Updated: Nov 9, 2020
COVID-19 has brought a wave of digital transformation across business sectors in Hong Kong. The pace of digitalisation is unprecedented, and many businesses have switched to full digitalisation mode: online selling, digital interaction with customers, online staff training, and remote workforce solutions. As business processes and data handling operations go digital, data privacy risks are amplified.
To prevent data privacy risks from ballooning into critical strategic risks that can compromise businesses’ brand and reputation, companies should make sure that their risk management measures are commensurate with the level of technology they use. A thorough review of the internal data protection framework is necessary to minimise risks.
1. Third party risks
During digital transformation, businesses may engage the services of external service providers and procure third party hardware and software solutions such as conferencing, remote workstations and digital platforms. Outsourcing operations does not equate to outsourcing data handling responsibility. Businesses should:
select technological solutions and products with enhanced cybersecurity capability and secure infrastructure;
exercise due diligence in selecting service providers with good standing and reputation in the industry;
retain oversight over service providers through contractual means and audit/oversight mechanisms;
share data handling responsibilities with service providers in engagement contracts;
establish a reporting mechanism for service providers to report privacy incidents/data breaches; and
require the IT department or service providers to conduct penetration testing and vulnerability scans of infrastructure and software from time to time to prevent and mitigate privacy risks.
2. Data management risks
As businesses utilise multifaceted digital channels (e.g., online meetings, websites, applications), they amass a large volume of personally identifiable data and shoulder greater responsibility in managing these data. A structured data management system will aid businesses’ compliance with data privacy requirements. Businesses should:
conduct a data mapping exercise to track the types of personal data processed and the data handling processes, to facilitate the handling of data subjects’ rights under privacy law;
conduct an overview of the data operations cycle to ensure compliance with data minimisation and legitimate data use principles, identify high-risk areas and adopt solutions for improvements;
conduct data segregation according to the types and levels of sensitivity of data to reduce chain effects when privacy incidents/data breaches occur; and
apply a risk-based security approach to secure data operations in each data handling cycle.
3. People risks
Employees are key to driving businesses’ success in digital transformation. It therefore serves businesses’ interests to ensure that their staff receive the right training and are equipped to mitigate various privacy risks. Businesses should:
provide privacy awareness training to employees to ensure that they are equipped with the knowledge to handle new digital tools and automation products and prevent inadvertent human errors and privacy risks;
ensure that employees will handle customers’ data ethically and safeguard the data; and
devise a work-from-home policy to reinforce best practices in managing a remote workforce and require employees to take measures to safeguard confidential firm assets, customer data and account information.
4. Customer management risks
Businesses that provide clear information to customers will reinforce trust and brand reputation. Companies should review their external customer-facing notices, statements and product interfaces to raise transparency, and cultivate trust amongst customers. As businesses engage in new data operations/processes, they should:
review their privacy notices to ensure that customers are aware of their latest data protection practices and the roles of external service providers; and
explain clearly the implications of using customers’ data in automated decision making (e.g., AI-empowered credit analytics and insurance claims handling), for customers to make informed choices at the outset.
For further information, please contact:
Machiuanna Chu, Partner, Deacons