Ada Chung FCG FCS, Privacy Commissioner for Personal Data, Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), advocates for the implementation a Privacy Management Programme as a vital part of a company’s commitment to good corporate governance and to gain customers’ trust.

With the exponential growth of digitalisation in the past decade, the collection and use of personal data has become of unprecedented importance for most businesses, especially those who provide online services and products. As Jack Ma, co-founder of Alibaba Group, puts it, ‘We collect data from selling things. Data is the most valuable asset of Alibaba (With the exponential growth of digitalisation in the past decade, the collection and use of personal data has become of unprecedented importance for most businesses, especially those who provide online services and products. As Jack Ma, co-founder of Alibaba Group, puts it, ‘We collect data from selling things. Data is the most valuable asset of Alibaba (我們是通過賣東西收集數據，數據是阿里最值錢的財富).’

Other than requesting greater transparency, customers nowadays expect companies to clearly inform them of how their personal data, once collected, will be used and for what purpose. It is self-evident that the importance and priority that a company places on the handling of personal data privacy directly affects the confidence and trust that customers have in the company and, in turn, the competitive edge of the company.

Against this background, my office, PCPD, advocates that companies should develop their own Privacy Management Programme (PMP) and appoint a Data Protection Officer in order to institutionalise a proper system for the responsible use of personal data that is in compliance with the Personal Data (Privacy) Ordinance (the Ordinance), Cap 486 of the Laws of Hong Kong. Starting from the boardroom, companies should embrace personal data protection as part of their corporate policies and culture, and apply it as a business imperative throughout the company. A PMP can help companies gain trust from customers and other stakeholders. With trust garnered, companies will be rewarded with loyalty from their customers and business partners, which is all the more important in a fast-changing business environment.

Directors have a unique and pivotal role in implementing a PMP as an essential part of their company’s commitment to good corporate governance. Implementing a PMP involves fostering a culture of respecting and protecting personal data privacy, which cannot be made possible without the guidance and leadership of the directors. Indeed, in the Guide for Independent Non-Executive Directors, newly published by the Hong Kong Institute of Directors, companies are encouraged to implement a PMP as one of the drivers for the adoption of environmental, social and governance (ESG) management.

Benefits of implementing a PMP

Characterised by the accountability principle, a PMP is a management framework for the responsible collection, holding, processing and use of personal data. With a PMP in place, companies can:

• minimise the risks of incidents in relation to data security
• handle privacy breaches effectively with established procedures and protocol to minimise the damage arising from those breaches
• manage collected personal data effectively
• ensure compliance with the Ordinance
• demonstrate the company’s commitment to good corporate governance and building trust with customers and relevant stakeholders, and
• enhance corporate reputation, competitive advantage and potential business opportunities.

What are the components of a PMP?

A comprehensive PMP requires companies to adopt a top-down approach, strengthen staff awareness of data privacy protection, and devise policies and procedures in relation to the collection, holding, processing and use of personal data so as to ensure compliance with the Ordinance, including the Data Protection Principles specified in the Ordinance. 

A PMP should consist of the following three sets of components at the minimum:

1. Organisational commitment

• buy-in from the top
• appointment of a Data Protection Officer/establishment of a Data Protection Office, and
• establishment of a reporting mechanism.

2. Programme controls

• personal data inventory with information on the kinds of personal data the company holds and how the personal data is processed
• internal policies on personal data handling
• risk assessment tools
• training, education and promotion
• handling of data breach incidents
• data processor management, and
• communication with employees, customers and stakeholders

3. Ongoing assessment and revision

• development of an oversight and review plan, and
• assessment and revision of programme controls.

Establishing organisational commitment is vital 

‘Organisational commitment’, as a key component of a PMP, is of particular relevance and importance to directors. Directors are effectively the stewards of promoting the success and good governance of their companies, and this includes ensuring data accountability. This key component of a PMP is explained in more detail below.

Buy-in from the top

To enhance accountability, a top-down approach is necessary for companies to demonstrate their commitment to fostering a respectful culture for privacy and a determination to protect personal data privacy. Under the stewardship of directors, the PCPD recommends that the top management should:

convey to all staff their support to cultivate a respectful culture for personal data privacy and a commitment to the implementation of the PMP through staff meetings or internal circulars

• appoint a Data Protection Officer
• endorse the programme controls and the whole PMP
• allocate adequate resources, including, but not limited to, finance and manpower, to implement the PMP
• actively participate in the assessment and review of the PMP, and
• report the progress of the implementation of the programme to the board of directors regularly.

It is recommended that directors work with management to ensure that internal policies and procedures on the protection of personal data are followed.

Appointment of a Data Protection Officer/establishment of a Data Protection Office

The PCPD recommends that companies appoint a designated officer as the Data Protection Officer to oversee the company’s compliance with the Ordinance and implementation of the PMP. For a large corporation, the Data Protection Officer should be a senior executive, whereas for a small business this can be the owner or manager.

The Data Protection Officer is responsible for structuring, designing and managing the PMP, which involves all relevant procedures, training, monitoring or auditing, documenting, evaluating and other follow-up actions in relation to the collection, holding, processing and use of personal data. In large corporations, understandably more personal data is collected and used by various departments and business units. It is therefore recommended that departmental coordinators be appointed to support the Data Protection Officer. Resources should be channelled to train and develop the Data Protection Officer as a professional in the protection of personal data privacy.

Establishment of a reporting mechanism

Reporting mechanisms are indispensable for oversight by the board. In this regard, companies should establish internal reporting mechanisms, stating clearly the structure and procedures for reporting the overall compliance situation, the problems encountered, the complaints in relation to personal data privacy received and incidents of possible data breaches. Other than regular reports, the management should also provide exceptional reports on major risks and anomalies to the board of directors.

An effective reporting mechanism would be imperative at times when escalation of personal data issues is needed, such as when a major data breach takes place, or a large number of complaints relating to data privacy are received. The mechanism would also help determine who should be involved, their respective responsibilities and where the ultimate decisions should be made. These personnel could be representatives from technical, operational, legal and corporate communications streams. To successfully implement the reporting mechanism as one of the key attributes of the PMP, how and when to escalate should be clearly defined and explained to employees. Companies should also document all of their reporting procedures.

Conclusion

With the ever-rising expectation of customers and stakeholders regarding the responsible use of personal data by companies, taking a ‘box ticking’ attitude to compliance is not sufficient. The protection of personal data privacy should no longer be seen and merely managed as a compliance issue. After all, doing the least to comply with the legal requirements is not the cure, nor is it the global trend anymore. Instead, companies should also observe good data ethics and should consider the subject from a broader perspective, bringing the concept of customer centricity into the business equation. The commitment of directors and management is paramount in building and maintaining a PMP so as to ensure that privacy is built in by design in initiatives, programmes or services, and data protection is practised throughout the company. Such a proactive approach would lead to a win-win outcome for companies, their customers as well as other stakeholders.

Ada Chung FCG FCS

Privacy Commissioner for Personal Data, PCPD

For examples and practical guidance on how to devise and implement a comprehensive PMP, please refer to the Best Practice Guide on Privacy Management Programme issued by the PCPD.