How to Build a Business Case for Data Governance in Hong Kong

Data governance programs typically involve many individuals, from subject matter experts in both IT and business areas who collaborate together as part of an implementation team or governance team to support, sponsor and implement policies aligned with an organization’s data goals. These individuals are commonly known as data stewards. They will help identify the optimal way for you to govern your data, along with any necessary policies and processes that must be in place, as well as how these will be operationalized across your enterprise. To ensure your governance program delivers a positive return on investment, you need to create a detailed business case outlining both its objectives and expected benefits for your company. A great business case will be clear and actionable and form the basis of policies designed to reach those goals.

Under Hong Kong’s data protection regime, those collecting personal data must notify their data subjects on or prior to collecting their information as to the purposes and classes of persons whom it may be transferred (DPP1). This information must also be provided in writing; under Hong Kong law “personal data” does not refer only to information pertaining to identifiable people but is more broadly defined than this.

Regarding cross-border transfers from Hong Kong, those transferring personal data must enter into contractual arrangements that comply with the provisions of the Personal Data Protection Ordinance relating to data transfer. Such arrangements could take the form of separate agreements, schedules to main commercial agreements or contractual provisions within main commercial agreements.

Transferring personal data from Hong Kong to another jurisdiction outside the European Economic Area must ensure compliance with PDPO provisions relating to use for specific or necessary legitimate purposes, with adequate safeguards put into place to protect any processing which occurs – to ensure fair and lawful processes for personal data processing. This should include making sure data only processed according to instructions and not for other uses, providing sufficient safeguards are in place, etc.

The Personal Data (Privacy and Protection) Ordinance does not impose statutory restrictions on the transfer of personal data outside Hong Kong; however, there are substantial and onerous requirements related to such transfers. Extensive guidance is available on how best to fulfil these requirements; most users of data will likely ensure contractual arrangements exist in order to fulfill their statutory obligations when sending personal information outside Hong Kong.

Data Stewards are one of the cornerstones of an effective data governance framework. They act as liaison between business and IT teams, understanding both business implications of decisions made around data governance as well as their personal. Successful Data Stewards include senior business analysts or IT managers comfortable navigating both technology and business environments – they’re adept at facilitating communication between both teams and are skilled at mediating relationships between teams.