
Hong Kong companies must start to grasp EU GDPR impacts

The European General Data Protection Regulation (GDPR) aims to protect individuals located in the EU by introducing new binding obligations for data controllers and data processors. This means any company holding personal data of individuals who are located in the EU, regardless of its operating location, needs to comply with GDPR. Therefore, many businesses in Asia will fall within scope. 

With less than 7 months to the enforcement date, companies are still unclear about how and when the European Commission will approach extra-territorial enforcement, and how it will cooperate with local regulators to enforce GDPR outside its borders.

The impact of GDPR on Hong Kong businesses depends on the gap between the local law (the Hong Kong Personal Data (Privacy) Ordinance, PDPO) and the GDPR.

In Hong Kong, local companies have started to grasp the importance of GDPR, as the HK Privacy Commissioner Stephen Wong announced last August that he has tasked his bureau with carrying out a thorough review of the PDPO [1], to identify the major gaps and to propose the amendments necessary to align with the most stringent standards of GDPR. “The current Personal Data (Privacy) Ordinance law was enacted in '95, based on the EU directive of '95 among others… So it is appropriate for us when the EU is changing its regulations that we should also have a review of our law”, he told MLex in a telephone interview.

This article provides an overview of the gaps between the EU GDPR and the HK PDPO, describing the main operational and organisational changes for potentially impacted Hong Kong companies.


1. Data Breach Notification

Under GDPR, any event leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data must be notified to the regulator by the organisation holding such data, within 72 hours of the organisation becoming aware of it.
While the PDPO encourages notification of data breaches to the PCPD [2] and to the relevant parties, there is neither a binding obligation nor a strict timeframe to do so.


Impacts & recommendations

  • The most significant impact is expected on company processes for identifying, reviewing and reporting data breaches under intense time pressure. It will therefore be necessary to implement a data breach response plan, incident detection mechanisms and escalation processes.
  • It is also recommended to implement robust security measures, such as anonymisation or pseudonymisation of personal data (for example by hashing identifiers); note that pseudonymised data which can still be linked back to an individual remains personal data under GDPR, so hashing reduces the impact of a breach but does not remove the data from scope.


2. Customer Consent

The conditions for obtaining valid consent from individuals to use their personal data are stricter under GDPR: businesses must meet specific requirements for consent to be deemed valid. Consent must be given by either a statement or a clear affirmative action and may be withdrawn at any time. Under the PDPO, a lack of objection to the use of personal data can be considered consent.

Impacts & recommendations

  • The information to be provided to individuals and the permissions to be obtained from them change under GDPR, which will likely require organisations to revise their data privacy notices. A complete review of the customer consent process (contracts, online forms, etc.) will therefore be necessary.


3. The Data Protection Officer 

Under certain circumstances, GDPR requires the appointment of a Data Protection Officer (DPO) to handle any matter related to data protection within an organisation and to act as the point of contact for Data Protection Authorities (DPAs) in case of disputes. The PCPD, by contrast, has issued only non-binding guidance advocating the development of a privacy management programme and the appointment of a DPO.

Impacts & recommendations

  • Even if a company does not fall into the categories specified by GDPR, appointing a DPO is still recommended as best practice, for its reputational value and to demonstrate the company’s commitment to data privacy protection.
  • Appointing a DPO will require an overhaul of the company’s internal structure: a review of current job specifications and the design of an appropriate reporting line.


4. The right to object 

Under GDPR, data subjects have the right to object at any time to the processing of their personal data, regardless of the purpose of the processing, unless the data controller can demonstrate legitimate grounds. Under the PDPO, this right only applies to direct marketing.

Impacts & recommendations 

  • As with the consent process mentioned earlier, companies will have to review their privacy notices and implement a more comprehensive process for collecting consents and objections.


5. The right to data portability 

GDPR states that the data subject can request that personal data they previously provided be transmitted from one controller to another, without hindrance from the original controller. The transmission should be carried out by automated means where technically feasible.
Under the PDPO, the data subject can request that a data controller transmit the data to another controller, but the controller is not obliged to act on such a request.

Impacts & recommendations 

  • To comply, data controllers will have to restructure their data sets and implement processes to enable data exchange upon request.


6. Privacy Impact Assessments [3]

For any type of processing that is likely to result in a high risk to individuals’ rights and freedoms, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
In the guidance note issued by the PCPD, a PIA is only encouraged, not required, before collecting biometric data.

Impacts & recommendations 

  • A PIA will be an additional compliance step for organisations launching new projects or products, so the extra cost and time should be considered at the budgeting phase.


7. Accountability

While the principle of accountability was previously an implicit requirement, GDPR makes it mandatory, creating additional obligations for data controllers.
The privacy regulator in Hong Kong has issued "Accountability Guides" and "Privacy Governance Frameworks" that embrace accountability as a vehicle for driving data privacy compliance; however, there is no mandatory accountability principle in the PDPO.

Impacts & recommendations 

  • As mentioned, the accountability principle implies additional compliance steps, as data controllers will need to demonstrate the following:
    • keeping a record of all processing activities;
    • appointing a DPO when necessary;
    • implementing measures that secure compliance with the data protection principles;
    • conducting PIA whenever appropriate.


The above gap analysis suggests that numerous changes are required for an organisation to be compliant with GDPR, with impacts on governance, reporting, processes and information systems.

In addition to the more stringent obligations under GDPR, businesses could be fined up to 4% of their global annual turnover or €20 million, whichever is higher. Statutory fines in Hong Kong are relatively low, at HK$100,000 (US$12,780) except for direct marketing offences, so low that they do not act as a deterrent in certain circumstances.

Last but not least, 25th March 2018 is the date to keep in mind: the data privacy protection landscape will change drastically in the EU when GDPR comes into force, and some interesting developments outside the EU will surely follow.

It is crucial for companies doing business with the EU to start assessing the comprehensiveness of their data privacy framework and to kick off their GDPR compliance exercise.


For more information, please feel free to visit Sia Partners Asia GDPR website: http://www.asiagdpr.com/




[1] Personal Data (Privacy) Ordinance
[2] Office of the Privacy Commissioner for Personal Data
