On 25 May 2018, the General Data Protection Regulation 2016 (GDPR) came into force in the EU. It is drafted as a Regulation and becomes immediately applicable in all EU member states.
The GDPR contains new provisions, prohibitions and regulations for the collection and processing of personal data. This significantly enhances data protection.
A. Impact on Hong Kong
The GDPR does have extraterritorial effect, meaning that businesses in Hong Kong can be subject to the new regulations. Since the GDPR sets out more stringent regulations than the Hong Kong Privacy Ordinance, Hong Kong businesses are advised to check whether they could be subject to the GDPR.
The GDPR applies to a Hong Kong business if that business has an establishment in the EU. An establishment is not limited to a subsidiary, affiliate or parent company; it also includes a representative selling goods or services to the public in the EU.
The GDPR furthermore applies to a Hong Kong business without such an establishment if it sells goods or services to the public in the EU.
Organisations/businesses subject to the GDPR must:
- Demonstrate their compliance with the principles of processing of personal data;
- Implement appropriate technical and organizational measures to ensure compliance; and
- Integrate data protection into their processing activities.
More specifically, the GDPR requires:
- Appointing a Data Protection Officer;
- Undertaking a Data Protection Impact Assessment;
- Implementing Privacy by Design and by Default, and integrating the necessary safeguards;
- Keeping records of processing activities; and
- Drafting data processing or handling policies or practices to demonstrate compliance.
Special categories of personal data as defined by the GDPR include race, religion, sexual orientation, health, etc. Their collection is prohibited unless certain conditions are fulfilled.
For other personal data, the GDPR requires explicit, free, informed and unambiguous consent by the data subject.
If a business breaches its obligations under the GDPR, it is required to notify the EU supervisory authority within a certain time limit.
If a business wants to collect personal data, it needs to comply with the new and enhanced rights of individuals, including the right to notice on data protection, the right to erasure of personal data, the right to object to the collection and control of personal data, and (new) the right to restrict the processing of personal data.
C. What Hong Kong businesses should do
Given its wide application, it is advisable for a Hong Kong business to check whether it might be subject to the GDPR. If so, the responsible persons should make sure that their privacy statements and their processes for collecting and processing personal data are up to date.
If the Hong Kong business has an affiliate in the EU, it is advisable to adjust its processes to the EU level.