Privacy Complaints Up 48% in Hong Kong in 2013: Are Businesses Prepared?
The step change in enforcement activity should most obviously be a cause for concern for businesses that rely on personal data for marketing their products and services. Thirty percent of last year's complaints related to direct marketing (a significant increase). But a close examination of the figures shows that business concerns should be much broader than this. For example, there was a substantial increase in the number of data security breaches reported to the Commissioner (61 in 2013 against 50 in 2012), showing that the growth in investigations and enforcement activity doesn't just relate to electronic marketing. As businesses become more and more dependent on their data holdings as a means of finding competitive advantage, and "Big Data" becomes an increasingly valuable business asset, data privacy compliance becomes a business-wide issue that requires board-level attention.
The Commissioner's latest policy initiative underscores this point. Last month, the Commissioner published guidance calling for businesses to adopt comprehensive Privacy Management Programmes directed at achieving compliance in all aspects of their business. This "best practice" standard of compliance needs to be considered carefully, as it will likely be taken into account in adjudicating future rounds of enforcement action. Every organisation that handles personal data needs to ensure compliance with the PDPO. If the Commissioner's office receives a complaint, the Commissioner has the power to order an investigation and, where there has been a breach, issue an enforcement notice. There are now substantial penalties under the PDPO for the most serious breaches, with fines up to HK$1,000,000 and 5 years' imprisonment. Quite apart from the criminal sanctions, there are reputational risks for an organisation that is subject to an investigation, with the Commissioner increasingly prepared to "name and shame" organisations and publicise the results of his investigations.
Comprehensive regulation requires a well-considered, comprehensive response.