Data Governance in Hong Kong

Data governance programs involve a lot of people. Even if your actual team is small, your project will impact many employees, customers and partners who depend on your data. As a result, it’s important to create a clear structure for your governance program and communicate it well. Use a responsibility assignment matrix like RACI (responsible, accountable, consulted and informed) to help you organize your team and make sure everyone understands their role.

The first step in any data transfer is to determine whether the transferred information constitutes personal data under the PDPO. If not, the statutory obligations under the PDPO will not be triggered. The next step is to verify whether the transferring entity has a lawful basis for the transfer. If not, the transferring entity may be required to take steps to obtain the prescribed consent of the data subjects before the transfer can be carried out (DPP 3).

The PCPD has published two sets of recommended model contractual clauses, addressing transfers between a Hong Kong data user and its own data processor, or between entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user. These provisions differ from those under the GDPR in some significant respects, but also include many of the same fundamental concepts. For example, they both require the data user to undertake not to transfer any personal data to a non-EEA destination that does not provide an adequate level of protection. Also, they both require the data user to ensure that the processing of the transferred personal data is limited to what is necessary for the purpose of the transfer (DPP 2).