A Holistic Approach to Data Governance in Hong Kong

As Hong Kong enters a new phase in its development as a Special Administrative Region of China, it must embrace the challenges and opportunities presented by the digital economy. One of those challenges is how to balance the protections afforded to personal data with the need for businesses to collect, use and share data. This is a complex issue, and it requires a holistic approach to data governance that addresses both business and legal considerations.

A good starting point is to understand who and what counts as a “data user”. The definition in the Personal Data (Privacy) Ordinance (PDPO) is broad: it includes any person who controls the collection, holding, processing or use of personal data. It applies not just to data users who collect and process the information of Hong Kong residents but also to those who transfer that information abroad. It is important to identify and document all data processing activities. This is the basis for conducting a Data Protection Impact Assessment (DPIA) and establishing compliance measures.

The next step is to identify a data governance framework that fits your business requirements. This will include a clear set of roles and responsibilities, an accountability framework, policies and procedures, and a data management lifecycle. It is also necessary to define a role for the data governance leader, who will act as the communication bridge between business and IT. This role calls for a strong mix of business and IT skills, together with the ability to explain how the data governance framework affects business processes and decisions. Typically, senior business systems analysts and data and information architects are the best candidates.

Once a data governance framework is established, it’s time to start implementing it. This will involve identifying and communicating with key stakeholders to ensure that the framework is understood and accepted. The most effective way to do this is through a “business case” that describes how the data governance framework will help the organization achieve its business goals. It should be backed up with an evidence-based assessment, including the cost of implementing and maintaining the framework.

A final consideration is the need to implement the PDPO’s provisions on cross-border transfers of personal data. The PDPO’s section 33 prohibits the transfer of personal data outside Hong Kong without the prior consent of the data subject unless certain conditions are fulfilled. In contrast, the European Union’s GDPR imposes an adequacy requirement and a number of other restrictions on international data transfers.