How can companies determine if they are prepared for new data privacy laws?
The first issue is whether a company has an existing data privacy program and if so, with which regulations was it designed to be compliant. Many companies covered by the GDPR invested a lot of time and money to develop GDPR-compliant data privacy programs and SOPs, and as the gold standard, such a program would have been largely compliant in numerous jurisdictions around the world, with localized variations.
The new PRC PIPL largely derives from the GDPR but has distinct characteristics, which means the previous approach of applying a globally adapted GDPR standard will not necessarily comport with the PIPL. One example of a key distinction is that the PIPL has no mechanism for binding corporate rules and leans very strongly towards data sovereignty and data localisation. It carries numerous other unique requirements and ambiguities, including different rules for cross-border data transfers, different notions of what constitutes sensitive data and different legal bases for personal data processing, among many others.
Therefore, preparation for and compliance with the evolving data privacy regulatory landscape requires an overall assessment of an organization’s exposure to varying data privacy laws in different jurisdictions, the degree to which the organization transfers personal data out of that jurisdiction, restrictions on cross-border transfers, the legal bases available for processing and the nature of the personal data being processed, among other things. Additionally, numerous companies based in Hong Kong, with their businesses primarily in Hong Kong, only focus on compliance with the Hong Kong Data Privacy Ordinance. The PIPL will apply in Hong Kong (and anywhere else in the world) if any organization is selling goods or services to or tracking or monitoring the behaviour of any individuals covered by the PIPL.
Organizations that are already GDPR compliant, for example, will find the learning curve much less steep than those that are only compliant with Hong Kong’s Data Privacy Ordinance. It should also be noted that data privacy regulatory compliance is an ongoing process. Starting a well-founded data privacy program from scratch may not be easy, but regulatory compliance is obligatory, and the fines and loss of reputation caused by non-compliance can be extraordinarily expensive.
Retaining the services of a solid and qualified data privacy expert can greatly facilitate the process. The cost of engaging a certified data privacy professional is nominal compared with the risks and quantum of fines under the PIPL and GDPR.
At present and for the foreseeable future, having a minimally compliant or non-compliant approach to data privacy is nothing at all like failing to purchase insurance on the off chance that a catastrophe may occur in the future. It is far more like being told one has a horrible illness right now and then not following the surgeon’s advice or taking the prescribed medicine.
If there are doubts about whether your data privacy program and compliance are up to par, then they probably are not.
What are the best actions companies can take so that their privacy policies remain fluid and they can respond quickly to new regulations and laws?
Depending on size, a company will either need an in-house data privacy team with a data privacy officer or data privacy compliance specialist and/or external data privacy advisors. A data privacy professional can help you to become compliant if you are not already and help you maintain that compliance as regulations, policies or your business model or data handling approaches change.
As to SMEs, it’s certainly possible to try to build a data privacy program oneself as a small company or a start-up; however, in the instances I’ve seen, the novice approach of cobbling together resources found online has not resulted in particularly effective data privacy compliance programs. Bootstrapping may understandably appeal to a company’s budgetary constraints, but the regulatory liabilities and reputational risks that come with this approach really make it much more expensive than doing things properly in the first place. It’s also important to recognize that the size of the company has no relationship with the size of the potential fines under most modern data privacy regimes, which means the consequences of non-compliance or failures can be crippling. The fines and liability correspond to the infractions. Regulators will look to see what companies have done and failed to do in assessing penalties. It is also important to note that under the PIPL there is personal liability for those responsible for data privacy and not just company liability. Moreover, that liability is both criminal and civil.
Adapting to new regulatory compliance obligations requires dedicated people to keep abreast of new laws and changes to existing rules. Data privacy compliance is complex. There are competing interests (a company’s interests in processing personal data vs. the rights and interests of the data subjects) and competing jurisdictional obligations (complying with different data privacy regulations that apply to your organization no matter where you may be).
The best approach for any company is to have a culture of data privacy with buy-in from the top, without which there can only be a palliative approach to data privacy and a high likelihood of substantially increased risk. It’s very important to remember that data privacy is not merely a regulatory imperative but also a critical matter of reputation and customer and client trust. Regulatory fines arising from data privacy infractions can be compounded significantly by loss of business, trust, and credibility in a marketplace where customers and clients can easily migrate to your competitors. In a hyper-connected online world, customers and clients are becoming more educated and demanding about how you treat their personal information, which directly impacts their security, safety, and well-being. A strong data privacy program is another important way to demonstrate to your customers and clients that you are worthy of their business and can have a direct impact on your company’s brand equity and market perception.
How can a company test its own data protection capabilities?
The first thing a company can do is to know what personal data it possesses, why it possesses it, how long the data is needed and whether it is, and will be, processing it legally. This starts with data inventory mapping and data privacy impact assessments. If a company cannot put together an adequate data inventory map because those in the organization do not know what data they have and/or cannot identify where that data is stored, let alone the legal basis for processing or why they have it, then there is a problem. This assumes the company is already operating. For start-ups and small companies, a data privacy program needs to be designed in line with the business and operating model of the company. There is no one-size-fits-all approach because every company’s business model and data handling needs are different. A company should regularly evaluate its state of data privacy. This should be conducted by a data privacy officer or, if the company doesn’t have dedicated internal data privacy staff, by outside advisors. Again, while some small companies and start-ups may take a DIY approach, the size of the company and its budget do not exonerate it from its data privacy compliance obligations and the potentially huge fines that can be levied. Doing things properly in the first place is far less expensive than regulatory fines and loss of reputation.
How much attention should companies pay to data and data protection during the deal process?
Whether a transaction is international or local, and whether it is a merger or acquisition or a VC- or PE-type investment, the quantum of liability makes data privacy a very real and substantial source of potential successor liability. Nobody wants more than they bargained for when it comes in the form of big regulatory fines and reputational damage. Additionally, it isn’t just the deal process that creates potential liability but also dealing with third-party vendors and service providers with direct or indirect access to an organization’s personal data. An excellent privacy program cannot protect a company from this kind of ‘supply chain’ risk if the company fails to ensure the integrity of the spokes in its hub. Therefore, data privacy exposure must be viewed as a source of transactional risk as well as commercial risk.
What is the importance of appointing a Data Officer in a company?
For companies that are large enough or that can afford it, a data privacy officer is a very valuable asset. This person, and their team (if there is a team), is the sounding board and responsible person for all things related to personal data in an organization, from data inventory mapping to privacy impact assessments to establishing sound standard operating procedures for internal data handling and external data transfers. They can draft privacy policies and privacy notices together with cookie policies and terms of service and, importantly, keep them up to date. They can assess issues on an ongoing basis to determine where changes are required as circumstances or operating models evolve. A data privacy officer will often collaborate with IT and Infosec staff in order to provide a robust and comprehensive data privacy climate, with the involvement of top management as well. Many people mistakenly assume that application developers, IT and Infosec practitioners know about data privacy obligations, but these are distinct fields that happen to overlap (a bit like comparing an orthopedist to an anesthesiologist: they work together in the same operating theatre but perform very different functions). The data privacy officer or advisor should be able to work with these different functions to ensure data privacy by design and by default. The data privacy officer can be internal, or external consultants can be retained to advise as necessary.
How does corporate culture influence data protection in a business?
Corporate culture has a strong impact on data protection. Again, companies with strong cultures of data privacy led from the top down tend to have much better track records of data privacy compliance. It engenders customer trust as well as employee trust. A 2020 study by Oracle found a clear return on investment from data privacy spending. The internet has no borders, and consequently personal data can migrate anywhere almost instantaneously. Data subjects have a right to know why a company is collecting their data, the legal grounds for doing so, how the data will be used and whether that data will be transferred to third parties or outside the jurisdiction where the data subjects reside, among other things. Data subjects are people, and they worry about the level of intrusiveness of companies that possess large amounts of their data or their most sensitive data, such as financial records and medical records. For example, identity theft is a very real threat, and uncontrolled access to personal data or weak data privacy and security protocols can facilitate breaches that allow for such a misuse of personal data. Systems can be breached by outside hackers or by malevolent or careless insiders. Companies with a culture of privacy inspire trust and credibility, while companies that do not demonstrate a sincere commitment to data privacy do not. A privacy culture and investment in strong data privacy are good for a company’s bottom line in more ways than one.
For further information, please contact:
Alex May, Data Privacy Practice Leader (Hong Kong, Corporate)
+852 2525 7562
alex.may@hilldickinson.com
Alex is a digital privacy specialist and transactional adviser on the corporate and commercial team.
Alex has two certifications from the International Association of Privacy Practitioners – a CIPP/E (GDPR) (Certified Information Privacy Professional) and CIPM (Certified Information Privacy Manager). Alex is qualified as a lawyer in New York.