The European General Data Protection Regulation should already be one of the next items on institutions’ agendas, according to Sia Partners.
GDPR (the European General Data Protection Regulation) aims to protect individuals located in the EU by introducing new binding obligations for data controllers and data processors. This means any company holding the personal data of individuals located in the EU, regardless of its operating location, needs to comply with GDPR. Many institutions in Asia will fall within scope.
With less than seven months to the enforcement date, companies are still unclear about how and when the European Commission will look at extra-territorial enforcement and how it will cooperate with local regulators to enforce GDPR outside of its borders.
The impacts of GDPR on Hong Kong businesses depend on the gap between the local law (Hong Kong’s PDPO, Personal Data Privacy Ordinance) and GDPR.
In Hong Kong, local companies have started to grasp the importance of GDPR since the Special Administrative Region’s privacy commissioner, Stephen Wong, announced a thorough review of the PDPO to identify major gaps and to propose the amendments necessary to align with the most stringent standards of GDPR. He noted at the time that the current PDPO was enacted in 1995, the same year the EU issued a directive on personal data protection, and that the introduction of a new law in Europe therefore warrants reconsideration of the issue here.
This article proposes an overview of the gaps between the EU GDPR and the HK PDPO, depicting the main operational and organisational changes for the potentially impacted Hong Kong companies.
Data breach notification
Under GDPR, any event leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data must be notified to the regulator by the organisation holding such data, within 72 hours of the organisation becoming aware of it.
Although PDPO encourages notification of data breaches to the Office of the Privacy Commissioner for Personal Data and relevant parties, there is no binding obligation or stringent timeframe for doing so.
- A substantial impact, and intense time pressure, can be expected on company processes to identify, review and report data breaches. It will therefore be necessary to implement data breach response plans, incident detection mechanisms and escalation processes.
- We also recommend implementing robust security measures, such as personal data anonymisation or pseudonymisation by hashing data.
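The pseudonymisation suggested above is worth a concrete check. The following added example (not code from the article or from Sia Partners) assumes HMAC-SHA256 under a secret key kept apart from the data set as the hashing method, and uses constructed sample records; it shows why an unkeyed hash of a predictable identifier is weak pseudonymisation, since anyone can recompute it from a guessed value.

```python
import hashlib
import hmac

# Constructed sample records for the demonstration (not real customer data).
SAMPLE_RECORDS = [
    {"customer_id": "HK00012345", "email": "alice@example.com", "balance": 1200},
    {"customer_id": "HK00012346", "email": "bob@example.com", "balance": 300},
]

# Constructed demo key. In practice generate one with secrets.token_bytes(32)
# and store it separately from the pseudonymised data (e.g. in a KMS/HSM).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but recomputable by anyone from a guessed input."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 token: deterministic for one key, so joins across tables still work,
    but not recomputable without the key held apart from the data set."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key, fields=("customer_id", "email")):
    """Return copies of the records with the listed identifier fields replaced by keyed tokens.
    Non-identifier fields (here 'balance') are left as they are."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = keyed_hash(copy[field], key)
        out.append(copy)
    return out


def token_is_guessable(token: str, candidate_values) -> bool:
    """Self-check for a pseudonymised token: True if it equals the plain SHA-256 of any
    value in a list of plausible identifiers, i.e. the token could be linked back without
    any secret. Keyed tokens should always fail this match."""
    return any(hmac.compare_digest(plain_hash(c), token) for c in candidate_values)


if __name__ == "__main__":
    tokens = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    guesses = [f"HK{n:08d}" for n in range(12340, 12350)]
    print("unkeyed guessable:", token_is_guessable(plain_hash("HK00012345"), guesses))
    print("keyed guessable:  ", token_is_guessable(tokens[0]["customer_id"], guesses))
```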
Consent
The conditions for obtaining valid consent from individuals to use their personal data are stricter under GDPR, as businesses must meet specific requirements for consent to be deemed sufficient. Consent must be given by either a statement or a clear affirmative action, and it can be withdrawn at any time. Under PDPO, a lack of objection to the use of personal data can be considered as consent.
- The information that must be provided to individuals, and the permissions that must be obtained from them, change under GDPR, which will likely cause organisations to revise their data privacy notices. This means a complete review of the customer consent process (contracts, online forms, etc.) will be necessary.
The Data Protection Officer
Under certain circumstances, GDPR requires the appointment of a DPO (data protection officer) to deal with any matter related to data protection within an organisation and to face data protection authorities if there is a dispute. Meanwhile, the PCPD issued non-binding guidance to advocate the development of a privacy management programme and the appointment of a DPO.
- Even if a company does not fall into the categories mentioned by GDPR, it should still appoint a DPO as best practice for its reputational value and to highlight the company’s engagement with data privacy protection matters.
- The appointment of a DPO will require an overhaul of a company’s internal structure and a review of its current job specifications to ensure an optimal reporting line.
The right to object
Under GDPR, data subjects have the right to object at any time to the processing of their personal data, regardless of the processing purpose, unless the data controller can demonstrate legitimate grounds. Under PDPO, such a right applies only to direct marketing.
- With regards to the consent process mentioned earlier, companies will have to review their privacy notices and implement a more comprehensive process to collect consents and objections.
The right to data portability
GDPR states that the data subject can request to transmit the personal data previously provided from one controller to another controller, without hindrance from the controller. The transmission process should be carried out by automated means if technically feasible.
Although the data subject can request that a data controller transmit the data to another controller under PDPO, data controllers are not obliged to address such a request.
- To comply, data controllers will have to restructure data sets and implement processes to enable data exchange upon request.
PIA (Privacy Impact Assessments)
For any processing likely to result in a high risk to an individual’s rights and freedoms, the controller shall, prior to the processing, carry out an impact assessment of the envisaged processing operations on the protection of personal data.
In a guidance note issued by the PCPD, a PIA is only encouraged, not obligatory, before collecting biometric data.
- A PIA will be an additional compliance step for organisations when they launch new projects or products, requiring extra cost and time to be considered at the budgeting phase.
Accountability
While the principle of accountability has previously been an implicit requirement, GDPR makes it mandatory, creating additional obligations for data controllers.
The privacy regulator in Hong Kong has issued accountability guides and privacy governance frameworks that embrace accountability as a vehicle to drive data privacy compliance, but there is no mandatory accountability principle in PDPO.
- As mentioned, the accountability principle implies additional compliance steps as data controllers will need to demonstrate they keep a record of all processing activity; appoint a DPO where necessary; implement measures to secure compliance with data protection principles; and conduct PIA whenever appropriate.
The above gap analysis suggests organisations need to make numerous changes to be compliant with GDPR, with impacts on governance, reporting, processes and information systems.
In addition to the more stringent obligations under GDPR, businesses could be fined up to four percent of their global annual turnover or EUR20 million (USD23.35 million), whichever is higher. Statutory fines in Hong Kong are relatively low at HK$100,000 (US$12,780), except for direct marketing offences, so they do not act as a deterrent in certain circumstances.
Finally, 25 March 2018 is the date to keep in mind, as the data privacy protection landscape will drastically change in the EU when GDPR comes into force, leading to some interesting developments outside the EU.
It is crucial for companies doing business with the EU to start assessing the comprehensiveness of their data privacy frameworks and kick off GDPR compliance exercises.
Justine Laprun is a manager in the financial services practice at Sia Partners in Hong Kong.