Implementing a Data Governance Program in Hong Kong

Implementing a data governance program involves engaging a diverse set of stakeholders – employees, customers and partners alike. Furthermore, it is vital that everyone involved understands their individual responsibilities and impacts – one way of organizing this group may be using a responsibility assignment matrix such as RACI which stands for Responsible, Accountable Consulted Inform

Assigning and assigning responsibilities are vital elements of data governance programs. Just like any project, data governance programs involve numerous individuals with diverse responsibilities and perspectives. Therefore, establishing an efficient process for collecting feedback as well as collecting all pertinent information must also be developed to ensure a successful program. Documenting decisions made throughout will serve as a useful reference in future endeavors and help ensure all decisions made were well-informed decisions.

Data governance teams must be capable of evaluating the effects of their decisions on each stakeholder, and assess if potential benefits outweigh risks. Furthermore, they should create a clear roadmap for the program’s future – this allows the team to build its case for continued funding from management as well as set clear expectations regarding what it can achieve quickly and deliver results.

Hong Kong’s data protection regime is grounded on the Personal Data (Privacy) Ordinance (PDPO). This law contains six core data privacy obligations that must be fulfilled, among them meeting transparency, fairness and accountability principles. Another principle stipulates that personal data cannot be used for purposes other than those disclosed to data subjects through PICSs; their voluntary and express consent must also be obtained before being transferred to new users or for different uses as transfer is considered data use.

Since international data flow is now an essential feature of modern economies, regulations surrounding it have developed rapidly globally. Hong Kong stands out in this respect as its regulations differ considerably from most others: Section 33 of the Personal Data Protection Ordinance prohibits transfers outside Hong Kong without satisfying certain conditions, while data users must perform an impact analysis prior to sending personal data outside the European Economic Area (EEA). This article by Padraig Walsh from Tanner De Witt’s Data Privacy Practice will guide you through key points to be kept in mind when considering an international data transfer decision; written by Padraig Walsh from Tanner De Witt’s Data Privacy Practice team.