In the words of Jack Ma: "We collect data from selling things. Data is the most valuable asset of Alibaba."
With the exponential growth of digitalisation in the past decade, the collection and use of personal data has become of unprecedented importance for most businesses, especially those who provide online services and products. Besides requesting greater transparency, customers nowadays expect companies to clearly inform them of how their personal data, once collected, will be used and for what purpose. It is self-evident that the importance and priority that a company places on the handling of personal data privacy directly affects the confidence and trust that customers have in the company and, in turn, the competitive edge of the company.
Against this background, my office, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), advocates that companies should develop their own Personal Data Privacy Management Programme (PMP) and appoint a Data Protection Officer in order to institutionalise a proper system for the responsible use of personal data that is in compliance with Hong Kong's Personal Data (Privacy) Ordinance.
A PMP can help companies gain trust from customers and other stakeholders. With trust garnered, companies will be rewarded with loyalty from their customers and business partners, which is all the more important in a fast-changing business environment.
Directors have a unique and pivotal role in implementing the PMP as an essential part of their companies' commitment to good corporate governance. Indeed, in the Guide for Independent Non-Executive Directors, newly published by the Hong Kong Institute of Directors, companies are encouraged to implement a PMP as one of the drivers for the adoption of environmental, social and governance (ESG) management.
Benefits of implementing a PMP
Characterised by the accountability principle, a PMP is a management framework for the responsible collection, holding, processing and use of personal data. With a PMP in place, companies can:
- minimise the risks of incidents in relation to data security;
- handle privacy breaches effectively with established procedures and protocol to minimise the damage arising from those breaches;
- manage collected personal data effectively;
- ensure compliance with the Ordinance;
- demonstrate the companies' commitment to good corporate governance and building trust with customers and relevant stakeholders; and
- enhance corporate reputation, competitive advantage and potential business opportunities.
Key components of a PMP
A PMP should consist of the following three sets of components at the minimum:
1. Organisational Commitment
- Buy-in from the top
- Appointment of Data Protection Officer / Establishment of a Data Protection Office
- Establishment of reporting mechanism
2. Programme Controls
- Personal data inventory, with information on the kinds of personal data the company holds and how the personal data is processed
- Internal policies on personal data handling
- Risk assessment tools
- Training, education and promotion
- Handling of data breach incident
- Data processor management
- Communication with employees, customers and stakeholders
3. Ongoing Assessment and Revision
- Development of an oversight and review plan
- Assessment and revision of programme controls
Establishing organisational commitment is vital to a PMP
"Organisational commitment" as a key component of a PMP is of particular relevance and importance to directors, as directors are effectively the stewards for promoting the success and good governance of their companies, including data accountability.
Buy-in from the Top
To enhance accountability, a top-down approach is necessary for companies to demonstrate their commitment to fostering a respectful culture for privacy and determination to protect personal data privacy. Under the stewardship of directors, the PCPD recommends that the top management should:
- convey to all staff their support for cultivating a respectful culture for personal data privacy and their commitment to the implementation of the PMP, through staff meetings or internal circulars;
- appoint a Data Protection Officer;
- endorse the programme controls and the whole PMP;
- allocate adequate resources, including finance and manpower, to implement PMP;
- actively participate in the assessment and review of PMP; and
- report the progress of the implementation of the programme to the Board of Directors regularly.
It is recommended that directors work with the management to ensure that internal policies and procedures on the protection of personal data are followed.
Appointment of Data Protection Officer / Establishment of a Data Protection Office
The PCPD recommends that companies appoint a designated officer as the Data Protection Officer to oversee the companies' compliance with the Ordinance and implementation of the PMP. For a large corporation, the Data Protection Officer should be a senior executive, whereas for a small business, this can be the owner or manager.
The Data Protection Officer is responsible for structuring, designing and managing the PMP, which involves all relevant procedures, training, monitoring or auditing, documenting, evaluating, and other follow-up actions in relation to the collection, holding, processing and use of personal data.
In large corporations, understandably more personal data is collected and used by various departments and business units. It is therefore recommended that departmental coordinators be appointed to support the Data Protection Officer. Resources should be channelled to train and develop the Data Protection Officer as a professional in the protection of personal data privacy.
Establishment of Reporting Mechanisms
Reporting mechanisms are indispensable for oversight by the Board. In this regard, companies should establish internal reporting mechanisms, stating clearly the structure and procedures for reporting the overall compliance situation, the problems encountered, the complaints received in relation to personal data privacy, and incidents of possible data breaches.
An effective reporting mechanism would be imperative at times when escalation of personal data issues is needed, such as when a major data breach takes place or a large number of complaints relating to data privacy are received. The mechanism would also help determine who should be involved, their respective responsibilities and where the ultimate decisions should be made. Companies should also document all of their reporting procedures.
With the ever-rising expectation of customers and stakeholders on the responsible use of personal data by companies, companies should not stop at just ticking the box. The protection of personal data privacy should no longer be seen as merely a compliance issue. After all, doing the least to comply with the legal requirements is neither the cure nor the global trend anymore.
Instead, companies should also observe good data ethics and should consider the subject from a broader perspective, bringing the concept of customer centricity into the business equation. The commitment of directors and the management is paramount in building and maintaining a PMP so as to ensure that privacy is built in by design in initiatives, programmes or services, and data protection is practised throughout the company. Such a proactive approach would lead to a win-win outcome for companies, their customers as well as other stakeholders.
For examples and practical guidance on how to devise and implement a comprehensive PMP, members can refer to the Best Practice Guide on Privacy Management Programme issued by the PCPD, www.pcpd.org.hk.
Ada Chung Lai-ling is a Barrister and Privacy Commissioner for Personal Data, Hong Kong