Hong Kong – Digital Transformation In The Time Of Covid-19: Is Your Business Ready?

1. 

Third party risks 
 

During digital transformation, businesses may engage services of external service providers and procure third party hardware and software technological solutions such as conferencing, remote work stations and digital platforms. Outsourcing of operations does not equate to the outsourcing of data handling responsibility. Businesses should:
 

• select technological solutions and products with enhanced cybersecurity capability and secure infrastructure;
   

• exercise due diligence in selecting service providers with good standing and reputation in the industry;
   

• retain oversight over service providers through contractual means and audit/oversight mechanism;
   

• share data handling responsibilities with service providers in engagement contracts;
   

• establish a reporting mechanism for service providers to report privacy incidents/data breaches; and
   

• require IT department or service providers to conduct penetration testing and vulnerability scans of infrastructure and software from time to time to prevent and mitigate privacy risks.

•  

2. 

Data management risks 
 

As businesses utilise multifaceted digital channels (e.g., online meetings, websites, applications), they amass a large volume of personally identifiable data and shoulder greater responsibility in managing these data. A structured data management system will aid businesses’ compliance with data privacy requirements. Businesses should:
 

• conduct data mapping exercise to track the types of personal data processed and processes of data handling to facilitate businesses’ handling of data subjects’ rights under privacy law;
   

• conduct an overview of data operations cycle to ensure compliance with data minimisation and legitimate data use principles, identify high-risk areas and adopt solutions for improvements; 
   

• conduct data segregation according to the types and levels of sensitivity of data to reduce chain effects when privacy incidents/data breaches occur; and
   

• apply a risk-based security approach to secure data operations in each data handling cycling.
   

3. 

People risks 
 

Employees are key elements to drive businesses’ success in digital transformation, it, therefore, serves businesses’ interests to ensure that their staff receive the right training and are equipped to mitigate various privacy risks. Businesses should:
 

• provide privacy awareness training to employees to ensure that they are equipped with the knowledge to handle new digital tools and automation products and prevent inadvertent human errors and privacy risks;
   

• ensure that employees will handle customers’ data ethically and safeguard the data; and
   

• devise a work-from-home policy to reinforce best practices in managing a remote workforce and require employees to take measures to safeguard confidential firm assets, customer data and account information.
   

4. 

Customer management risks
 

Businesses that provide clear information to customers will reinforce trust and brand reputation. Companies should review their external customer-facing notices, statements and product interfaces to raise transparency, and cultivate trust amongst customers. As businesses engage in new data operations/processes, they should:
 

• review their privacy notices to ensure that customers are aware of its latest data protection practices and roles of external service providers; and
   

• explain clearly the implications of using customers’ data in automated decision making (e.g., AI-empowered credit analytics and insurance claims handling), for customers to make informed choices at the outset.