Data Hk and GDPR
Getting data hk right is critical to ensuring that datasets are fit for purpose, enabling them to be reused and enriched. It is also key to establishing who is responsible for the quality of data and what measures are in place to check this. This includes making employees, such as data stewards, accountable for the quality of the datasets they are responsible for, and understanding where those datasets have come from and how they are being maintained and updated. It also involves identifying which systems the datasets are passing through and the impact of these systems on the data.
A Hong Kong business may be a data exporter under GDPR, depending on the circumstances, if it processes personal data of individuals in the European Economic Area (EEA) and offers them goods or services or monitors their behaviour in the EEA. This could include, for example, a photographer taking a picture of a crowd at an event (where the photograph can be used to identify individual people), CCTV recordings in car parks and logs of persons entering conferences.
The Hong Kong PDPO requires data users to inform individuals of the intended purposes of processing their personal data and the lawful basis upon which that processing is based. This is similar to the requirement found in the EEA’s GDPR, but less onerous. It is also likely to be less onerous than a separate assessment that needs to be undertaken as part of the GDPR consent process, and it should be regarded as a routine requirement that forms part of an organisation’s commitment to good data ethics.
Another difference between the PDPO and GDPR is in relation to the definition of personal data. The PDPO defines this as information relating to an identifiable person, whereas the definition in GDPR is more wide-ranging and includes sensitive personal data such as health information. This is a significant difference and one which we will be monitoring closely as it develops, because it may have implications for the ability of businesses to transfer data outside of Hong Kong.
On the other hand, there have been significant concerns in the business community about the effect of GDPR on business operations and the difficulties in achieving compliance, particularly in relation to section 33. There has been a movement towards a view that implementation of section 33 should be deferred in favour of a business-friendly approach to cross-border data transfers. This is in line with our own view that the existing PDPO should remain unchanged.