Whether you are starting from scratch or revamping an existing data governance program, the first step should always be to develop a vision and a business case. The vision defines the overall strategic objective, while the business case identifies the specific opportunities and the cost of not pursuing them; together they form the blueprint for the policies that will support the program.
The business case also helps define the roles and responsibilities needed to drive a data governance program. Such a program can involve many people from across (and beyond) the organization: employees, customers, partners and so on. A RACI matrix (Responsible, Accountable, Consulted, Informed) is a practical way to organize them: it records, for each governance activity, who does the work, who is ultimately answerable for it, whose input is sought before a decision, and who is merely kept up to date. Doing this ensures the right people are involved, their views reach the decision makers, and actions are coordinated efficiently.
Understanding the regulatory environment in which the data governance program will operate is also crucial. In Hong Kong the relevant law is the Personal Data (Privacy) Ordinance ("PDPO"), which applies to "data users", that is, persons who control the collection, holding, processing or use of personal data in or from Hong Kong.
The PDPO defines personal data, in substance, as information relating to a living individual from whom that individual can practicably be identified, which is broadly consistent with other data privacy regimes such as mainland China's Personal Information Protection Law or the EU's General Data Protection Regulation. One key difference is that the PDPO's text does not expressly give it extraterritorial application, whereas both the PIPL and the GDPR contain express extraterritorial provisions.
Cross-border transfers deserve particular attention. The PDPO's dedicated transfer provision (section 33) was enacted but has not been brought into operation, so there is currently no standalone statutory restriction on sending personal data outside Hong Kong; the Privacy Commissioner instead issues guidance and recommended model contractual clauses. Transfers remain subject to the ordinary data protection principles, however: using or transferring personal data for a purpose other than the one it was collected for requires the data subject's "prescribed consent", which the PDPO defines as express consent given voluntarily. This matters for companies deploying technologies that learn individual behaviours, because profiling and analytics frequently reuse data for purposes beyond those stated at collection, and each such new purpose triggers the consent requirement and a corresponding increase in compliance work.
A critical requirement of the PDPO (Data Protection Principle 4) is that data users take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. The obligation follows the data: when a data user engages a data processor, it must use contractual or other means to ensure the processor applies equivalent protection, so vendor contracts and agent agreements should carry the PDPO's requirements through explicitly. As the PDPO and other regimes evolve, it is also worth reviewing the program's working definition of "personal data" against the broader definitions used elsewhere, so that the governance controls do not lag behind the individuals they are meant to safeguard.