Hong Kong
  • Singapore
  • UK
  1. Osome Blog Hong Kong
  2. Is It Necessary for My Company To Have a Data Protection Officer

Is It Necessary for My Company To Have a Data Protection Officer

Hong Kong is also a fantastic place to base e-commerce businesses as it is well-connected with the rest of the world. This means that personal data will be collected, used and processed during the business transactions.

So what does that mean for new and existing businesses registered in Hong Kong? How does a business owner help to prevent data breach and protect an individual's personal data? Perhaps, many business owners who are planning to base their businesses in Hong Kong have this question in their mind: is it necessary for my company to appoint a data protection officer (DPO)? In this article, we will share about Personal Data (Privacy) Ordinance (PDPO) and General Data Protection Regulation (GDPR) and how these regulations affect Hong Kong companies.

How Does GDPR Apply to Hong Kong Companies?

In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO). It is applicable to both private and public sectors. The purpose of PDPO is to protect the individuals’ personal data from being compromised, and at the same time, provide a framework for companies that are processing data. So how does GDPR apply to Hong Kong companies?

When the PDPO was first drafted, it drew references from OECD Privacy Guidelines 1980 and the EU Directive. As such, the PDPO and GDPR share similar features. Given that GDPR was adopted in 2016, significant developments have since been made towards the data protection law.

Even though GDPR is usually applied to EU countries, it has extended to companies in Hong Kong. In other words, it applies to non-EU companies that collect and process personal data relating to goods and services sold to individuals in EU countries.

With more companies trading globally, it is important for Hong Kong companies to check if GDPR is applicable to them. This means if your company has business clients or customers who are based in EU countries, you will need to comply with GDPR and keep informed of new developments of the regulations.

Oak Health Supplement Company sells their health supplements to their local residents and also supplies their products to overseas customers. Some of the customers who purchased their products are based in EU countries such as France and Germany. Since they offer products to customers in the EU countries, the personal data they have collected have to comply with the GDPR.

Likewise, if your e-commerce business has a website that allows customers to place orders and ships products to your customers in the EU, it will fall within the GDPR’s scope. But it will not fall within the GDPR’s scope if you explicitly explain on your website that you do not intend to ship goods to EU countries or are not applicable to people living in those countries.

GDPR vs PDPO

At this point, you might be wondering if there is any major difference betweenPersonal Data (Privacy) Ordinance (PDPO) and General Data Protection Regulation (GDPR). To understand these regulations better, here are the major differences:

GDPR PDPO
Application
Companies that collect or process the data are based in the EU, or non-EU companies that offer services and goods to EU customers. Companies control the collection, processing and use of the personal data in Hong Kong.
Personal Data
Personal data refers to any information which relates to an identified or identifiable living person. Information also includes location, race, health and religion. Personal data refers to any information which relates to a living individual and can be used as identification. It must exist in a form that is accessible and practicable.
Accountability & Governance
Companies are required to implement technical and organisational measures to ensure compliance. They are also required to conduct data protection impact assessment (DPIA) for high-risk data processing. Appointment for Data Protection is mandatory for certain companies. It does not offer any accountability principle and privacy management tools. But they have issued a Privacy Management Programme to encourage Hong Kong companies to adopt accountability for data privacy compliance.
Sensitive Personal Data
There are different categories of sensitive personal data. Processing of such sensitive information is only allowed under special circumstances. There is no distinction between sensitive and non-sensitive personal data.
Consent
The GDPR has listed specific requirements for companies to obtain an individual’s consent before they can use their personal data. Getting consent should be separated from other terms, and in clear and plain language. Consent is not a prerequisite for the collection of personal data, unless the data is used for a new purpose. Aside from marketing, businesses need to provide notice of the purpose of collecting the data. There is also no requirement for parental consent. The PDPO allows parents or legal guardians to give consent on their child’s behalf if they are given proper evidence that the purpose of using the data might be in the child’s interest.
Data Breach Notification
Companies are required to notify the authority of any data breach. Subsequently, they need to inform affected individuals if it poses a high risk to their rights and privacy. If there is a data breach, companies are advised to notify the Privacy Commissioner and affected individuals.
Data Processors
Data processors who are processing data on behalf of the companies are obliged to maintain records of processing. They have to ensure the security and report data breaches and designate Data Protection Officers. Data processors are not directly regulated, and they are required to adopt contractual or other means to ensure data compliances.

Is It a Mandatory Requirement To Appoint a Data Protection Officer for My Company?

Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. However, in March 2019, PCPD revised and released a guide entitled, Privacy Management Programme: A Best Practice Guide (PMP). This guide encourages companies to develop their own Privacy Management Programme, based on these three important components:

  • Organisational commitment
  • Programme controls
  • Ongoing assessment and revision

It also encourages companies to appoint a designated DPO to oversee the company's compliance with the PDPO and the implementation of PMP. For big companies, the DPO should be a senior executive. For a smaller company, such as a small medium enterprise (SME), the officer should be the owner.

Adrian runs a training consultancy firm in Hong Kong, which has an approximately 15 full-time staff. His customer base is mainly based in Hong Kong, and others are from other countries. Since his company is considered a SME, Adrian will be the DPO for his company.

What Are the Main Responsibilities of a DPO if I Were To Appoint One?

The job of a DPO is to ensure that companies comply with PDPO and GDPR, if they have customer bases in the EU.

Aside from the above, their main responsibilities include:

  1. Establish and implement the PMP programme controls such as:
  • Keep a record of the company’s personal data inventory, conduct periodic risk assessment to all departments and handle data breach incidents.
  • Initiate the periodic risk assessment to all departments.
  • Monitor, review and provide advice to all risk assessment reports and privacy impact reports.
  • Conduct training and promote staff awareness on data protection by circulating data privacy policies, guidelines and privacy-related information.
  • Coordinate and monitor the handling of data breach incidents and provide advice to departments on conducting investigations.
  • Monitor, review and provide advice on preparing Personal Information Collection Statement.
  1. Review the effectiveness of the PMP.
  1. Prepare oversight plans and review plans for PMP, and revising the programme controls, if necessary.
  1. Report to senior management periodically about the company’s compliance issues, problems encountered and any complaints received regarding an individual’s personal data privacy.

What Qualifications Does My Data Protection Officer Need?

Though the PDPO does not indicate any specific qualification needed for a DPO, the designated officer should have a clear understanding of the company’s business industry and the methods of handling the personal data. He or she is also required to have some knowledge of PDPC and GDPR. The officer must be an excellent communicator who is able to work with various departments to report potential compliance issues and handle complaints from the public.

What if My Company Fails To Comply With the PDPO or GDPR?

We understand that sometimes companies may get too overwhelmed with work that they neglect on improving their data processing system. Likewise, there are some companies that may not consider appointing a DPO to oversee the implementation of PMP. Given the amount of data handled by a company, it is important to ensure that your company complies with PDPO or GDPR to prevent any data breach. Failure to comply with PDPO or GDPR will lead to heavy fines.

If your company fails to comply with the PDPO, the Office of the Privacy Commissioner for Personal Data (PCPD) will first issue an enforcement notice to the affected company to provide information requested by PCPD during the investigation. However, if the company fails to comply with the enforcement notice, the statutory fine will be from HK$50,000 to HK$100,000. For direct marketing offences, the penalties are much higher with fines up to HK$1 million, and five years imprisonment.

On the other hand, if your company fails to comply with GDPR, the fines for infringements will be 4% of annual worldwide turnover or €20 million.

In June 2017, a director of a Hong Kong company was found transferring personal data without consent after a complaint was filed against the company. Despite repeated requests to get necessary information that was required for the investigation, the director failed to supply sufficient information. The PCPD then issued an enforcement notice to the director, asking him to attend the office for examination. However, the director failed to attend the office without any lawful excuse. As a result, the director was fined HK$3,000.

Key Takeaways

  1. In Hong Kong, individuals’ privacy is governed by the Personal Data (Privacy) Ordinance (PDPO).
  2. The GDPR might apply to EU countries, but it has extended to companies in Hong Kong. It also applies to non-EU companies that handle the amount of data collected relating to goods and services sold to individuals in EU countries.
  3. Although the GDPR and PDPO regulations share certain similarities, there are major differences between the two of them.
  4. Under the PDPO, there is no mandatory requirement for companies to appoint a data protection officer in Hong Kong. But in 2019, PDPC revised and released a Privacy Management Programme (PMP), which encourages companies to appoint DPO to oversee the company’s compliance and develop their own PMP.
  5. For big companies, a DPO should be a senior executive. For a smaller company such as SME, the DPO should be the owner.
  6. Your DPO should have a clear understanding of the company’s industry and the amount of sensitive personal data the company handles. The DPO should also have some knowledge of PDPC and GDPR.
  7. If your company fails to comply with PDPO, the statutory fines will be from HK$50,000 to HK$100,000.
  8. Likewise, if your company fails to comply with GDPR, the fines for infringements will be 4% of annual worldwide turnover or €20 million.

This clearly shows that the Hong Kong government takes individuals’ personal data and holds companies accountable for the amount of data they handle daily. As such, it is important to appoint a DPO to oversee and review data protection policies.

Have more questions about other aspects of compliance that a company has to maintain in Hong Kong? Get in touch with our experienced Corporate Secretaries today!

Share this post:

Tips to run your business smarter.
Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

You might like it

E-commerce

Paypal vs Stripe: Comparing Pros & Cons of 2 Payment Gateways

As an e-commerce business owner, you would have heard of payment gateways PayPal and Stripe. With these two big platforms being the most popular online payment gateways, you may face a dilemma when it comes to deciding which payment gateway to use.

Entrepreneur's Bootcamp

What Is a Compliance Calendar?

The repercussions of missing crucial deadlines extend beyond non-compliance and can even include hefty fines, lost revenues and opportunities, as well as decreased productivity.

E-commerce

An Online Seller's Guide to E-commerce Fulfillment & Shipping

Here’s a guide to e-commerce fulfilment and shipping for new sellers in Hong Kong looking to drive revenue from online sales. Find out more about the methods, models and software that’ll help you scale the business you’ve worked hard to build.

E-commerce

Tips For Amazon Sellers To Better Manage Your Inventory

Brand owners and sellers of all scales struggle to seek a well-balanced supply chain. Additionally, Amazon has its own inventory management rules, which makes everything even tougher.

E-commerce

The 10 Best E-commerce Hosting Services in 2021

When you are setting up your e-commerce shop, the right hosting provider can make all the difference. However, with a variety of options out there, choosing the best one can be confusing.

E-commerce

What To Include in an E-commerce Invoice?

For business owners who own and run an online store, you probably already know that invoices must be sent to your customers for the services you provide or the goods you sell, as a form of purchase proof.

Secretary

What Are the Penalties for Late Filing of Documents?

You will usually need to file your documents by a fixed time however, business owners are often so busy with business engagement that they forget about the deadlines.

Incorporation

How To Set Up Your Own Employment Agency

Given the importance of employment agencies, it is no doubt that they play an integral role in Hong Kong's economic success. Find out how to start an employment agency in Hong Kong as the world hurtles to define a new future of work.

E-commerce

How Packaging Inserts Can Increase Your E-commerce Revenue

As a business owner, you can use packaging inserts to publicise your products. Placing your focus on existing customers also means that you do not have to splurge extra dollars on marketing.

Tax

A Guide to Reducing Taxable Income for Small Businesses

As a business owner, you can’t escape paying taxes. But what kind of taxes would you have to pay, and how are you taxed?

E-commerce

5 Profitable E-Commerce Niches Worth Looking At

If you’re just starting or looking to go in a new direction, finding a lucrative niche will make every part of running your e-commerce business easier. This article will look at trending e-commerce niches to consider.

Customer Stories

How RoyalKey Saved 4h/day & Reduced Stress with Osome

For Denis Andrei Valcu, setting up his own business was his dream and passion. Fast forward to today, the company he set up, RoyalKey, gets most of their business through gaming channels, honing their reputation as a go-to for gamers’ software needs.

Tips to run your business smarter. Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

We’re using cookies! What does it mean?