Sidley Updates
Hong Kong New PCPD Guidance on Handling Data Breaches
On June 30, 2023, Hong Kong’s data protection authority (the Office of the Privacy Commissioner for Personal Data, or PCPD) issued an updated version of its Guidance on Data Breach Handling and Data Breach Notifications (the Guidance, accessible here), which aims to guide companies on how they respond to data breaches. In particular, the Guidance contains a new recommendation for companies to adopt written data breach response plans.
The latest Guidance, which replaces the version last updated in January 2019, underscores the PCPD’s desire for companies to have robust measures in place for responding to data breaches. Although Hong Kong does not currently have a statutory data breach notification requirement, the PCPD has made it clear that companies that are able to react promptly and effectively to data breaches by implementing the recommendations in the Guidance may mitigate the risks of adverse outcomes of a data breach, such as the issuance of a PCPD enforcement notice as well as reputational harm.
The Guidance recommends that companies take the following steps in response to a breach: (i) immediate gathering of essential information to assess the impact on affected individuals (such as how the breach occurred and what personal data was involved); (ii) containing the data breach as soon and as effectively as possible; (iii) based on the sensitivity and volume of personal data subject to the data breach, assessing the risk of harm to affected individuals, such as identity theft, loss of business, or other financial loss; (iv) considering notifying the PCPD and affected individuals; and (v) documenting the data breach in a comprehensive manner that records the details of the data breach, how it was contained, and remedial actions taken by the company.
A new recommendation in the latest Guidance is for companies to have a “comprehensive” written data breach response plan that sets out the procedures for implementing these steps. The Guidance explains that this is to ensure that companies can act upon data breaches in a “prompt” manner to “minimize and contain the impact of a breach.” The need for companies to act promptly has been noted by the PCPD when it has publicly criticized companies that in its view failed to notify the PCPD and affected individuals of a data breach in a timely manner.
With respect to notification of data breaches, the Guidance emphasizes the PCPD’s stance that companies “should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects.” In this regard, the PCPD has made it easier to notify the PCPD of a suspected data breach by launching a new electronic portal alongside the Guidance (accessible here). Previously, data breaches had to be notified by downloading a form from the PCPD’s website and submitting it by email, fax, or post. The portal is a welcome introduction that should enable companies to make notification in a timelier manner.
Accordingly, companies that collect, hold, process, or use personal data in or from Hong Kong should review the recommendations in the Guidance. Companies that do not have a data breach response plan should consider preparing one, and companies with existing response plans should consider whether they reflect the recommendations in the Guidance.
Attorney Advertising. Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP
Contact
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or contact us.