Data Protection Enforcement in China: What New Audit Expectations Signal for Corporate Governance

  • Apr 23

China’s approach to data protection is entering a more assertive phase. While the legislative framework has been largely in place for several years, enforcement is now becoming more structured, more frequent, and more closely tied to corporate governance expectations.

For businesses operating in or entering China, this shift is not simply about compliance with data rules. It reflects a broader regulatory position where data management, internal controls, and board-level oversight are increasingly treated as indicators of how well a company is governed.

From Regulation to Enforcement

China’s core data protection regime is built around three key laws:

  • The Personal Information Protection Law (PIPL)

  • The Data Security Law (DSL)

  • The Cybersecurity Law (CSL)

These laws define how personal data, important data, and network infrastructure must be handled. What has changed is the intensity and sophistication of enforcement.

Regulators are now moving beyond reactive investigations. Instead, they are proactively auditing businesses, particularly those with cross-border data flows, large datasets, or strategic industry exposure.

This shift means that compliance can no longer rely on documentation alone. Authorities increasingly expect to see how policies operate in practice.

The Rise of Data Compliance Audits

Recent developments indicate a clear move towards formalised data compliance audits as a standard regulatory tool.

These audits are no longer limited to high-risk sectors. They are expanding across industries and are often triggered by:

  • Cross-border data transfers

  • Use of cloud infrastructure or offshore storage

  • Large-scale processing of personal information

  • Integration of AI or automated decision-making systems

Audit expectations are becoming more detailed and operational. Regulators are not just reviewing whether policies exist. They are assessing whether:

  • Data classification frameworks are actively maintained

  • Access controls are enforced and monitored

  • Data minimisation principles are applied in real scenarios

  • Incident response processes are tested and documented

In practice, this means businesses must demonstrate control, not just intent.

Cross-Border Data Scrutiny Is Intensifying

One of the most significant enforcement trends is the tightening of cross-border data transfer requirements.

Companies transferring data out of China are expected to:

  • Conduct security assessments or file standard contractual clauses where required

  • Map data flows with precision

  • Justify the necessity of transferring specific datasets

  • Maintain clear records of approvals and internal reviews

Regulators are placing particular focus on whether companies understand exactly what data leaves China, where it goes, and why.

Gaps in this visibility are increasingly seen as governance failures rather than technical oversights.

Corporate Governance Is Now Directly in Scope

A key development is the way data compliance is being linked to corporate governance.

Regulators are no longer treating data protection as a purely technical or IT function. Instead, they are examining:

  • Whether senior management is accountable for data compliance

  • How responsibilities are allocated across departments

  • Whether internal reporting structures allow risks to be escalated effectively

  • How frequently compliance is reviewed at leadership level

In some cases, enforcement actions have highlighted failures in oversight rather than failures in policy design.

This reflects a wider expectation that data protection should sit alongside financial compliance and internal audit within the governance framework.

Internal Controls and Documentation Are Under Review

Audit activity is also focusing heavily on internal controls and documentation standards.

Businesses are expected to maintain:

  • Clear data inventories and classification registers

  • Documented processing activities

  • Up-to-date consent and authorisation records

  • Logs of data access and transfer activities

However, documentation alone is not sufficient. Regulators increasingly test whether:

  • Records match actual system behaviour

  • Staff follow documented procedures

  • Controls are consistently applied across business units

Discrepancies between policy and practice are a common source of enforcement risk.

Sector-Specific Pressure Is Increasing

Certain industries are facing more intense scrutiny due to the sensitivity or volume of data involved.

These include:

  • Technology and platform businesses

  • Healthcare and life sciences

  • Financial services

  • Manufacturing with cross-border supply chains

Companies in these sectors are more likely to encounter targeted audits, particularly where data intersects with national security, public interest, or large-scale consumer activity.

What This Means for Businesses

The direction of travel is clear. Data protection in China is evolving into a governance issue that requires structured oversight, not just technical compliance.

Businesses should be focusing on several key areas:

1. Operationalising Data Policies

Policies must be translated into day-to-day processes that can be demonstrated during an audit.

2. Strengthening Data Visibility

Companies need a clear and accurate understanding of what data they hold, how it is used, and where it flows.

3. Embedding Accountability

Responsibility for data compliance should be clearly assigned, with senior management actively involved.

4. Preparing for Audit Scenarios

Internal reviews should mirror regulatory audits, testing both documentation and real-world execution.

5. Aligning Data and Corporate Governance

Data protection should be integrated into broader governance frameworks, alongside finance, risk, and compliance functions.

A Shift That Requires Structural Change

The current enforcement environment signals a move away from checkbox compliance towards demonstrable control and accountability.

For many businesses, this requires structural adjustments rather than incremental fixes. Data governance must be embedded across the organisation, supported by systems, processes, and leadership engagement.

Companies that treat data protection as a core governance function will be better positioned to manage regulatory risk, maintain operational continuity, and support long-term growth in the Chinese market.

In contrast, those relying on static policies or fragmented controls are likely to face increasing pressure as audit expectations continue to evolve.


Can Woodburn help you?

Woodburn Accountants & Advisors is one of China and Hong Kong’s most trusted business setup advisory firms.


Woodburn Accountants & Advisors is specialized in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to the full outsourcing solution for accounting, tax, and human resource services. Our advisory services can be tailor-made based on the companies’ objectives, goals and needs which vary depending on the stage they are at on their journey.