Getting started with data governance isn’t easy. There are many facets to consider, including organizational structure, people and processes, and technologies and systems. A key component of any successful data governance program is the leadership team. The leader is responsible for building a vision and business case to support a data governance program. This person also coordinates the tasks of the stewards and helps communicate decisions. This role can be filled by a business or IT subject matter expert. Experienced business analysts make strong business stewards, while senior IT and enterprise architects are good candidates for IT stewards.
The PDPO defines personal data as information from which a living individual can be identified, directly or otherwise. It is important to note that this definition does not cover data about legal entities, for example a company's financial transaction records. In addition, the PDPO specifies that the use of personal data must be limited to what is necessary for the purpose for which it was collected. Common exemptions from this requirement are safeguarding Hong Kong's security, defence and international relations; crime prevention or detection; assessment or collection of any tax or duty; prevention of unlawful or seriously improper conduct; news activities; due diligence exercises; and life-threatening emergencies.
When a person becomes a data user, this triggers a range of statutory obligations under the PDPO. Among these is compliance with the six DPPs that form the core data obligations, some of which relate to cross-border transfer issues. For instance, a data user must provide his PICS (Personal Information Collection Statement) to the data subject on or before the collection of his personal data (DPP 2(3)).
If he transfers the data outside of Hong Kong, he must comply with the provisions of the PDPO that protect the data against unauthorised access or processing and against accidental destruction or loss (DPP 6(2)). He must also ensure that the recipient takes appropriate steps to prevent unauthorised access, processing or accidental loss of the data while it is in the recipient's possession or control (DPP 5(1)).
In some cases, businesses may have to undertake a transfer impact assessment. This is a process that determines whether the laws of the destination jurisdiction are sufficient to protect the personal data of data subjects. The impact assessment must be undertaken before the transfer of personal data takes place, and it must be documented. The assessment helps to determine the level of protection available in the destination country and identifies any risks that need to be mitigated. It also identifies any additional measures that may be required to protect the personal data of data subjects. These measures typically include agreeing standard contractual clauses or contributing to a transfer impact assessment. In most cases, the impact assessment involves consulting the relevant authorities in the destination country, which helps to avoid unnecessary delays or cost.