the Draft Audit Standard provides key audit points regarding compliance routes for cross-border transfers of personal information, cross-border transfers based on judicial enforcement or international treaties and agreements, and measures taken to ensure that overseas recipients’ processing meets the requirements of the PIPL.

  • Protection of minors’ personal information (Articles C.16 to C.22): Compared to the Draft Audit Measures, the Draft Audit Standard complements and clarifies the audit requirements for protecting the personal information of minors. It develops audit modules in accordance with the Regulation on the Protection of Minors in Cyberspace, including identity verification of minors, minimum necessary collection of minors’ personal information, minors’ rights to their personal information, emergency response to security incidents related to minors’ personal information, minimum necessary access to minors’ personal information, and the protection of minors’ private information.

  • Protection of the rights of personal information subjects (Articles C.23 to C.25): In alignment with Chapter 4 of the PIPL, the Draft Audit Standard provides key audit points regarding the protection of individuals’ rights to delete their personal information and to exercise their personal information rights, and responses to individuals’ requests for explanations of the rules of personal information processing.

  • Obligations of personal information processors (Articles C.26 to C.33): Like Chapter 5 of the PIPL, the Draft Audit Standard outlines key audit points regarding the primary responsibilities of personal information processors, management measures, technical measures, personnel training, the person in charge of personal information protection, personal information protection impact assessments, and the emergency response to personal information security incidents.

  • Special responsibilities of large Internet platforms (Articles C.34 to C.37): Like Article 58 of the PIPL, the Draft Audit Standard specifies key audit points regarding independent organizations overseeing personal information protection, Internet platform rules, the supervision of product or service providers within the platform, and the social responsibility of reporting on personal information protection.


F. Observations and Advice


The Draft Audit Standard addresses every aspect of compliance audits for personal information protection, from audit rules, requirements, and procedures, to auditing items and methods, and audit evidence, and provides the templates for audit working papers and audit reports. This standard offers more practical guidance and support for the implementation of the PIPL and the Draft Audit Measures.


The release of the Draft Audit Standard is a further indication that the compliance audit system for personal information protection is being established and is moving closer to implementation.


Even though the official version of the Draft Audit Standard has not yet been issued, we advise enterprises to familiarize themselves with the requirements outlined in the Draft Audit Standard. We suggest they maintain and organize records and documents relating to personal information processing activities and establish an internal mechanism for conducting compliance audits for personal information protection tailored to the specific characteristics of their business and management. By doing so, enterprises can proactively prepare for personal information compliance audits to be conducted once the Draft Audit Measures and the Draft Audit Standard are formally implemented. This preparation should include considerations for management, staffing, technical support, and external cooperation.
