Governance professionals in Hong Kong share some tips on how organisations can build the necessary governance culture and internal controls to guard against data privacy risks.

The legislative and regulatory landscape for data privacy is changing fast. The introduction by the European Union (EU) of its General Data Protection Regulation (GDPR) back in May 2018 heralded a shift towards tougher data protection standards globally.

‘Regulators have responded to the increasing concerns over the need to protect personal data with a convergence towards more robust regulation that has been gathering momentum across the world,’ says Neil McNamara FCIS FCS, Institute Past President and Corporate Secretary of one of Hong Kong’s first virtual banks, livi bank. He adds that locally both Hong Kong and the Mainland have been a part of this trend. ‘In Hong Kong we saw the review of the Personal Data (Privacy) Ordinance (PDPO), while in the Mainland there was the introduction of the Personal Information Security Specification, which took effect on May 2018,’ he says.

Navigating the compliance risks

For governance professionals, the management of data privacy risks has become a lot more complex since the introduction of the GDPR, which has extraterritorial application. Ensuring compliance now requires practitioners to keep in touch with developments in data protection and privacy risk management globally.

‘While enforcement actions under the GDPR have mostly been taken against businesses with permanent establishments in the EU, this is likely to change over time as regulators test their extraterritorial powers. Hong Kong businesses need to understand their obligations and ensure that they are in compliance if they fall within the jurisdiction of the law – even if they do not have a physical presence in the EU. After all, compliance with applicable laws is an obligation as well as an essential part of corporate governance,’ Mr McNamara says.

Mark Parsons, Partner at law firm Hogan Lovells, says that businesses are now more aware of data privacy compliance risks, both because of the extraterritorial aspect of the GDPR and also the very large potential fines and penalties under the law.

‘Even if you don’t have a business presence in the EU, you can still be required to comply with the GDPR if you’re selling goods and services into the EU, or if you’re monitoring the behaviour of individuals in the EU. Because the fines are heavy and the standard of compliance is very high, there’s often a strategic question of whether companies should structure their business to reduce their exposure to the GDPR,’ Mr Parsons, who is also Hogan Lovells’ Head of Corporate Practice in Hong Kong, says.

The GDPR has been followed by similar laws in other jurisdictions, some of which also have extraterritorial aspects. This has prompted companies to look at how to set a common standard across their operations to ensure compliance. Jennifer Ho, Global Risk Assurance Leader, PricewaterhouseCoopers, advises her clients to set a benchmark at the highest compliance level – using something like the GDPR – when setting standards. ‘For companies in the region, assuming they have different business units, if you take something like the GDPR as a baseline then you can dial up or down depending on which country you are operating in,’ Ms Ho says. This, she adds, may have cost-saving benefits for companies able to reduce compliance costs in business divisions not subject to high compliance requirements.

Proposed changes to the PDPO

In Hong Kong, the trend towards tougher data privacy requirements can be seen in the proposed changes to the PDPO put forward by the Privacy Commissioner for Personal Data (PCPD) last year. The government plans to submit to the Legislative Council six of the proposals seeking to amend the PDPO to introduce:

1. a mandatory data breach notification requirement
2. a data retention policy requirement
3. provisions for the PCPD to be able to impose direct administrative fines
4. provisions for the PCPD to regulate data processors
5. an expanded definition of personal data, and
6. new provisions to regulate the disclosure of other data subjects’ personal data.
7. The first of these proposals has received a lot of attention from the market. A high-profile data breach involved Cathay Pacific in October 2018, with the personal data of more than nine million customers falling into the hands of hackers. The airline was also found to have delayed disclosure of the breach for about seven months, drawing a rebuke from the Privacy Commissioner.

The PCPD has also reported an increase in the proportion of privacy complaints relating to inadequate data security in fiscal 2018/2019 compared with the two previous fiscal years. Data breaches reported to the PCPD have also consistently increased, from 61 cases in 2013 to 129 cases in 2018.

There are still issues that need to be decided, however, regarding how the data breach notification requirement can be implemented. ‘The devil is in the details,’ Mr Parsons says. He points out that setting the right materiality threshold for notifications will be key – the proposal talks about setting a threshold of ‘a real risk of significant harm’. ‘If the Privacy Commissioner is inundated with unimportant notifications, this will not really serve the purposes of the law,’ he says.

The proposals to increase the powers of the PCPD are generally welcomed, including the proposal for the PCPD to be able to impose direct administrative fines. The current penalties in the PDPO for compliance breaches are low by international standards. The law has a maximum fine of HK$50,000, while the GDPR sanctions fines of up to 4% of turnover. Mr McNamara points out, however, that tougher penalties will not be effective alone – they need to be part of a regulatory system that should also focus on helping companies become better at data protection and privacy management.

Fabrizio Rosina, CEO of 7Layers, a cybersecurity and information management firm with headquarters in Europe and a Hong Kong branch, agrees. ‘It is much more effective and important to use the regulatory system as an incentive for companies to act correctly. For example, in the GDPR environment, taking steps to build an “adequate” security programme means being more protected from a legal point of view in case the company is a victim of a data breach. This way, everyone benefits in the end,’ he says.

Mr Parsons welcomes the approach taken by the Privacy Commissioner to engage with companies, focusing on training and best practice advocacy, rather than solely relying on enforcement. ‘I’ve had plenty of situations where this approach has been very positive for compliance. I can call the PCPD and ask them for their advice. There are benefits to having a very constructive regulator prepared to work with an industry that wants to find ways to comply,’ he says.

The role of governance professionals

Now that the importance of effectively managing data privacy risks is better recognised by companies, the focus is switching to how their governance of these risks can be improved. Ms Ho recommends an approach that involves looking at companies’ data protection governance framework from strategy to operation, as well as clearly defining the roles of those tasked to assess, design, implement and monitor data protection controls, including the escalation process. This involves looking at whether there is someone in the organisation who has overall responsibility for data protection, like a Data Protection Officer (DPO), as well as whether there are mechanisms in place to support the compliance processes and role of the DPO.

‘The whole framework is very important, whether it’s on the technology, the operations or legal side, because each person in the framework has a role to play,’ Ms Ho says.

Mr McNamara emphasises that, while in a bank data privacy compliance is very much driven by its stringent regulatory obligations, in other companies the company secretary can be key to ensuring that the board and senior management are well informed about the risks involved. He points out that if the board is not aware and doesn’t understand the implications of these risks, it will be very hard to drive down the processes and roles through the company that are needed to build an effective privacy risk governance framework.

Ms Ho adds that company secretaries need to look beyond the local regulatory regime. ‘It is advisable for company secretaries to have a broad view of what is happening in the data protection landscape across the globe so that they can be in a better position to help their organisations,’ she says.

Mr Parsons points to the Privacy Management Programme (PMP) (see end note for more details) advocated by the Privacy Commissioner since 2014 as a framework organisations can use to get started. ‘The PMP provides an accountability model to ensure that management is aware, at all levels, of the importance of data protection. It helps organisations recognise data as an important asset and an important human responsibility, but also the importance of allocating resources to it and managing it sensibly,’ he says.

Future-proofing data privacy risks

As stated at the outset, the compliance requirements relating to data privacy are changing fast. ‘I think there is a very apparent forward momentum towards increasing compliance requirements, so it is definitely advisable to anticipate that trend and implement a programme that is catching where the direction is heading,’ Mr Parsons says.

He adds that organisations need to be thinking about how technological change will impact this space. New technology, for example, may provide opportunities to use existing data in new ways, but organisations need to consider the issue of data users’ consent. ‘If you are looking at new technology that enables you to use existing data for another purpose, you need to make sure that you’re getting the right consent now and stepping up cybersecurity planning if you anticipate that in a few years that you will be using that technology,’ he says.

Managing cybersecurity risks also needs to be a major part of any future-proofing exercise. ‘Cyber risk must be assessed in the context of the specific circumstances of businesses – where and how they store their data, whether they have policies relating to remote working, whether they use cloud services, whether they have in-house servers, etc,’ Mr Rosina says. ‘Once we have obtained and documented all the relevant information, we map the “as-is” situation, and then we evaluate and provide advice on whether that particular technological setup is adequate to their industry and to the specific way that company manages data. Solutions must be tailor-made to each situation and you can’t copy and paste the same solution to everyone,’ he says.

Poo Yee Kai

Journalist

More information on the Privacy Management Programme mentioned in this article is available at: www.pcpd.org.hk/pmp/pmp.html.

SIDEBAR: Data protection and COVID-19

A day for remote workers in the COVID-19 era might begin with a teleconference with their colleagues. When a stranger shows up ‘Zoom-bombing’ the meeting with obscene images, the risks of this new work arrangement become very apparent.

Jennifer Ho, Global Risk Assurance Leader, PricewaterhouseCoopers (PwC), points out that organisations need to get to grips with these risks since remote working could well become a much more permanent feature for organisations in the post-COVID-19 world. At PwC, for example, there is no need for 9-5 working hours. ‘We have a culture of “WeFlex”, which is a reimagined way of working, offering our people the flexibility in when, where and how we work each day. It allows our people the flexibility to better meet the demands of our clients as a team, while respecting and understanding our people’s personal priorities. I think this is something, going forward, that organisations are going to have to reassess because COVID-19 has changed the whole working landscape,’ she says.

Data protection is one of the top risks facing organisations that have embraced remote working practices. Fabrizio Rosina, CEO of 7Layers, points out that organisations should be updating their software – to use advanced endpoint protection and data leak protection software for example – but that effective staff training is also key. ‘Organisations can minimise the privacy risks associated with remote working by ensuring adequate training of staff on the correct use of the company’s systems. Organisations need to build awareness of the risks and enable safe access to the company’s network and systems,’ he says.