Personal Data Protection in HK

Hong Kong has a unique personal data protection regime. Its six Data Protection Principles (“DPPs”) apply not only in Hong Kong, but also to any transfers of personal data outside its jurisdiction. Data users have significant and onerous obligations under the DPPs. In particular, a data user must expressly inform a data subject, on or before the collection of personal data, of the purposes for which the information will be used and the classes of persons to whom it may be transferred.

A person is a data user if he controls the collection, holding, processing or use of personal data, whether in Hong Kong or not. The Privacy Commissioner for Personal Data (PCPD) has published recommended model clauses for use in contractual arrangements governing such transfers, which are less onerous than the GDPR’s clauses. However, a data user must still verify that the transfers meet the requirements of the Personal Information Collection Statement (PICS) and the other requirements under the DPPs.

The definition of “personal data” is broad, and includes any information that identifies or can be linked back to an individual. For example, a photograph of a crowd at a musical concert could constitute personal data if an individual can be identified from it. But this is not the case if the photograph is simply taken to show that a large number of people attended the event, rather than to identify particular individuals.

Data governance teams typically include a mix of business and IT professionals. The team’s primary job is to translate how the framework will affect business processes, decisions and interactions. This role is ideally filled by experienced business analysts who can serve as communication bridges between business and IT. Enterprise architects and senior business systems analysts are other strong candidates for this position.

A data governance program is an enterprise-wide initiative, and its success will depend on the support of all business units. To achieve this, the project leader must establish a cross-functional working group to drive the work and provide regular updates to the executive sponsor and steering committee. To help ensure that the working group’s activities are aligned with the organizational priorities, it is important to define clear and measurable success metrics. An effective way to do this is to use a responsibility assignment matrix, such as the RACI model (responsible, accountable, consulted and informed). This helps to clarify responsibilities and reduce redundancies. It also enables the steering committee to track the project’s progress, which in turn allows it to measure the program’s return on investment and determine appropriate funding levels.

In addition, the working group should consider how the data governance program will be implemented in line with the organization’s strategic goals. This will be the basis for establishing an overarching roadmap for the program, and it will also help to minimize risks and avoid conflicts between the work of the different teams. It is also essential to involve the working group in the decision-making process for the program, as this will help its members feel more ownership of the initiative.