Data privacy and cybersecurity are two of the biggest concerns that companies holding personal data face in 2016.  2015 saw an alarming increase in data breaches worldwide and a number of incidents in Hong Kong.  For example, just before Christmas, Sanrio Digital (HK) Limited announced that personal data (potentially including children’s data) of up to 3.3 million members of the SanrioTown website may have been the subject of a data breach. SanrioTown is currently being investigated by the Hong Kong Privacy Commissioner.  

Recent data breach scenarios have shown that the ramifications of data breaches are rarely confined to one jurisdiction and will likely prompt investigations in multiple jurisdictions. Needless to say that this is something to be avoided.  In this two-part article, we offer five practical lessons to help organisations minimise the risk and impact of data breaches (from a Hong Kong perspective and beyond). 

Lesson 1: Know Your Data

Do you know exactly the types of personal data your organisation holds? And do you know how personal data is being used, stored and transferred? Who is responsible for the different types of data (marketing, IT, HR)? Maintaining a detailed document which records your data collection and processing activities, known as a ‘Personal Data Inventory’, is the first key step to effective data governance. 

An up-to-date Personal Data Inventory is also crucial in the event of a breach. Frequently, whether or not data breaches should or must be notified to affected data subjects and/or the authorities depends on the severity of the breach and the “risk of harm” to data subjects.  Assessing the severity of a breach and the risk of harm to data subjects requires knowledge of the type and extent of personal data accessed during a breach.  A pre-prepared and detailed data inventory classifying the types of data held, the locations where the data is stored, who maintains the data and who has access to it will be an essential pre-requisite for such assessment. 

Recommendation: Conduct an audit of your organisation’s current data collection, storage and transfer practices early in 2016 and maintain clear records of the types and extent of personal data kept by your organisation, along with other essential details such as where it is stored (physically and on-line), who is responsible for maintaining the data (key contacts) and who has access to it. 

Lesson 2: Limit Collection To What Is Necessary

Does your company need all the data it holds? Under Hong Kong privacy law (and similar concepts can be found in other privacy laws around the world), data users must only collect personal data “for a lawful purpose directly related to the function and activity of the data user” and personal data collected must be “necessary but not excessive”.  

The less personal data you access/collect/use, the less you have to worry about. In light of recent cyberattacks, organisations should consider reducing the type and extent of personal data they hold so that only essential data is retained.  And moving forward, they should reconsider their data collection strategy to avoid collecting unnecessary data in the first place.

Recommendation: Consider which personal data your organisation really requires. Delete or anonymise any data that is no longer required and, moving forward, avoid collection of unnecessary data in the first place.  

Read Part II here.

Contributor – Susan Kendall


Paolo Sbuttoni is a partner in the Hong Kong office of Baker McKenzie and a member of the firm's IT & Communications Practice Group. He focuses on technology agreements and transactions, e-commerce, telecommunications regulatory matters, and data privacy. Mr. Sbuttoni has presented on a number of topics relevant to his field including cloud computing contracts, data privacy, and social media.