Whether you are a small business that uses a single database, or a large enterprise that manages numerous databases and systems, data governance programs can be challenging. Many factors must be taken into account, and the process can take considerable time. But it is a vital step in ensuring that your data is secure and used only for its intended purposes. If you are a newcomer to data governance, it may be helpful to understand the process and its pitfalls before you start.

The definition of personal data under the PDPO is broad, and can include any information that can be used to identify an individual. This can include a person’s name; identification number; location data; online identifiers; and any factor that relates to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. This definition is similar to that under the GDPR, and is designed to protect individuals from invasive data processing. The PCPD has issued guidance that reflects this extension of the definition, and recommends that data users include provisions in contracts that protect personal data in cross-border transfers. These arrangements can be included in separate agreements or as schedules within a commercial agreement.

A key aspect of the PDPO is its regulation of cross-border data transfers. This includes an explicit prohibition on the transfer of personal data outside Hong Kong unless certain conditions are fulfilled. There is also a requirement that the data user implements supplementary measures to bring the level of protection in the foreign jurisdiction up to the standards required under the PDPO. This can include technical measures, such as encryption or anonymisation; contractual measures, such as audit, inspection and reporting, beach notification and compliance support and cooperation.

Another important aspect of the PDPO is its stance on extra-territorial application. Several other data privacy regimes have some element of extra-territorial application, but the PDPO does not. The jurisdiction of the PDPO is determined by whether or not a data user has any operations controlling collection, holding, processing or use of personal data in or from Hong Kong.

This means that a photograph of a crowd at a concert, or a log of persons entering and leaving car parks does not constitute the collection of personal data under Hong Kong law, as long as the photographs or logs are not used to identify specific individuals. This is very different from, for example, the UK’s “right to be forgotten” law, where specific information about an individual must be removed from public view.

One of the most important aspects of data governance is communication. A successful data governance program requires significant input from a wide range of stakeholders. This can include employees, customers and partners. To ensure that everyone has a voice, and that their input is taken into consideration, organizations should utilize a responsibility assignment matrix like RACI (responsible, accountable, consulted, informed). This will help to define the roles and responsibilities of each party.