Firms see bottom line in need to protect privacy
Better data protection can lead to increased customer satisfaction, conference hears
There's a silver lining to privacy scandals that have tarnished the reputations of businesses worldwide - they have prompted many to reconsider their approach to data protection.
That was the view of some of the corporate world's data-protection pioneers, who gathered for an international conference in Hong Kong last week.
One message of the conference was that companies are starting to view data protection as not merely a legal requirement, but as a chance to provide customers with good service and maintain their trust.
Key to this new approach is the emerging role of the data protection officer.
As the chief executive of Octopus Holdings, Sunny Cheung knows more than most how hard it is to regain the public's trust. Before he took over, the smart-card issuer became mired in controversy in 2010 for collecting excessive personal data from 2.4 million cardholders and selling the information.
"Legal rights do not save you from dissatisfied customers. Consumers always demand something more," Cheung said.
He said the company now collected "minimal" personal data and avoided using vague terms that could mislead customers about data policies.
Elaine Chong, corporate data protection officer at CLP Power, said the Octopus incident prompted the electricity provider to rethink its own approach to data protection.
"We must go beyond compliance, taking it to the next level - respect," she said.
"We are not the owner of the personal data. The customers own the data. So the use of the data must not take the customer by surprise," she said.
Chong compared her job to being a gardener, as she had to tend to and watch over data protection every day. She said she was also a "tiger mum" who was strict in directing colleagues to adhere to the privacy law.
For Chris Cheng, legal adviser for telecoms firm HKT Ltd, data protection officers are more like firefighters. "It's not just about emergency work," he said. "What's more important are the precautions you take.
"I don't think any company can afford the adverse publicity caused by not complying with the [privacy] law," he added. "This is especially so for an international company."
The conference was held as the Privacy Commission released a guide to best practice for firms drawing up voluntary privacy-management programmes.
The guide highlights the role of data protection officers, urging companies to appoint them, and to keep and update an inventory of stored personal data. They are also advised to conduct risk-management assessments regularly, and establish a reporting mechanism so that any data breaches can be quickly handled.
The commission said the government and 35 companies had pledged to implement privacy-management programmes.
The watchdog rolled out the guide after shelving its proposed Data User Returns Scheme, following opposition by companies. Under the scheme, slated to begin in 2012, companies in the public, banking, telecoms and insurance sectors would have had to make annual submissions to the Office of the Privacy Commissioner for Personal Data, and specify whether they transferred personal data to third parties.
The Hong Kong watchdog said that a similar scheme in the EU had been put under review after questions were raised about its effectiveness.