What is Hong Kong’s PDPO

Data Subjects' Rights under the PDPO:

The PDPO prescribes the following rights for the data subjects;

• DPP 6 provides data subjects with the right to request access to and correction of their personal data. A data user should give reasons when refusing a data subject’s request to access or correction of his/her personal data.
• Data subjects have the right to be informed by data user(s) regarding the holding of their personal data.
• There is no explicit right to erasure available under the PDPO, however, data subjects can request the data user to delete his/her personal data that is no longer necessary for the processing. Also, data users are not allowed to retain personal data longer than necessary.
• Under the PDPO, there is no right to object to processing (including profiling) available, but data subjects may opt-out from direct marketing activities.

Organizations' obligations under the PDPO:

• PDPO does not explicitly state accountability principles and other privacy management related measures; however, the PCPD recommends that the organizations need to adopt privacy management systems to ensure compliance with the PDPO. For this purpose, the appointment of data protection officers and having privacy impact assessments are also recommended by the PCPD.
• DPP5 obliges data users to take all practicable steps to ensure the openness of their personal data policies and practices, the kind of personal data they hold, and the main purposes for holding it.
• Data users must take all practicable steps to protect the personal data they hold against unauthorized or accidental access, processing, erasure, loss, or use.
• There is no mandatory breach notification requirement, but notification to the PCPD (and data subjects, where appropriate) is recommended.
• Under the PDPO, certification, and adherence to an approved code of practice are not explicitly made a legal basis for the cross-border transfer.

Non Compliance Risks and Penalties:

Under the PDPO, noncompliance with DPPs is not considered an offense; however, contravention of specific provisions of the PDPO is an offense that can result in hefty fines and imprisonment.

• Contravention of an enforcement notice issued by the Commissioner is an offense that may result in a maximum fine of HK $50,000 and imprisonment for two years.
• Subsequent convictions can result in a maximum fine of HK $100,000 and imprisonment for two years.
• Contravention of section 26 of the PDPO that requires data users to delete unnecessary personal data is an offense, which is punishable by a fine of up to HK$10,000.
• Data subjects may also seek compensation by civil action from data users for damage caused by a contravention of the PDPO.

The PCPD has issued a table detailing the penalties for each contravention of the PDPO. This table can be found here.

How can Securiti.ai help?

SECURITI.ai’s award-winning compliance solution revolves around the concept of PrivacyOps, which calls for utilizing robotic automation, artificial intelligence, and machine learning. This system provides enterprises with a system that automates the majority of compliance tasks, freeing up crucial resources for other areas of business.

SECURITI.ai helps businesses discover data over a web of internal and external systems, links personal data with each individual, conducts an automated internal assessment of policies as well as third-party vendors, manages consent, and does a lot more!

While businesses may hesitate to take the leap towards automation from their current manual methods for fear of the costs and change in infrastructure, it is clear that automation is truly the way forward. Automation increases ROI as well as productivity lowers cost and improves accuracy.  It pays for itself and brings organizations several benefits along with it.

Automation helps you with swift and efficient compliance with the PDPO  as well as other data privacy regulations. Watch it in action today!