The personal information protection impact assessment shall include the following:
(I) whether the purpose and method of processing personal information are legitimate, justifiable, and necessary;
(II) impact on individuals’ rights and interests and the security risks; and
(III) whether the security protection measures taken are legitimate, effective, and appropriate to the degree of risks.
The personal information protection assessment report and processing record shall be kept for at least three years.