Jul 72023

Hong Kong New PCPD Guidance on Handling Data Breaches

Yuet Ming Tham, Shu Min Ho and Sam Johnson
, , , , ,

On June 30, 2023, Hong Kong’s data protection authority (the Office of the Privacy Commissioner for Personal Data, or PCPD) issued an updated version of its Guidance on Data Breach Handling and Data Breach Notifications (the Guidance, accessible here), which aims to guide companies on how they respond to data breaches. In particular, the Guidance contains a new recommendation for companies to adopt written data breach response plans.

The latest Guidance, which was last updated in January 2019, underscores the PCPD’s desire for companies to have robust measures in place for responding to data breaches. Although Hong Kong does not currently have a statutory data breach notification requirement, the PCPD has made it clear that companies that are able to react promptly and effectively to data breaches by implementing the recommendations in the Guidance may mitigate the risks of adverse outcomes of a data breach, such as the issuance of a PCPD enforcement notice as well as reputational harm.

The Guidance recommends that companies take the following steps in response to a breach: (i) immediate gathering of essential information to assess the impact on affected individuals (such as how the breach occurred and what personal data was involved); (ii) containing the data breach as soon and as effectively as possible; (iii) based on the sensitivity and volume of personal data subject to the data breach, assessing the risk of harm to affected individuals, such as identity theft, loss of business, or other financial loss; (iv) considering notifying the PCPD and affected individuals; and (v) documenting the data breach in a comprehensive manner that records the details of the data breach, how it was contained, and remedial actions taken by the company.

A new recommendation in the latest Guidance is for companies to have a “comprehensive” written data breach response plan that sets out the procedures for implementing these steps. The Guidance explains that this is to ensure that companies can act upon data breaches in a “prompt” manner to “minimize and contain the impact of a breach.” The need for companies to act promptly has been noted by the PCPD when it has publicly criticized companies that in its view failed to notify the PCPD and affected individuals of a data breach in a timely manner.

With respect to notification of data breaches, the Guidance emphasizes the PCPD’s stance that companies “should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects.” In this regard, the PCPD has made it easier to notify the PCPD of a suspected data breach by launching a new electronic portal alongside the Guidance (accessible here). Previously, data breaches had to be notified by downloading a form from the PCPD’s website and submitting it by email, fax, or post. The portal is a welcome introduction that should enable companies to make notification in a timelier manner.

Accordingly, companies that collect, hold, process, or use personal data in or from Hong Kong should review the recommendations in the Guidance. Companies that do not have a data breach response plan should consider preparing one, and companies with existing response plans should consider whether they reflect the recommendations in the Guidance.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Shu Min Ho

Singapore

shumin.ho@sidley.com

Sam Johnson

Singapore

sam.johnson@sidley.com

You might also like
Top 10 Questions on the EU AI Act

The EU AI Act will be the first standalone piece of legislation worldwide regulating the use and provision of AI in the EU, and will form a key consideration in AI governance programs. The AI Act will have a significant impact on many organizations inside and outside the EU, with failure to comply potentially leading to fines of up to 7% of annual worldwide turnover.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.