Businesses need to know what data they collect, where it is stored and whether data subjects are aware of the data being collected about them and how it is being used. This includes facial recognition technology and other means of tracking. Getting a handle on data sharing arrangements and cross-border transfers of personal data is also important.
A data mapping exercise can help organisations understand the volume and type of information they collect, including whether the data constitutes personal data and falls subject to data protection law. It will also help identify where data gathered constitutes sensitive personal data – special category data in the EU – that is subject to additional restrictions and safeguards in some jurisdictions.
Data mapping will also help businesses understand the jurisdictions in which data centres are located that host their data or where their data is being processed. This will be particularly important for organisations that give managers or staff scope to procure and use off-the-shelf cloud-based solutions in their everyday work, as well as those that more formally outsource the storage of data to third parties.
Understanding which data is gathered and how it is used and shared makes it easier for businesses to understand whether they are meeting their obligations on transparency under data protection law. It is an essential part of data governance. Data protection laws around the world, including in Hong Kong, require organisations to inform data subjects about the personal data they gather about them, how it is put to use and to whom the data may be transferred, which would include the data processor. The onus in Hong Kong is currently on the data user to ensure data is stored securely. The only obligations data processors have are those stated in the contract between the data user and the data processor. These terms are often not sufficient to compensate the data user for its monetary and reputational damage in the event of a data breach.
Breaches are inevitable in this data-hungry age. Whilst some continue to develop great technology to assist us in our day-to-day operations, good data stewardship is often forgotten.
In its annual report for 2018-19, the privacy commissioner for personal data has said: "Companies and organisations in Hong Kong should be well poised to adopt proactive data management as corporate digital values, ethics and responsibilities in this era of data driven economy, translating legal requirements into risk-based, verifiable and enforceable corporate practices and controls, to address regulatory changes worldwide; enable updated business models, digitalisation, globalisation and ensure data protection, sustainability and trust."
Not all organisations are getting data stewardship right. According to the privacy commissioner, there was a 16% increase in data protection complaints notified to the regulator in 2018-19 compared to the previous year. It said banks and finance institutions were among the most complained about.