
Is It Necessary for My Company To Have a Data Protection Officer

Author: Renee Yang, Business Writer

Fintech companies, government agencies and private companies, Renee has experience writing for them all. Her writing inspires startups to establish their business and succeed in Asia and Europe. Here at Osome, she helps make running a small business more accessible. Her articles help entrepreneurs succeed in every step of their business journey, covering accounting and bookkeeping advice to tax must-knows. She also has copywriting experience covering branding, website copy, printed publicity collateral, blog articles and interviews.

Hong Kong is also a fantastic place to base e-commerce businesses, as it is well connected with the rest of the world. This means that personal data will be collected, used and processed during business transactions.

So what does that mean for new and existing businesses registered in Hong Kong? How does a business owner help prevent data breaches and protect an individual's personal data? Many business owners who are planning to base their businesses in Hong Kong have this question in mind: is it necessary for my company to appoint a data protection officer (DPO)? In this article, we explain the Personal Data (Privacy) Ordinance (PDPO) and the General Data Protection Regulation (GDPR), and how these regulations affect Hong Kong companies.

How Does GDPR Apply to Hong Kong Companies?

In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO). It applies to both the private and public sectors. The purpose of the PDPO is to protect individuals’ personal data from being compromised and, at the same time, to provide a framework for companies that process data. So how does the GDPR apply to Hong Kong companies?

When the PDPO was first drafted, it drew on the OECD Privacy Guidelines 1980 and the EU Directive. As such, the PDPO and the GDPR share similar features. Since the GDPR was adopted in 2016, however, data protection law has developed significantly.

Even though the GDPR is usually associated with EU countries, its reach extends to companies in Hong Kong. In other words, it applies to non-EU companies that collect and process personal data relating to goods and services sold to individuals in EU countries.

With more companies trading globally, it is important for Hong Kong companies to check whether the GDPR applies to them. If your company has business clients or customers who are based in EU countries, you will need to comply with the GDPR and keep informed of new developments in the regulation.

Example

Oak Health Supplement Company sells health supplements to local residents and also supplies its products to overseas customers. Some of the customers who purchase its products are based in EU countries such as France and Germany. Since it offers products to customers in EU countries, the personal data it collects must be handled in compliance with the GDPR.

Likewise, if your e-commerce business has a website that allows customers to place orders and you ship products to customers in the EU, it will fall within the GDPR’s scope. It will not fall within the GDPR’s scope if you explicitly state on your website that you do not intend to ship goods to EU countries or that your services are not available to people living in those countries.

GDPR vs PDPO

At this point, you might be wondering whether there is any major difference between the Personal Data (Privacy) Ordinance (PDPO) and the General Data Protection Regulation (GDPR). To understand these regulations better, here are the major differences:

Application

GDPR: Companies that collect or process the data are based in the EU, or non-EU companies that offer services and goods to EU customers.
PDPO: Companies that control the collection, processing and use of personal data in Hong Kong.

Personal Data

GDPR: Personal data refers to any information which relates to an identified or identifiable living person. This includes information such as location, race, health and religion.
PDPO: Personal data refers to any information which relates to a living individual and can be used to identify them. It must exist in a form that is accessible and practicable.

Accountability & Governance

GDPR: Companies are required to implement technical and organisational measures to ensure compliance. They are also required to conduct a data protection impact assessment (DPIA) for high-risk data processing. Appointment of a Data Protection Officer is mandatory for certain companies.
PDPO: It does not contain an accountability principle or privacy management tools. However, the PCPD has issued a Privacy Management Programme to encourage Hong Kong companies to adopt accountability for data privacy compliance.

Sensitive Personal Data

GDPR: There are different categories of sensitive personal data. Processing of such sensitive information is only allowed under special circumstances.
PDPO: There is no distinction between sensitive and non-sensitive personal data.

Consent

GDPR: The GDPR lists specific requirements for companies to obtain an individual’s consent before they can use their personal data. The request for consent should be separated from other terms and written in clear and plain language.
PDPO: Consent is not a prerequisite for the collection of personal data, unless the data is used for a new purpose. Aside from marketing, businesses need to provide notice of the purpose for which the data is collected. There is also no requirement for parental consent. The PDPO allows parents or legal guardians to give consent on their child’s behalf if they are given proper evidence that the purpose of using the data might be in the child’s interest.

Data Breach Notification

GDPR: Companies are required to notify the authority of any data breach. Subsequently, they need to inform affected individuals if the breach poses a high risk to their rights and privacy.
PDPO: If there is a data breach, companies are advised to notify the Privacy Commissioner and affected individuals.

Data Processors

GDPR: Data processors who process data on behalf of companies are obliged to maintain records of processing. They have to ensure security, report data breaches and designate Data Protection Officers.
PDPO: Data processors are not directly regulated; compliance is ensured through contractual or other means.

Is It a Mandatory Requirement To Appoint a Data Protection Officer for My Company?

Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. However, in March 2019, the PCPD revised and released a guide entitled Privacy Management Programme: A Best Practice Guide (PMP). This guide encourages companies to develop their own Privacy Management Programme based on three important components:

  • Organisational commitment
  • Programme controls
  • Ongoing assessment and revision

It also encourages companies to appoint a designated DPO to oversee the company's compliance with the PDPO and the implementation of the PMP. For big companies, the DPO should be a senior executive. For a smaller company, such as a small or medium-sized enterprise (SME), the officer should be the owner.

Example

Adrian runs a training consultancy firm in Hong Kong with approximately 15 full-time staff. His customer base is mainly in Hong Kong, with some customers from other countries. Since his company is considered an SME, Adrian will be the DPO for his company.

What Are the Main Responsibilities of a DPO if I Were To Appoint One?

The job of a DPO is to ensure that the company complies with the PDPO and, if it has a customer base in the EU, the GDPR.

Aside from the above, their main responsibilities include:

1. Establish and implement the PMP programme controls such as:

  • Keep a record of the company’s personal data inventory, conduct periodic risk assessments of all departments and handle data breach incidents.
  • Initiate the periodic risk assessments of all departments.
  • Monitor, review and provide advice on all risk assessment reports and privacy impact reports.
  • Conduct training and promote staff awareness of data protection by circulating data privacy policies, guidelines and privacy-related information.
  • Coordinate and monitor the handling of data breach incidents and advise departments on conducting investigations.
  • Monitor, review and provide advice on preparing the Personal Information Collection Statement.

2. Review the effectiveness of the PMP.

3. Prepare oversight plans and review plans for the PMP, and revise the programme controls if necessary.

4. Report to senior management periodically about the company’s compliance issues, problems encountered and any complaints received regarding an individual’s personal data privacy.

What Qualifications Does My Data Protection Officer Need?

Though the PDPO does not specify any qualification for a DPO, the designated officer should have a clear understanding of the company’s industry and of how the company handles personal data. He or she should also have some knowledge of the PDPO and the GDPR. The officer must be an excellent communicator who is able to work with various departments to report potential compliance issues and handle complaints from the public.

What if My Company Fails To Comply With the PDPO or GDPR?

We understand that companies sometimes get so overwhelmed with work that they neglect to improve their data processing systems. Likewise, some companies may not consider appointing a DPO to oversee the implementation of the PMP. Given the amount of data handled by a company, it is important to ensure that your company complies with the PDPO or GDPR to prevent data breaches. Failure to comply with the PDPO or GDPR will lead to heavy fines.

If your company fails to comply with the PDPO, the Office of the Privacy Commissioner for Personal Data (PCPD) will first issue an enforcement notice requiring the company to provide the information requested by the PCPD during the investigation. If the company fails to comply with the enforcement notice, the statutory fine will be from HK$50,000 to HK$100,000. For direct marketing offences, the penalties are much higher, with fines of up to HK$1 million and five years’ imprisonment.

On the other hand, if your company fails to comply with GDPR, the fines for infringements will be 4% of annual worldwide turnover or €20 million.

Example

In June 2017, a director of a Hong Kong company was found to have transferred personal data without consent after a complaint was filed against the company. Despite repeated requests for the information required for the investigation, the director failed to supply sufficient information. The PCPD then issued an enforcement notice to the director, asking him to attend the office for examination. The director failed to attend the office without any lawful excuse. As a result, the director was fined HK$3,000.

Key Takeaways

  1. In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO).
  2. The GDPR is primarily an EU regulation, but its reach extends to companies in Hong Kong: it applies to non-EU companies that collect data relating to goods and services sold to individuals in EU countries.
  3. Although the GDPR and PDPO regulations share certain similarities, there are major differences between the two of them.
  4. Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. But in 2019, the PCPD revised and released a Privacy Management Programme (PMP), which encourages companies to appoint a DPO to oversee the company’s compliance and to develop their own PMP.
  5. For big companies, the DPO should be a senior executive. For a smaller company such as an SME, the DPO should be the owner.
  6. Your DPO should have a clear understanding of the company’s industry and the amount of sensitive personal data the company handles. The DPO should also have some knowledge of the PDPO and the GDPR.
  7. If your company fails to comply with PDPO, the statutory fines will be from HK$50,000 to HK$100,000.
  8. Likewise, if your company fails to comply with GDPR, the fines for infringements will be 4% of annual worldwide turnover or €20 million.

This clearly shows that the Hong Kong government takes individuals’ personal data seriously and holds companies accountable for the data they handle daily. As such, it is important to appoint a DPO to oversee and review data protection policies.

Tip

Have more questions about other aspects of compliance that a company has to maintain in Hong Kong? Get in touch with our experienced Corporate Secretaries today!
