Data is a vital resource for businesses, but managing the risk associated with this critical asset is a significant challenge. A data governance program is an effective way to manage the risk of unmanaged data and ensure that data is managed in line with regulatory obligations. The program involves a diverse group of people, including employees, stakeholders and partners who depend on the data. It is important that everyone understands their role and responsibilities in the data governance process. To ensure this, it is best to use a responsibility assignment matrix such as RACI (responsible, accountable, consulted, informed).
A growing number of business transactions involve transferring personal data across international boundaries. Consequently, it is important that Hong Kong companies remain mindful of data transfer requirements and the best practices and ethical standards to which they are bound. Padraig Walsh, a Partner in the Data Privacy practice group at Tanner De Witt, discusses some key points to note on data transfers under Hong Kong law.
The first point to consider is whether or not the PDPO applies to the transfer in question. The PDPO only applies where the data user in question controls the collection, holding or processing of personal data in or from Hong Kong – the concept of control is broadly defined. This differs from the approach taken by many other data protection regimes, which include provisions conferring extra-territorial application.
Whether or not the PDPO applies, it is important to carry out a transfer impact assessment before exporting personal data overseas. This is not mandatory under the PDPO but, as with the obligation to notify data subjects of any intended transfer, it is an important part of a company’s overall commitment to best practice and ethics in its governance of personal data.
A transfer impact assessment will enable the data exporter to identify and adopt supplementary measures necessary to bring the level of protection afforded to the transferred personal data up to Hong Kong standards. This step may involve technical measures such as encryption, anonymisation or pseudonymisation or contractual provisions imposing audit, inspection and reporting, beach notification and compliance support and co-operation obligations.
The PCPD has recently published two sets of recommended model clauses that can be incorporated into contracts dealing with cross-border data transfer. These models cater for the transfer of personal data from a Hong Kong data user to a data exporter in another location, or between two entities both of which are outside of Hong Kong and are controlled by a Hong Kong data user. Both of these scenarios are common in the case of data transfers from EEA countries to Hong Kong.