Current Issue
January 2024 Issue
Read digital flipbook
Read PDF
Get notified for updates
Past Issues
Read digital flipbook
Read PDF
Get notified for updates
Past Issues
Contents
More
Popular Topics
Digital transformation
ESG
Sustainability
Corporate finance
Work life balance
Metaverse
FinTech
Taxation
Ethics
SMPs
Diversity
Anti-money laundering
Cryptocurrencies
POPULAR READ
A purpose-driven profession: Interview with Roy Leung
From extraneous to essential: Charting the rise of ESG assurance in Hong Kong
Good CG, good ESG: Winners of the Best Corporate Governance and ESG Awards 2023
Columns / Thought leadership

Implementing a Personal Data Privacy Management Programme to gain customers’ trust

Author
Ada Chung

Ada Chung FCPA, Barrister and Privacy Commissioner for Personal Data, on why companies need to demonstrate their commitment to fostering a respectful culture of privacy

Bookmark
Text size: A+A-
Author
Ada Chung
August 2021 issue

Flipbook version
PDF version
Share

In the words of Jack Ma, “We collect data from selling things.  Data is the most valuable asset of Alibaba.”

With the exponential growth of digitalization in the past decade, the collection and use of personal data has become of unprecedented importance for most businesses, and particularly those that provide online services and products. It is self-evident that the importance and priority that a company places on the handling of personal data privacy directly affects the confidence and trust that customers have in the company and, in turn, its competitive edge.

Against this background, my office, the Office of the Privacy Commissioner for Personal Data (PCPD), advocates that companies should develop their own Personal Data Privacy Management Programme (PMP) and appoint a data protection officer in order to institutionalize a proper system for the responsible use of personal data that is in compliance with the Personal Data (Privacy) Ordinance (the ordinance). A PMP can help companies gain trust from customers and other stakeholders. With trust garnered, companies will be rewarded with loyalty from their customers and business partners, which is all the more important in a fast-changing business environment.

Directors have a unique and pivotal role in implementing the PMP as an essential part of their companies’ commitment to good corporate governance. Indeed, in the Guide for Independent Non-Executive Directors, newly published by the Hong Kong Institute of Directors, companies are encouraged to implement a PMP as one of the drivers for the adoption of environmental, social and governance management.

Benefits of implementing a PMP

With a PMP in place, companies can:

  • Minimize the risks of incidents in relation to data security;
  • Handle privacy breaches effectively with established procedures and protocol to minimize the damage arising;
  • Manage collected personal data effectively;
  • Ensure compliance with the ordinance;
  • Demonstrate the companies’ commitment to good corporate governance and building trust with customers and relevant stakeholders; and
  • Enhance corporate reputation, competitive advantage and potential business opportunities.

What are the components of a PMP?

A PMP should consist of the following three sets of components at the minimum:

  1. Organizational commitment
  2. Programme controls (for example, personal data inventory, internal policies on personal data handling, etc.)
  3. Ongoing assessment and revision (for example, development of an oversight and review plan)

Establishing organizational commitment is vital to a PMP

“Organizational commitment,” as a key component of a PMP, is of particular relevance and importance to directors, as directors are effectively the stewards for promoting the success and good governance of their companies. This is explained below.

To enhance accountability, a top-down approach is necessary for companies to demonstrate their commitment to fostering a respectful culture of privacy and determination to protect personal data privacy. It is recommended that directors work with the management to ensure that internal policies and procedures on the protection of personal data are followed.

The PCPD also recommends that companies appoint a data protection officer to oversee the companies’ compliance with the ordinance and implementation of the PMP. For a large corporation, the data protection officer should be a senior executive, whereas for a small business, this can be the owner or manager.

Resources should be allocated to training and developing the data protection officer in the protection of personal data privacy.

Reporting mechanisms are indispensable for oversight by the company’s board. In this regard, companies should establish internal reporting mechanisms, stating clearly the structure and procedures for reporting the overall compliance situation, the problems encountered, the complaints in relation to personal data privacy received and incidents of possible data breaches.

An effective reporting mechanism is imperative at times when the escalation of personal data issues is needed, such as when a major data breach takes place or a large number of complaints relating to data privacy are received.

Conclusion

With the ever-rising expectation of customers and stakeholders on the responsible use of personal data by companies, the protection of personal data privacy should no longer be seen and merely managed as a compliance issue. After all, doing the least to comply with the legal requirements is no longer the cure nor the global trend. The commitment of directors and management is paramount in building and maintaining a PMP so as to ensure that privacy is built in by design in initiatives, programmes or services, and data protection is practised throughout the company. Such a proactive approach can lead to a win-win outcome for companies, their customers as well as other stakeholders.

For examples and practical guidance on how to devise and implement a comprehensive PMP, please refer to the Best Practice Guide on Privacy Management Programme issued by the PCPD.

Data privacy
POPULAR READ
A purpose-driven profession: Interview with Roy Leung
From extraneous to essential: Charting the rise of ESG assurance in Hong Kong
Good CG, good ESG: Winners of the Best Corporate Governance and ESG Awards 2023
Sign up for the e-newsletter and never miss an issue
Add to Bookmark
Text size
A-
A+
August 2021 issue
Read flipbook version
Read PDF version
Related Articles
Artificial Intelligence
Navigating the privacy and ethical challenges of generative AI
October 2023
Ada Chung, Privacy Commissioner for Personal Data, on how the profession could embrace generative artificial intelligence while managing its privacy and ethical risks
cybersecurity
Navigating personal data privacy and security in the age of digitization
April 2023
Ada Chung, Barrister and Privacy Commissioner for Personal Data, on why companies need to proactively safeguard the security of personal data
Data privacy
Protection of personal data on the Companies Register: the new inspection regime
September 2021
Ada Chung FCPA, Privacy Commissioner for Personal Data, on how the new inspection regime will stamp out the unlawful use of personal data
Data privacy
Implementing a Personal Data Privacy Management Programme to gain customers’ trust
August 2021
Ada Chung FCPA, Privacy Commissioner for Personal Data, on why companies must put a Personal Data Privacy Management Programme in place
Data privacy
Home smart home
July 2019
The benefits and risks of owning a smart home
Advertisement
We use cookies to give you the best experience of our website. By continuing to browse the site, you agree to the use of cookies for analytics and personalized content. To learn more, visit our privacy policy page. View more
Accept All Cookies