HKCSView: Why the EU data protection rules matter to HK businesses?

Michael Mudd

The European Union (EU) has enacted two key regulations relating to data processing: the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NISD). They are expected to apply to organizations within and outside Europe by May 2018. Is your organization ready to comply with these regulations?

When the GDPR comes into full force, any company based in Hong Kong, or anywhere else outside the EU, will need to have governance policies in place if it collects, stores or processes any EU citizen data.

Despite the ‘Brexit’ filing, this also means UK citizens for the foreseeable future. But many enterprises are not aware that these regulations are relevant to them. A recent survey by the UK Chartered Institute of Marketing indicated that only 6% of marketers say they wholly understand what the GDPR means for their business. Half say they don’t understand it or don’t know about it at all, and a surprising 16% do not think the GDPR is relevant to them. Heavy fines await businesses that are not in compliance: the fines for breaking the regulations are capped at €20 million (HK$169 million) or 4% of global turnover, whichever is higher.

Heavy fines are happening

A couple of recent examples indicate that even before the GDPR comes into force, individual Privacy Commissioners are enforcing their own laws more vigorously. Last month the UK Information Commissioner’s Office fined Flybe, a UK-based airline, and Honda Motor Europe a total of £83,000 (HK$826,000) for misuse of customer data. Flybe was fined £70,000 (HK$697,000) just for sending an email to three million customers asking if the details on their records were correct. Honda was fined £13,000 (HK$129,000) for sending nearly 300,000 emails, also asking about preferences. Both campaigns were viewed as unsolicited marketing and against the law.

The Italian Data Protection Authority also recently imposed a fine on a company in early February for misusing customer data in a money laundering scam. The company allegedly made money transfers to China on behalf of individuals without their knowledge or agreement, and therefore did not obtain the individuals’ consent to the processing of their data. This allegedly was done in order to circumvent applicable Italian anti-money laundering rules and to avoid disclosing the names of the real parties transferring the money. This resulted in a record fine of €5.9 million (HK$49 million) for a UK company operating in Italy. This is the largest data privacy fine ever issued by a European data protection authority for a breach of the EU’s data protection framework.

Lessons for HK businesses

What does this mean for the board of a listed company in Hong Kong? If the company has a branch office in Europe, or even if it holds or processes EU citizen data elsewhere, it also needs to comply.

Hong Kong businesses need to ensure that the data they gather on individuals matches the purpose of processing. Businesses must also document the legal basis of processing, such as consent, or that the processing is “necessary” for the performance of a contract or for the purposes of the legitimate interests of the controller or a third party.

The EU law also mandates that large organizations appoint a Data Protection Officer (DPO) to obtain a single view of where data resides and to set parameters on who has access rights. The DPO will have to work with CISOs and IT executives to monitor data movement and usage. With data sprawled throughout an organization with no central control, this will be no easy task.

Organizations addressing the GDPR and other regulations must start taking their first steps by re-architecting their data provisioning. As with many organizations in the UK, the GDPR has not yet been recognized as a matter of urgency in Hong Kong or the region. There are now only 12 months left to get the controls in place to avoid penalties.

Hong Kong has one of the strongest personal privacy regimes in Asia and globally. It is fairly close to the GDPR in a number of key respects, but not all of them are the same. A board has a fiduciary duty and needs to ensure that shareholders are protected no matter where data is stored or processed, and that includes the use of cloud computing services.

In conclusion, Hong Kong companies need to put in place data management policies that will protect data that is held on EU citizens or face prosecution. Boards of Hong Kong companies need to be aware and take action sooner rather than later to protect their shareholders before receiving a letter from the EU after May 2018.

Michael Mudd is a member of the FinTech, Policy and Cloud Computing SIGs of the Hong Kong Computer Society. He is also managing partner of Asia Policy Partners LLC, an independent consultancy specializing in technology policy for security, privacy and trade-related business. He may be reached at