Developing a Data Governance Framework
Data is one of the most valuable assets of any organization. The best way to ensure that it’s used for the right reasons, at the right time, and in the right ways is to have a clear data governance framework in place. The framework should be built around a vision and a business case, with the goals of the organization driving the policies and processes that support the governance program.
The vision spells out the broad strategic objective of your governance program, and the business case explains how it will deliver a return on investment. It is important that both the vision and the business case are clearly articulated to the entire organization. This will help to ensure that everyone understands how they can contribute to the success of the program.
A good way to communicate a vision is through a narrative that outlines how the program will work and what the key activities will be. The story should also describe the key capabilities and technologies required to implement the governance program, and include a roadmap to be developed over the short to medium term that provides clarity about what is to be achieved and how it will be accomplished.
A business case will typically be more pragmatic and hands-on, and it should specify the people (roles), technologies and processes that are needed to support your governance program. It should also contain a roadmap that is focused on the specific activities, metrics and reporting to be delivered and the expected ROI of these activities.
The definition of personal data in Hong Kong's Personal Data (Privacy) Ordinance (PDPO) is similar to other legislative regimes in that it refers to information that relates to an identified or identifiable person. This includes a range of information, such as name, address, date of birth, identity card number, bank account details and credit card details.
As a data user, you must expressly inform the data subject on or before the original collection of his personal data of the purposes for which it will be used and the classes of persons to whom the data may be transferred. In addition, you must ensure that the data are not kept longer than is necessary for processing.
You must also have a process in place for detecting and investigating breaches, and you must notify the data subject promptly of any breach that occurs. You must also have a process in place to deal with requests from data subjects for access to their personal data, and you must respond to these promptly and without charge.
While a transfer impact assessment is not mandatory under Hong Kong law, there are a growing number of circumstances in which a data user in Hong Kong will be required to conduct a transfer impact assessment by virtue of the laws of other jurisdictions. This will be particularly true in the event of data transfers to or from mainland China and the European Economic Area.