Building a Data Governance Program in Hong Kong
If you’re building a data governance program, you need to have a vision and a business case. Your vision defines the broad strategic objectives of your governance program, and your business case outlines how you plan to get there. While many organizations struggle to define and communicate their vision, they’re much more successful with the business case—a document that clearly articulates the value of a governance program and the return on investment (ROI) that it will deliver.
In Hong Kong, as in most other jurisdictions, personal data means information relating to an identifiable natural person. The definition has not been updated since the PDPO was first enacted in 1996, and remains in line with international norms on the meaning of personal data. However, a number of other legislative regimes have updated their definition in recent years, and some organizations are advocating for change.
A key requirement of the PDPO is that a data user must expressly inform a data subject on or before collecting personal data of the purposes for which it will be used. This obligation extends to the classes of persons to whom the data may be transferred. As a result, many data users comply with the PDPO by providing a PICS to each individual on or before the collection of their personal data.
For example, if you collect personal data to send marketing materials to prospective customers, the PCPD requires that you notify each individual of this purpose. Similarly, if you collect CCTV recordings of persons entering car parks, you must notify each individual of this purpose.
The PDPO also requires that a data user use contractual or other means to ensure that personal data collected in, or transferred into, Hong Kong is protected from unauthorised access, processing, erasure, loss or use. This includes the use of technology solutions, such as Software-Defined Networking or Network AI, to prevent unauthorized access to sensitive data.
A data governance program involves a large number of individuals—including data stewards, data governance leaders and IT professionals. To make sure that everyone has a voice, it’s important to organize your team with a responsibility assignment matrix, like the RACI model (which stands for responsible, accountable, consulted and informed). This will help you avoid bottlenecks, assign tasks efficiently and ensure that all voices are heard.