Media Statements

How Hong Kong Businesses Should Prepare for the EU General Data Protection

(3 April 2018)　The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG issued the “European Union General Data Protection Regulation (GDPR) 2016” booklet, which aims at raising awareness amongst organisations / businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the European Union, as well as comparing some of the major requirements with those set out in the Personal Data (Privacy) Ordinance, Laws of Hong Kong (Cap 486) (PDPO).  
 
The GDPR, adopted in 2016, will come into force on 25 May 2018. One of the new developments introduced under the GDPR to the data protection landscape outside the EU is the explicit requirement of compliance by organisations established in non-EU jurisdictions in specified circumstances. “As the EU is Hong Kong’s second largest trading partner, the new GDPR’s extra-territorial effect suggests that as long as Hong Kong organisations / businesses collect and process personal data of EU individuals, they should be prepared to comply with GDPR’s requirements,” the Privacy Commissioner said.  “I am aware that in view of their global and diversified business or transaction models, many business owners or managers are concerned about possible contraventions of this new regulation. I believe they will find the booklet helpful.”
 
A number of features of the GDPR are highlighted in the booklet as follows:

• Extra-territorial application
• Personal data covered
• New data privacy governance, data mapping and impact assessment
• Sensitive personal data
• Consent
• Mandatory breach notification
• Data processors’ obligations
• New and enhanced rights for individuals
• Data protection seals, codes of conduct and cross-jurisdiction data transfer
• Sanctions

 
The booklet also outlines the limited exception for organisations with fewer than 250 employees with regard to record-keeping.  In addition, the regulatory authorities in the EU are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of the GDPR.
 
As the regulator on protection of personal data privacy in Hong Kong, the Privacy Commissioner will continue to proactively assist local data users in understanding and complying with data protection regimes overseas. Apart from having conducted a comparative study on the GDPR and the PDPO, the PCPD has been organising educational activities since late 2017 to help organisations / businesses understand the GDPR’s standards and the possible impact on their operations. A specific webpage on the GDPR has been introduced on the PCPD’s website where the booklet can also be downloaded.