Navigating data compliance is becoming a bigger challenge for businesses amid increased scrutiny
- As China’s economy continues to digitalise at a rapid pace Beijing is seeking to build a robust data governance regime
- Companies need to make sure they have good data management infrastructure in place, which allows them to keep Chinese data in China
Businesses are finding ways to navigate through a more complicated regulatory environment in mainland China and Hong Kong, as the Covid-19 pandemic forced all kinds of activities online, according to experts on Thursday at the South China Morning Post’s China Conference.
“We expect more laws coming in,” said Fuller Yu, chief information security officer at Hong Kong’s Hospital Authority. “Because number one, [data privacy] awareness from users [is increasing], and also, all countries are aware of their data as a critical asset and [are giving it] more protection.”
As China’s economy continues to digitalise at a rapid pace, Beijing is seeking to build a data governance regime that can strike a balance between unleashing the value of that data on the one hand with careful government scrutiny of how businesses handle personal data on the other.
A new national law that was passed last week, the Data Security Law, sets forward hefty punishments for companies that fail to protect their data, including those who fail to prevent large scale data leaks, and those that transfer the state’s “core data” overseas without Beijing’s approval. Companies that hand over “important data” to a foreign judiciary or law enforcement agency without approval will face a heavy penalty under the new law.
“Ultimately governments don’t want their nation’s data sitting with some other countries [and] being held by someone else, over which they have no control,” said Crystal Hui, head of data governance and analytics at AIA Hong Kong, at the China Conference. “Especially for China, they definitely have that highly secure concept in their mind. They have to keep the data in the country, so we have to do it.”
That means companies need to make sure they have good data management infrastructure in place, which allows them to keep Chinese data in China, and carry out risk management for that data as well, Hui said.
“It’s a lot of balancing work,” Hui said.
Meanwhile, in Hong Kong, the government is now reviewing and preparing to introduce possible amendments to the city’s Personal Data (Privacy) Ordinance (the “PDPO”), one of Asia’s longest-standing comprehensive data protection laws.
Passed in 1995 and taking effect in 1996, the city’s lawmakers plan to introduce amendments to the PDPO to align it better with the European Union’s General Data Protection Regulation (GDPR), putting forward stronger protection for personal data.
Increasing scrutiny of data privacy goes hand in hand with wider government moves to rein in the influence of Big Tech, and also comes at a time when internet users are becoming more aware of their privacy online after all kinds of activities were forced online by the pandemic.
“People are using a lot of online applications right now,” said Hui. “Previously [for example] we were not aware of this cookie thing, now everybody has a lot more awareness on this.” A cookie is data used to store user preferences for a specific site.
In order to gather the data needed for their businesses and to unlock its value, companies should make sure they are transparent with users about the data they are collecting and how it will be used, said Steven Fok, head of technology risk management at livi bank, a Hong Kong-based virtual bank offering online financial services.
“Never ask for more than you need.” Fok said. “Customers are very smart. They know what is the value of their data and what is the nature of their data.”