March 15, 2024

Data Governance Initiatives in China and Hong Kong

Data hk is an innovative global distributor and solutions aggregator, connecting customers to compelling IT products, services and solutions from 1,500+ best-in-class technology vendors. We help organizations maximize the value of their technology investments, demonstrate business outcomes and unlock growth opportunities.

A cross-border data transfer deal between Hong Kong and mainland China could create a lot of business opportunities, but it won’t be successful unless the two governments can solve differences in their regulatory frameworks. That’s according to an EY partner involved in the project.

The Personal Data (Privacy) Ordinance (“PDPO”) governs data protection in the Hong Kong Special Administrative Region. It outlines data subject rights and specific obligations for data controllers through six data protection principles. The PDPO was first enacted in 1996 and has since been amended several times.

If the PDPO is amended to expand the definition of personal data, it would have significant implications for businesses that process information that could identify an individual. For example, the combination of data contained on a staff card, including an employee’s name, HKID number, job title and company logo, could be considered personal data under the PDPO. This kind of information would need to be protected under the PDPO, even if it is not transferred outside of Hong Kong.

Similarly, an identifier of an individual that is publicly displayed with the intention to harm their reputation could also be considered a breach of the PDPO. Such a use of data would likely require explicit consent from the individual and additional compliance measures.

In addition to ensuring the PDPO is adhered to, data governance initiatives must also comply with other regulatory regimes. For instance, the Personal Data Protection Act in the mainland, and the GDPR in Europe, contain similar provisions to the PDPO.

Data governance projects involve a wide range of stakeholders, from employees to business partners. It is therefore critical to manage these diverse interests in a way that balances privacy and business value. An important step in doing so is establishing an organizational structure and assigning roles to ensure everyone understands their role in the program. An effective tool to accomplish this is a responsibility assignment matrix, like the RACI model, which stands for Responsible, Accountable, Consulted and Informed. This helps ensure that everyone is informed and aware of the impact their actions may have on others. It also provides a clear point of escalation to the program’s executive sponsor and steering committee. In this way, the entire organization is committed to achieving the goals of the program. This is critical to success and long-term sustainability.