On 25 May 2018, the General Data Protection Regulation 2016 (GDPR) came into force in the EU. It is drafted as a Regulation and becomes immediately applicable in all EU member states.

The GDPR contains new provisions, prohibitions and regulations for the collection and processing of personal data. This significantly enhances data protection.

A. Impact on Hong Kong

The GDPR does have extraterritorial effect, meaning that businesses in Hong Kong can be subject to the new regulations. Since the GDPR sets out more strin­gent regulations than the Hong Kong Privacy Ordinance, Hong Kong businesses are advised to check whether they could be subject to the GDPR.

The GDPR applies to a Hong Kong business if such business has an establishment in the EU. An establishment does not only contain a subsidi­ary, affiliate or mother company, but also a representative selling goods or services to the public in the EU.

The GDPR is furthermore appli­cable to a Hong Kong business without such establishment if they sell goods or services to the public in the EU.

B. Regulations

Organisations/ businesses subject to the GDPR must:

• Demonstrate their com­pliance with the princi­ples of pro­cessing of per­sonal data;
• Implement appropriate tech­nical and organiza­tional measures to en­sure compli­ance; and
• Integrate data protection into their processing ac­tivities.

More specifically, the GDPR re­quires:

• The appointment of a Data Protection Officer;
• Undertaking a Data Pro­tection Impact Assess­ment;
• Undertaking Privacy by De­sign and by Default, and in­tegrate the neces­sary safe­guards;
• Keep records of pro­cessing activities; and
• Draft data processing or handling policies or prac­tices to demonstrate com­pliance.

Data defined by GDPR in­cludes race, religion, sexual orientation, health, etc. Its collection is prohibited unless certain conditions are fulfilled.

For other personal data, the GDPR requires explicit, free, informed and unambiguous consent by the data subject.

If a business breached its obliga­tions under the GDPR, it is re­quired to notify the EU supervisory authority within a certain time limit.

If a business wants to collect personal data, it needs to com­ply with the new and enhanced rights for individuals, including the right to notice on data protection, the right to erase personal data, the right to object the collection and controlling, and (new) the right to restrict the processing of the personal data.

C. What Hong Kong businesses should do

Given its wide application, it is advisable for a Hong Kong business to check whether it might be subject to the GDPR. If so, the responsible persons should make sure that their privacy statements, collection and processing process of personal data is up to date.

If the Hong Kong business has an affiliate in the EU, it is advis­able to adjust their processes to the EU level.