Learn more about our comprehensive legal services.
Advising our clients on different opportunities and challenges of the industry.
Developing a unique culture, which blends traditional client care with modern technology and working practices since 1851.
Stay up to date on the latest news and legal insights.
News & Insights
In today’s data-driven economy, every business is likely to be processing personal data from their customers, and privacy concerns are becoming a high priority for consumers and businesses alike. Non-compliance with data privacy law can lead to significant fines, as well as the financial and reputational cost of a data breach. Maintaining customer trust in data management and privacy is critical for all businesses. Regular privacy audits should be a normal part of your organisation’s practices as your business is likely to have experienced a lot of changes since your privacy policy was first implemented.
The following checklist is a starting point of things to consider:
1. What types of data do you hold?
Think about the categories of data subjects, e.g. employee data or customer data.
Consider the type of personal data that you collect, e.g. names and addresses, phone numbers, purchasing history, online browsing history, video or audio recordings,
Do you collect sensitive personal data such as ID cards, full date of birth, credit card information, or information on people’s religious beliefs, racial or ethnic background, political opinions or sexual orientation? Do you collect and process data on children?
2. Why do you hold this data?
Why do you collect and retain this data? Is it for human resources, marketing or product development, improvement of service, or operations and systems maintenance?
What do you do with the data? Do you really need each of the types of information collected? Do you use all of the data you collect and are their collection all justified?
3. How do you collect the data?
Do you collect directly from individuals or third parties? What methods do you use to collect data? Are the data subjects aware of your privacy policy? Do you document the consent or opt-in procedure?
4. How do you store it?
Where do you store the data? Can you track how and when you collected the data? How secure is the data? Do you use encryption or passwords?
5. What do you do with the data?
How do you process it? Do you share the data with any third parties and, if so, why?
Do you transfer personal data outside of Hong Kong and, if so, where do you transfer to? Further, if you collect personal data in China, consider whether that data is transferred overseas. It is very common for multinational businesses to share employee or customer data with global headquarters or other parts of the business outside of China. Many corporations may share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China. Such activities could be subject to China’s cross-border data transfer requirements.
6. Who controls the data?
Are you the controller or processor of the data? Who can access the data? What safeguards do you have in place with your external processors?
7. How long do you keep the data for?
Check your retention periods. What is your process for deleting data? Can you justify the length of time you retain the data?
Triggering events
There may be specific circumstances that will trigger a privacy audit such as:
In particular, with the reform of Hong Kong’s data privacy law back on the legislative agenda, now is the time for business to review their data compliance and risk profile, as legacy systems may not be fit for purpose. The proposed amendments to the Personal Data (Privacy) Ordinance indicate that a stricter regime is on its way including:
Remember, prevention is always better than cure – it takes much less cost and time consuming to comply in advance than to suffer a data breach or regulatory action, not to mention the reputational damage that ensues.
Subscribe to Publications
Sign up for our regular updates covering the latest legal developments, regulations and case law.
Media Contact
For media enquiries please contact us at media.relations@deacons.com.
Tel: +852 2825 9211