Data Governance in Hong Kong

Data governance is an integral component of any company’s technology strategy, helping ensure information is stored safely, processed efficiently and used for its intended purposes. Furthermore, it can help reduce data risk while providing a framework for responding to regulatory requests. But for any data governance program to succeed, it requires more than just a vision and business case: it requires the support of relevant people who can champion and execute it.

Data governance relies on assigning clear roles that will implement, manage and oversee its framework and related projects. A RACI matrix (responsible, accountable, consulted and informed) is an ideal way of organizing team member responsibilities; it helps identify who’s accountable for various tasks while simultaneously eliminating duplication of effort and conflicting duties.

Creating a vision and business case is the essential initial step of any data governance project. The vision outlines the program’s overall strategic objectives, while the business case details how the program will generate return on investment. Together, these tools form a roadmap that will lead your organization through the complexity of creating an effective data governance program.

Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”) establishes various rights for data subjects as well as specific obligations on data users through six privacy principles, with one such principle mandating that any entity collecting personal data expressly inform the individual upon collection about the purpose(s) for collecting it and the recipients that may receive or transfer such data.

Many data privacy regimes define personal data to include any information pertaining to an identifiable natural person. This definition was included in the PDPO when it was enacted in 1996 and conforms with other legal norms, such as those found in mainland China’s Personal Information Protection Law or the European Economic Area’s General Data Protection Regulation.

The PDPO applies only to “data users” who collect, hold, process or use personal data within Hong Kong, unlike some other privacy laws, which have extraterritorial scope. Tanner De Witt’s Padraig Walsh provides insight into this distinction and explores how jurisdictions differ in their approaches to this issue. Subtle differences can have a big effect on cross-border data transfer compliance, and the PDPO requirements become especially relevant given the global nature of businesses today. Effective compliance with its requirements is therefore even more crucial.