Launching a data governance program begins with both a vision and business case. Your vision should establish your broad strategic goal while your business case details opportunities available to your organization and how best to take advantage of them. Your business case can also help identify who needs roles (roles), technologies and processes as part of your governance framework implementation plan.
Data Governance frameworks are policies designed to align organizational structures and processes with business goals for data. A good data governance framework will include definitions, guidelines, policies, rules and procedures which range from high-level principles to detailed operating procedures; training education plans may also be part of this framework. A great data governance framework will also assign key roles that execute, sponsor, and support it effectively.
Data is an indispensable asset to many businesses, providing customer experience improvements, efficiency gains and revenue increases. Yet the sheer volume of information most businesses must manage can quickly become overwhelming; to combat this challenge effectively they need a way to analyze it and make informed decisions with it; therefore it’s imperative that a robust data governance framework be put in place.
Hong Kong’s Personal Data Protection Ordinance (“PDPO”) establishes several requirements regarding cross-border data transfers. Furthermore, this definition aligns with international norms; however it doesn’t automatically obligate all PDPO obligations with regard to cross-border data transfer.
Under the PDPO, data users are required to inform data subjects prior to collecting their personal data of its intended use and any potential recipients – in other words, conducting a transfer impact assessment before sending any personal information overseas.
Additionally, the PDPO requires data users to take appropriate measures to prevent access, processing or erasure of personal data exported from Hong Kong which has been lost or stolen either during transit or at destination. Furthermore, data users must adopt contractual or other arrangements which ensure personal data transferred abroad does not remain stored somewhere that does not provide sufficient levels of protection for personal data transferred abroad.
Data exporters should be mindful of the PDPO’s provisions regarding cross-border data transfers. As Hong Kong continues to export more personal data outside its borders, it will be interesting to observe whether this trend towards wider application of transfer impact assessments continues or other factors drive changes; perhaps in response to increasing demands to develop efficient and secure means of data transferring with mainland China or internationally, section 33 could become subject to revised implementation practices.