Personal Data Transfers in Hong Kong
Data is the foundation of a company’s digital strategies. It drives business innovation and propels digital transformation. But with the growing volume of data, companies need a reliable and robust framework to govern its use. A good data governance structure will enable organizations to take the right steps toward business value and success. It will also ensure that data is used in compliance with regulatory and contractual obligations.
Padraig Walsh from the Tanner De Witt Data Privacy practice group takes a closer look at personal data transfers in Hong Kong and the impact of local interpretations of key concepts that have significant implications for businesses.
A basic principle is that a data user must comply with the six Data Protection Principles (“DPPs”) as they apply to the personal data it controls. This includes compliance with the law on cross-border transfer of data. It is critical for businesses to be aware of this as they prepare and implement globally compliant data transfers.
What are the key points to consider in respect of data transfers?
When a Hong Kong business intends to transfer personal data abroad, it must verify that the purpose for which the data was collected (and the classes of persons to whom the data will be transferred) is still lawful under its Personal Information Collection Statement (“PICS”). This step is markedly less onerous in Hong Kong than under the GDPR and reflects the fact that Hong Kong has been at the forefront of modernising its data protection regime since 1996.
In addition, a Hong Kong data exporter must check that its PICS has disclosed to the data subject that the personal data it controls may be transferred in the manner specifically contemplated. Unless this has been done, a further obligation arises to obtain the voluntary and express consent of the data subject to the transfer of his or her personal data for a new purpose not set out in the original PICS.
If the PICS does not disclose this requirement, the data exporter must assess whether the foreign jurisdiction’s laws and practices bring its level of personal data protection up to that required by the DPPs. If this is not the case, the data exporter should identify and adopt supplementary measures to bring the level of protection up to those standards. These can include technical measures such as encryption, pseudonymisation or split processing, and contractual provisions imposing obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation.
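To make the pseudonymisation and split-processing measures mentioned above concrete, here is an added example (not part of the original article, and not Tanner De Witt's code). It assumes a constructed set of customer records and a constructed secret key; the exporter keeps the key and the re-identification table in Hong Kong and sends only the pseudonymised records to the overseas processor. A keyed HMAC is used rather than a plain hash because direct identifiers with a small value space (such as ID numbers) can otherwise be recovered by enumeration.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people and values), as a data exporter
# might hold them before transfer. "hkid", "name" and "email" are the direct
# identifiers; "order_total" and "region" are the fields the overseas processor needs.
RECORDS = [
    {"hkid": "A123456(7)", "name": "Chan Tai Man", "email": "tai.man@example.com",
     "order_total": 1200, "region": "HK Island"},
    {"hkid": "B987654(3)", "name": "Lee Siu Ming", "email": "siu.ming@example.com",
     "order_total": 850, "region": "Kowloon"},
    {"hkid": "A123456(7)", "name": "Chan Tai Man", "email": "tai.man@example.com",
     "order_total": 300, "region": "HK Island"},
]
DIRECT_IDENTIFIERS = ("hkid", "name", "email")

# Constructed demo key (assumption). In practice this is a secret that never leaves
# the exporter; it is what stops the recipient from recomputing tokens.
DEMO_KEY = b"constructed-demo-key-retained-by-exporter"


def subject_token(record, key):
    """Keyed pseudonym for the data subject, anchored on the stable identifier so that
    repeated records for the same person stay linkable for analytics."""
    return hmac.new(key, record["hkid"].encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(record, key):
    """Return a copy of the record with direct identifiers replaced by a token."""
    business_fields = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {"subject_token": subject_token(record, key), **business_fields}


def split_for_transfer(records, key):
    """Split processing: the export set crosses the border, the lookup table does not.

    Returns (export_records, lookup) where lookup maps token -> direct identifiers.
    """
    export, lookup = [], {}
    for record in records:
        pseudo = pseudonymise(record, key)
        export.append(pseudo)
        lookup[pseudo["subject_token"]] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    return export, lookup


def contains_direct_identifiers(export):
    """Pre-transfer check: True if any direct identifier field leaked into the export."""
    return any(k in rec for rec in export for k in DIRECT_IDENTIFIERS)


def reidentify(pseudo_record, lookup):
    """Exporter-side re-identification once processed results come back."""
    identifiers = lookup[pseudo_record["subject_token"]]
    business_fields = {k: v for k, v in pseudo_record.items() if k != "subject_token"}
    return {**identifiers, **business_fields}


if __name__ == "__main__":
    export, lookup = split_for_transfer(RECORDS, DEMO_KEY)
    assert not contains_direct_identifiers(export)
    for rec in export:
        print(rec)
    print("subjects in lookup table:", len(lookup))
```

The `contains_direct_identifiers` check is the kind of gate a transfer pipeline should run before anything leaves the jurisdiction; the lookup table and key are what the exporter keeps under the contractual audit and breach-notification obligations described above.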
Having an effective data governance structure is the key to successful implementation of a DPO and efficient compliance with cross-border data transfers. In order to achieve this, it is important that data governance roles and responsibilities are clearly defined. Data governance leaders act as communication bridges between business and IT and drive ongoing data audits and metrics that measure program success and ROI. They are typically senior business analysts or enterprise architects and can help to translate business needs into IT-friendly solutions. In addition, they can act as escalation points for breaches and other data governance issues.