Stephen Kai-Yi Wong, Commissioner at the Office of the Privacy Commissioner for Personal Data, Hong Kong
January 02, 2020
The ‘Regulator Spotlight’ interview series by OneTrust DataGuidance documents jurisdictional focuses, legal developments, and guidance direct from commissioners, regulators, and supervisory boards and brings poignant commentary to the rapidly changing data privacy landscape. OneTrust DataGuidance has sat down with leading figures from organizations including the European Data Protection Supervisor’s Office, the UK ICO, and the United Nations.
We met with Stephen Kai-Yi Wong, Commissioner at the Office of the Privacy Commissioner for Personal Data, Hong Kong, in October 2019. Stephen discusses the authority’s recent work regarding enforcement, ethics, accountability, and Privacy by Design.
Lessons from enforcement action
Following recent enforcement actions by the authority, Stephen noted some of the takeaways, which included a lack of data privacy awareness among senior management.
“Data protection and privacy rights protection is not a matter for the middle-ranking, or below. It is an issue for the board of directors, and they should talk about it or they should ask their officer to report on it on a regular basis not as and when troubles are discovered,” explained Stephen.
Alongside regular reporting, Stephen also stated that senior management should understand the strategy for handling data breaches so that, in the event of a data breach, a notification can be made to the regulator in a timely fashion, avoiding fines and further enforcement action.
Ethical accountability framework
Hong Kong’s accountability project was started in 2014 and was initially set up to outline what accountability should mean within data protection. With cooperation from enterprises and consultants, the authority drafted some practical tips and strategies which they believe would be good for data governance programs within the public and private sectors.
Stephen explained, “We tried to introduce an effective way to help implement the law without revising or amending the law. We tried to complement the enforcement of the law by promoting data ethics. In other words, enterprises are not only asked to do what they are required by the law to do, but also what they think they should or what they believe they are expected to do.”
Stephen also stated that the approach to data protection within an organization should be broken down into two parts. One is the implementation of the law, and the other is based on the ethical side of what a business thinks it is expected to do in regard to data protection. Stephen concludes that these ethical frameworks should supplement the legal requirements in Hong Kong and offers guidance relating to the ethical values of data privacy.
Watch the full interview where Stephen talks further about the authority’s priorities for the next 12 months, as well as sharing his thoughts on the implementation of Privacy by Design.