GDPR: Implications for Hong Kong businesses
Charles Mok
Legislative Councillor (Information Technology)
BSI data protection seminar, 2018-6-19
Key ideas in GDPR
● Consent
● Control
● Clarity
● Transparency
● Accountability
Frequently asked questions
● What is GDPR? Does it apply to my business?
● What kind of information does the GDPR apply to?
● What responsibilities will my company have under this new regulation?
● What rights will data subjects have?
● What should I do to be GDPR compliant?
● Where should organizations start with GDPR?
Will European regulators really enforce the GDPR outside of their jurisdictions?
An EU regulator may coordinate with a local regulator on enforcement actions.
Be prepared and plan ahead.
Disclaimer
The following information only serves the purpose of enhancing understanding of the GDPR.
Please seek legal advice for a professional opinion on compliance issues.
What is the ‘General Data Protection Regulation’?
01 A new set of law that governs the protection of personal data in the EU, in force from 25 May 2018. It applies directly in EU member states.
02 It revises the definition of ‘personal data’ and extends existing data protection principles while introducing new rights for data subjects.
03 It applies to any organisation which processes and holds the personal data of data subjects residing in the EU, and includes heavier sanctions for non-compliance.
Does my business need to follow GDPR?
HK companies that operate in Europe (or otherwise serve EU citizens) have to comply. Ask whether your business:
- has an establishment in the EU (e.g. an office or representative);
- processes data about individuals in the context of offering goods or services to citizens in EU countries;
- monitors individuals in the EU;
- handles personal data of EU citizens for business partners or associates in the EU.
If so, regardless of your company’s location or where you process the data, you will need to comply with the GDPR.
Further considerations
● Can EU citizens access or purchase goods and services from your business?
● Are your goods and services offered in languages used in the EU?
● Do you accept payment methods from the EU?
● Is your business actively targeting the EU market?
What kind of information does the GDPR apply to?
Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, ID number, email address or location.
Online identifiers: IP address, website cookies and other device identifiers (e.g. tracking web and app use on smartphones).
What kind of information does the GDPR apply to? (cont’d)
Sensitive personal data: "special categories of personal data which uniquely identify a person", e.g. genetic data, biometric data, criminal conviction and offences data, race, religion, political affiliation, sexual orientation.
Pseudonymised data: covered depending on how difficult it is to attribute the pseudonym to an individual.
What are the lawful bases for processing?
Necessity: processing is necessary for the relevant purpose, with no other reasonable way to achieve it.
“Legitimate interests”: can include commercial interests, individual interests or broader societal benefits, to be balanced against the individual’s rights and freedoms.
Consent: a high standard applies, with a positive opt-in. The consent request must include the data controller’s name, the purposes of the processing and the types of processing activity.
1. No more pre-ticked boxes as the default
2. No consent as a precondition for service
3. No vague or blanket consent
4. Third-party controllers (e.g. vendors) must be identified
Do you have the tools to manage user preferences and make it easy to act on withdrawals of consent?
What responsibilities will my company have under GDPR?
Article 5 of the EU GDPR states that personal data must be:
● Processed lawfully, fairly and in a transparent manner
● Collected only for specified, explicit and legitimate purposes
● Adequate, relevant and limited to what is necessary
● Accurate and kept up to date
● Held only for the time absolutely necessary and no longer
● Processed in a manner that ensures appropriate security of the personal data
What rights will data subjects have?
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure*
5. The right to restrict processing
6. The right to data portability*
7. The right to object
8. Rights in relation to automated decision making and profiling
Right to be informed - in practice
01 Selling/sharing personal data: tell data subjects who their data is shared with and let people manage their data.
02 Buying personal data: provide privacy information, especially about the purpose (if changed) and the lawful basis for processing; carry out an audit if necessary.
03 Using publicly accessible sources: provide privacy information, especially about the purpose (if changed) and the lawful basis for processing; carry out an audit if necessary.
04 Applying Artificial Intelligence: inform users of the purpose of processing and the likely impacts. Keep users informed proactively and give them control.
What do subject access requests mean to my business?
Data subjects have a right to request a copy of their personal data as well as other supplementary information; the request can be made by any means.
You need to provide, within a month, in a concise, transparent, intelligible and easily accessible form, using clear and plain language:
● confirmation that you are processing their personal data;
● a copy of their personal data; and
● other supplementary information.
* A “reasonable fee” can be charged for manifestly unfounded or excessive requests.
What is the right to erasure (or right to be forgotten)?
A right for individuals to have personal data erased if the data is no longer necessary for the purpose, or the individual withdraws consent, or objects to the processing (not applicable in some conditions).
Businesses should have processes to handle requests and methods to erase personal data on request, within one month.
How about backups?
What is the right to restrict processing?
A right to request the restriction or suppression of their personal data.
Related: the right to rectification; the right to object.
How? Examples:
● temporarily moving the data to another processing system;
● making the data unavailable to users; or
● temporarily removing published data from a website.
Does your business have the tools to ensure the data cannot be processed further?
What is the right to data portability?
A right for individuals to move, copy or transfer personal data easily from one IT environment to another without hindrance (applies to automated processing).
Can your business provide a copy of a user’s personal data in structured, commonly used and machine-readable formats, e.g. CSV, XML and JSON? Do you have an automated tool for extraction?
Examples:
● history of website usage or search activities;
● traffic and location data;
● ‘raw’ data processed by connected objects such as smart meters and wearable devices; or
● ‘inferred’ or ‘derived’ data about the individuals.
Do you classify users using algorithms and machine learning?
Automated decision making: a decision made by automated means, with no human involvement, to evaluate, analyse or predict aspects about a natural person.
E.g. online assessment for loans, insurance premiums or job applicants’ aptitude.
Do you have a lawful basis? Do you clearly tell customers what information you use and its source? Do you have the tools to let users review and edit it?
Is your data for profiling anonymised? Have you carried out an impact assessment?
How about personal data breaches?
Examples:
● access by an unauthorised third party (e.g. theft of a customer database);
● deliberate or accidental action (or inaction) by a controller or processor;
● sending personal data to an incorrect recipient;
● computing devices containing personal data being lost or stolen;
● alteration without permission;
● loss of availability of personal data (database encrypted by hackers?).
Duty to report to the regulator within 72 hours of becoming aware of the breach.
Must inform users if there is a high risk of adversely affecting individuals, e.g. financial loss or other consequences.
Does your business have robust breach detection, investigation and internal reporting procedures?
Where should organisations start with GDPR?
Accountability, transparency, and ‘data protection by design and by default’:
● Review your privacy policy and update consent arrangements
● Assess the security risk level and use measures such as pseudonymisation and encryption
● Use standard contract clauses with third-party processors
● Document your personal data processing activities
● Consider a Data Protection Impact Assessment (DPIA)
● Assess the need for appointing a data protection officer (DPO)
● Consider adhering to a code of conduct or certification scheme
How much risk are you willing to take? Better late than sorry.
Thank You
www.charlesmok.hk
Facebook: @charlesmokoffice
LinkedIn/Twitter: @charlesmok
Telegram channel: t.me/charlesmok
charlesmok@charlesmok.hk