Theoretical logic and system construction of personal information protection compliance audit
Abstract: Personal information protection compliance audit is not only a legal obligation for personal information processors; its preventive exemption function also helps to incentivize personal information processors to reasonably avoid legal risks, proactively improve their personal information protection capabilities, and promote the synergy between government supervision and enterprise self-discipline in the context of regulatory model transformation. The Personal Information Protection Law provides for a two-tier audit model of "autonomous audit + mandatory audit", and the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comments) provides an important basis for the implementation of compliance audit, but gaps remain in terms of system connection, legal effect, and the conduct of audit work. In its understanding of risk, personal information protection compliance audit should consider both personal information protection risks and compliance risks, and it should be clearly differentiated from personal information protection impact assessment, algorithmic auditing and other systems in terms of applicable cases, purpose and content. To ensure the effectiveness of personal information protection compliance audit, the audit system needs to focus on the systematic construction of audit principles, audit preparation, audit basis, audit method, audit content and audit conclusion; at the same time, it must also consider key issues that arise when audit activities are actually carried out, such as the implementation of the audit principles, the development of audit checklists, the selection of the audit basis, and the application of audit conclusions.
Author: Wang Chong (王冲) (School of Law, Tsinghua University, Beijing 100084, China)
Affiliation: School of Law, Tsinghua University
Source: Cyber Security and Data Governance (《网络安全与数据治理》), 2024, No. 1, pp. 65-72, 78 (9 pages in total)
Funding: Major Project of the National Social Science Fund of China (18ZDA149).
Keywords: personal information protection compliance audit; risk assessment; autonomous audit; mandatory audit