A data governance program involves a lot of people. Even if your actual data governance team is small, the project will impact employees, partners and customers who depend on your data. Many of them will have strong opinions about how the framework should be used. It is important to identify them and involve them in the process. You should also identify the responsibilities of each person. A responsibility assignment matrix, such as RACI (responsible, accountable, consulted and informed), can help you organize this.
A common approach to data governance is to have a data steward for each type of business unit or process. The steward is responsible for translating how the framework affects that unit’s business processes, decisions and interactions. Strong stewards are both business and IT savvy and can act as communication bridges between business and IT. Data and enterprise architects and senior business systems analysts are excellent candidates.
Another common way to approach data governance is to focus on a specific area of the data life cycle. This may be a particular application of the information security policy or an aspect of the privacy code. This approach can provide a clear and practical focus for the team. It is also less likely to result in a large number of different policies and procedures.
Data exports
When a Hong Kong data user transfers personal data to a location outside Hong Kong, it is required under the PDPO to carry out a transfer impact assessment. The purpose of this assessment is to ensure that the level of protection afforded to the personal data by the foreign jurisdiction meets the standards set out in the PDPO. The statutory exemptions in the PDPO allow for some flexibility, but the data user must take a balanced view of the risk versus benefit.
The PCPD has published two sets of recommended model clauses for use in contracts involving cross-border data transfers. These cover the transfer of personal data to a place outside Hong Kong and between two locations where one is outside Hong Kong and the other is controlled by a Hong Kong data user.
Section 33 of the PDPO prohibits the transfer of personal data outside Hong Kong, unless certain conditions are fulfilled. This position is unusual and seems to run counter to international trends. However, it is based upon considerations that are very specific to Hong Kong and its relationship with the mainland and the rest of the world. It remains to be seen whether, in the long term, this will change. In the meantime, businesses should be mindful of this and should take a cautious but proactive approach to cross-border data transfers. In addition, they should keep abreast of the latest developments in this field.