In the words of Jack Ma, “We collect data from selling things. Data is the most valuable asset of Alibaba.”
With the exponential growth of digitalization in the past decade, the collection and use of personal data has taken on unprecedented importance for most businesses, particularly those that provide online services and products. It is self-evident that the importance and priority a company places on the handling of personal data privacy directly affects the confidence and trust that customers have in the company and, in turn, its competitive edge.
Against this background, my office, the Office of the Privacy Commissioner for Personal Data (PCPD), advocates that companies should develop their own Personal Data Privacy Management Programme (PMP) and appoint a data protection officer in order to institutionalize a proper system for the responsible use of personal data that is in compliance with the Personal Data (Privacy) Ordinance (the ordinance). A PMP can help companies gain trust from customers and other stakeholders. With trust garnered, companies will be rewarded with loyalty from their customers and business partners, which is all the more important in a fast-changing business environment.
Directors have a unique and pivotal role in implementing the PMP as an essential part of their companies’ commitment to good corporate governance. Indeed, in the Guide for Independent Non-Executive Directors, newly published by the Hong Kong Institute of Directors, companies are encouraged to implement a PMP as one of the drivers for the adoption of environmental, social and governance management.
Benefits of implementing a PMP
With a PMP in place, companies can:
- Minimize the risks of incidents in relation to data security;
- Handle privacy breaches effectively with established procedures and protocols to minimize the resulting damage;
- Manage collected personal data effectively;
- Ensure compliance with the ordinance;
- Demonstrate the companies’ commitment to good corporate governance and building trust with customers and relevant stakeholders; and
- Enhance corporate reputation, competitive advantage and potential business opportunities.
What are the components of a PMP?
A PMP should consist of the following three sets of components at the minimum:
- Organizational commitment
- Programme controls (for example, a personal data inventory and internal policies on personal data handling)
- Ongoing assessment and revision (for example, development of an oversight and review plan)
Establishing organizational commitment is vital to a PMP
“Organizational commitment,” as a key component of a PMP, is of particular relevance and importance to directors, as directors are effectively the stewards for promoting the success and good governance of their companies. This is explained below.
To enhance accountability, a top-down approach is necessary for companies to demonstrate their commitment to fostering a respectful culture of privacy and determination to protect personal data privacy. It is recommended that directors work with the management to ensure that internal policies and procedures on the protection of personal data are followed.
The PCPD also recommends that companies appoint a data protection officer to oversee the companies’ compliance with the ordinance and implementation of the PMP. For a large corporation, the data protection officer should be a senior executive, whereas for a small business, this can be the owner or manager.
Resources should be allocated to training and developing the data protection officer in the protection of personal data privacy.
Reporting mechanisms are indispensable for oversight by the company’s board. In this regard, companies should establish internal reporting mechanisms, stating clearly the structure and procedures for reporting the overall compliance situation, the problems encountered, the complaints in relation to personal data privacy received and incidents of possible data breaches.
An effective reporting mechanism is imperative at times when the escalation of personal data issues is needed, such as when a major data breach takes place or a large number of complaints relating to data privacy are received.
With the ever-rising expectations of customers and stakeholders on the responsible use of personal data by companies, the protection of personal data privacy should no longer be seen and managed merely as a compliance issue. After all, doing the bare minimum to comply with the legal requirements is neither a cure-all nor the global trend. The commitment of directors and management is paramount in building and maintaining a PMP so as to ensure that privacy is built in by design in initiatives, programmes or services, and that data protection is practised throughout the company. Such a proactive approach can lead to a win-win outcome for companies, their customers and other stakeholders.
For examples and practical guidance on how to devise and implement a comprehensive PMP, please refer to the Best Practice Guide on Privacy Management Programme issued by the PCPD.