Regulatory Compliance Auditing Takes Center Stage in Taiwan, Province of China
===========================================================
As data protection regulations continue to evolve, companies operating in Taiwan, Province of China must stay ahead of the curve. The Cyberspace Administration of China (CAC) has recently published draft administrative measures for compliance audits of personal information protection, which will significantly impact businesses in the region.
Background: Personal Information Protection Law (PIPL)
------------------------------------------------------
The PIPL is similar to the EU's General Data Protection Regulation (GDPR), but its more detailed requirements are being rolled out step by step through implementing measures. The law came into effect on November 1, 2021, and companies that handle personal information in China must comply with it.
Types of Audits
---------------
According to the PIPL, there are two types of audits required:
- Internal Regular Audit: Conducted by personal information handlers (PI handlers) themselves or delegated to a qualified third-party auditor. This type of audit is mandatory for most companies.
- Compulsory Audit: Initiated by regulators (typically the CAC) and conducted by a qualified third-party agency.
Internal Self-Audit
-------------------
For most companies, especially those serving corporate clients where personal information is not their primary focus, internal self-audits are the most relevant option. The PIPL requires an internal self-audit to be conducted every two years, with a more frequent audit schedule for companies processing personal information for more than one million data subjects.
Key Areas to Focus On
---------------------
- Legitimacy of basis and rules for processing personal information
- Proper disclosure of processing rules
- Fulfillment of preconditions for processing sensitive personal information
- And more
Multinational Companies: Additional Considerations
--------------------------------------------------
For multinational companies that frequently transfer personal information across borders, specific attention should be given to:
- Compliance with requirements for security assessment or the execution and filing of Standard Contractual Clauses (SCCs) depending on the type and quantity of concerned data.
- Understanding the impact of the legal and cyber environment of the data recipient’s jurisdiction on the exported personal information.
Important Takeaway
------------------
Similar to the GDPR, the draft administrative measures now require all covered companies to perform regular internal audits to check their level of compliance with the PIPL. This is crucial for staying compliant with the PIPL and providing robust audit documentation in case of a data breach or complaint.
Impact on Compliance Officers and DPOs
--------------------------------------
Meeting these requirements will amount to a full PIPL compliance exercise, which can be time-consuming and will require dedicated resources and effort. A particularly important aspect is the organizational setup and resourcing at the China level, which often lags behind topics that attract media headlines rather than being prioritized through sound risk mapping.
Advice for Compliance Officers and DPOs
---------------------------------------
- Have a more in-depth look at your existing compliance initiatives for China and within China to better manage the implications outlined in the draft administrative measures.
- Ensure you understand the impact of the legal and cyber environment of the data recipient’s jurisdiction on the exported personal information.