
Is It Necessary for My Company To Have a Data Protection Officer


Hong Kong is a fantastic place to base an e-commerce business because it is well connected with the rest of the world. It also means that personal data will be collected, used and processed in the course of business transactions.

So what does that mean for new and existing businesses registered in Hong Kong? How does a business owner help to prevent data breaches and protect an individual's personal data? Many business owners who are planning to base their businesses in Hong Kong have this question in mind: is it necessary for my company to appoint a data protection officer (DPO)? In this article, we explain the Personal Data (Privacy) Ordinance (PDPO) and the General Data Protection Regulation (GDPR), and how these regulations affect Hong Kong companies.

How Does GDPR Apply to Hong Kong Companies?

In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO). It is applicable to both private and public sectors. The purpose of PDPO is to protect the individuals’ personal data from being compromised, and at the same time, provide a framework for companies that are processing data. So how does GDPR apply to Hong Kong companies?

When the PDPO was first drafted, it drew on the OECD Privacy Guidelines of 1980 and the EU Data Protection Directive. As such, the PDPO and the GDPR share similar features. Since the GDPR was adopted in 2016, however, data protection law has developed significantly.

Even though the GDPR is primarily an EU regulation, its reach extends to companies in Hong Kong. In other words, it applies to non-EU companies that collect and process personal data relating to goods and services sold to individuals in EU countries.

With more companies trading globally, it is important for Hong Kong companies to check whether the GDPR applies to them. If your company has business clients or customers who are based in EU countries, you will need to comply with the GDPR and keep up to date with new developments in the regulation.

Oak Health Supplement Company sells its health supplements to local residents and also supplies its products to overseas customers. Some of the customers who purchase its products are based in EU countries such as France and Germany. Since the company offers products to customers in EU countries, its handling of the personal data it collects must comply with the GDPR.

Likewise, if your e-commerce business has a website that allows customers to place orders and ships products to customers in the EU, it will fall within the GDPR’s scope. It will not fall within the GDPR’s scope if your website explicitly states that you do not ship goods to EU countries or do not offer your services to people living there.

GDPR vs PDPO

At this point, you might be wondering whether there is any major difference between the Personal Data (Privacy) Ordinance (PDPO) and the General Data Protection Regulation (GDPR). To understand these regulations better, here are the major differences:

Application
GDPR: Applies to companies that collect or process the data and are based in the EU, and to non-EU companies that offer services and goods to EU customers.
PDPO: Applies to companies that control the collection, processing and use of personal data in Hong Kong.

Personal Data
GDPR: Personal data refers to any information which relates to an identified or identifiable living person. This includes information such as location, race, health and religion.
PDPO: Personal data refers to any information which relates to a living individual and can be used to identify that individual. It must exist in a form in which access to or processing of the data is practicable.

Accountability & Governance
GDPR: Companies are required to implement technical and organisational measures to ensure compliance. They are also required to conduct a data protection impact assessment (DPIA) for high-risk data processing. Appointment of a Data Protection Officer is mandatory for certain companies.
PDPO: The ordinance contains no accountability principle and no privacy management tools. However, the Privacy Commissioner has issued a Privacy Management Programme guide to encourage Hong Kong companies to adopt accountability for data privacy compliance.

Sensitive Personal Data
GDPR: There are distinct categories of sensitive personal data. Processing of such sensitive information is only allowed under special circumstances.
PDPO: There is no distinction between sensitive and non-sensitive personal data.

Consent
GDPR: The GDPR sets out specific requirements for companies to obtain an individual’s consent before they can use their personal data. The request for consent should be separated from other terms and written in clear and plain language.
PDPO: Consent is not a prerequisite for the collection of personal data, unless the data is used for a new purpose. Aside from direct marketing, businesses need only provide notice of the purpose for which the data is collected. There is also no requirement for parental consent; the PDPO allows parents or legal guardians to give consent on their child’s behalf if they are given proper evidence that the purpose of using the data might be in the child’s interest.

Data Breach Notification
GDPR: Companies are required to notify the authority of any data breach. Subsequently, they need to inform affected individuals if the breach poses a high risk to their rights and privacy.
PDPO: If there is a data breach, companies are advised to notify the Privacy Commissioner and affected individuals.

Data Processors
GDPR: Data processors who process data on behalf of companies are obliged to maintain records of processing. They have to ensure security, report data breaches and designate Data Protection Officers.
PDPO: Data processors are not directly regulated; data users are required to adopt contractual or other means to ensure that their processors comply.

Is It a Mandatory Requirement To Appoint a Data Protection Officer for My Company?

Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. However, in March 2019, the PCPD revised and released a guide entitled Privacy Management Programme: A Best Practice Guide (PMP). This guide encourages companies to develop their own Privacy Management Programme, based on these three important components:

  • Organisational commitment
  • Programme controls
  • Ongoing assessment and revision

It also encourages companies to appoint a designated DPO to oversee the company's compliance with the PDPO and the implementation of the PMP. For big companies, the DPO should be a senior executive. For a smaller company, such as a small and medium-sized enterprise (SME), the officer should be the owner.

Adrian runs a training consultancy firm in Hong Kong, which has approximately 15 full-time staff. His customers are mainly based in Hong Kong, with some in other countries. Since his company is considered an SME, Adrian will be the DPO for his company.

What Are the Main Responsibilities of a DPO if I Were To Appoint One?

The job of a DPO is to ensure that the company complies with the PDPO and, if it has customers in the EU, the GDPR.

Aside from the above, their main responsibilities include:

  1. Establish and implement the PMP programme controls, such as:
  • Keep a record of the company’s personal data inventory.
  • Initiate the periodic risk assessment of all departments.
  • Monitor, review and provide advice on all risk assessment reports and privacy impact reports.
  • Conduct training and promote staff awareness of data protection by circulating data privacy policies, guidelines and privacy-related information.
  • Coordinate and monitor the handling of data breach incidents and provide advice to departments on conducting investigations.
  • Monitor, review and provide advice on preparing Personal Information Collection Statements.
  2. Review the effectiveness of the PMP.
  3. Prepare oversight plans and review plans for the PMP, and revise the programme controls if necessary.
  4. Report to senior management periodically about the company’s compliance issues, problems encountered and any complaints received regarding an individual’s personal data privacy.

What Qualifications Does My Data Protection Officer Need?

Though the PDPO does not specify any particular qualification for a DPO, the designated officer should have a clear understanding of the company’s industry and of how it handles personal data. He or she should also have some knowledge of the PDPO and the GDPR. The officer must be an excellent communicator who is able to work with various departments to report potential compliance issues and handle complaints from the public.

What if My Company Fails To Comply With the PDPO or GDPR?

We understand that companies sometimes become so overwhelmed with work that they neglect to improve their data processing systems. Likewise, some companies may not consider appointing a DPO to oversee the implementation of a PMP. Given the amount of data handled by a company, it is important to ensure that your company complies with the PDPO or GDPR to prevent data breaches. Failure to comply with the PDPO or GDPR can lead to heavy fines.

If your company fails to comply with the PDPO, the Office of the Privacy Commissioner for Personal Data (PCPD) will first issue an enforcement notice requiring the company to provide the information requested by the PCPD during its investigation. If the company fails to comply with the enforcement notice, the statutory fine ranges from HK$50,000 to HK$100,000. For direct marketing offences, the penalties are much higher, with fines of up to HK$1 million and five years’ imprisonment.

On the other hand, if your company fails to comply with the GDPR, the fines for infringements can be up to 4% of annual worldwide turnover or €20 million.

In June 2017, a director of a Hong Kong company was found to have transferred personal data without consent after a complaint was filed against the company. Despite repeated requests for the information required for the investigation, the director failed to supply sufficient information. The PCPD then issued an enforcement notice to the director, requiring him to attend the office for examination. The director failed to attend without any lawful excuse, and was fined HK$3,000 as a result.

Key Takeaways

  1. In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO).
  2. The GDPR is primarily an EU regulation, but its reach extends to companies in Hong Kong. It applies to non-EU companies that collect and process personal data relating to goods and services sold to individuals in EU countries.
  3. Although the GDPR and PDPO regulations share certain similarities, there are major differences between the two of them.
  4. Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. But in 2019, the PCPD revised and released a Privacy Management Programme (PMP) guide, which encourages companies to appoint a DPO to oversee the company’s compliance and to develop their own PMP.
  5. For big companies, the DPO should be a senior executive. For a smaller company such as an SME, the DPO should be the owner.
  6. Your DPO should have a clear understanding of the company’s industry and the amount of sensitive personal data the company handles. The DPO should also have some knowledge of the PDPO and the GDPR.
  7. If your company fails to comply with the PDPO, the statutory fines range from HK$50,000 to HK$100,000.
  8. Likewise, if your company fails to comply with the GDPR, the fines for infringements can be up to 4% of annual worldwide turnover or €20 million.

This clearly shows that the Hong Kong government takes individuals’ personal data seriously and holds companies accountable for the data they handle daily. As such, it is important to appoint a DPO to oversee and review data protection policies.

Have more questions about other aspects of compliance that a company has to maintain in Hong Kong? Get in touch with our experienced Corporate Secretaries today!
