Data privacy is a particularly sensitive issue because it has everything to do with trust. Data provided to you in trust carries with it the responsibility to use it appropriately, protect it, and keep it private. But what happens when that trust breaks down? When you have failed to meet expectations by letting sensitive personal data fall into the hands of others without consequence? Make no mistake, data privacy is material to companies large or small (even to us), and as long as you collect any personal data in any form, the same applies to you. Don’t let the lessons of Facebook and the Hong Kong Broadband Network go to waste. Here are 4 basic steps that you’ll need to take in order to properly address the risks of data privacy breaches.



Quick recap: Data Privacy refers to an organisation’s capacity to determine what data is collected, and what can or cannot be shared with third parties.

What is within, and what is beyond, your control. Your data privacy policies are well within your control, so starting there is a no-brainer. This includes having a good understanding of your own data. Ask yourself:

  • What kinds of information do we collect?
  • How do we collect them?
  • Are the processes transparent?
  • What are their purposes?
  • Are they more than reasonably necessary for their purposes?
  • Are they outdated for their original purposes?
  • What is that 6-year-old data file full of sensitive ex-customer information we no longer need still doing in our system?! Etc.

Understand the data you have like the back of your hand and make sure your collection and management processes are compliant with local regulation (such as the Personal Data Ordinance in Hong Kong). But don’t stop there. Make sure this is also enforced consistently throughout your company through leadership, training, and awareness programs. Couple all that with a privacy policy that’s transparent, comprehensive, and easily accessible, and you’ve got a good foundation of trust to build upon when your prospective customers hand you their data.


What is sometimes beyond your control however is the matter of data security. Sad to say, there is no such thing as 100% security. But that certainly doesn’t mean you should make it easy. At minimum, have a data security system in place that complies with recognised standards such as ISO 27001 (Information Security Management System). International standards can serve as common languages when communicating the quality of your data security measures. Be sure to also invest in the cyber-security training of your IT personnel. At the very least, make sure they’re trained enough to respond quickly when a data breach does happen.

Don’t assume the data in your care isn’t valuable enough to warrant extensive security measures. It doesn’t hurt to be on the safe side.


Admittedly this isn’t exactly a basic step. But remember that the digital space has been developing at a ridiculously rapid pace, and regulation has always been slow to catch up. Thanks to Facebook and now HKBN, more Hong Kong stakeholders will likely start viewing data privacy as a legitimate risk concern. In fact, we wouldn’t be all too surprised if the GRI Standards add data privacy to their emphasis, or if the Hong Kong government updates its 22-year-old Personal Data Ordinance, in the near future. But why sit there and wait for regulatory change when you can take the lead and actively participate in the discourse? Turn your risks into opportunities, and help shape the rules of the game. That is certainly what Mark Zuckerberg will be doing with the U.S. government, which is the kind of proactive leadership necessary for rebuilding public trust in a company.


Here’s an example of a pretty well written data privacy section.


“Lenovo recognizes that privacy is of great importance to individuals everywhere: our customers, website visitors, product users, employees—everyone. This is why we have established the responsible use and protection of personal and other information under our care as core Lenovo values. 

To give effect to our privacy policies, principles and processes, Lenovo maintains a global Privacy Program, led by the Legal Department, and a cross-functional Privacy Working Group comprised of key partners of the Privacy Program, including Information Security, Product Security, Product Development, Marketing, E-Commerce, Service and Repair, Human Resources and other groups. 

Key projects of the Privacy Program include:

  • Frontline engagement with Lenovo’s business teams on privacy due diligence and application of key privacy principles 
  • Internal and external privacy policies development and governance 
  • Prelaunch privacy review processes for products, software, websites, marketing programs, internal applications and vendor relationships 
  • Privacy awareness and training initiatives 
  • Contractual support 
  • Tracking and application of legal requirements and industry best practices
  • Privacy audit and assessment
  • Incident response planning and processes

If you have any further questions or concerns, please feel free to reach us at”

Not only does the report recognise that data privacy is a risk that involves EVERYONE, it also goes on to specifically outline the policies and projects designed to tackle the issue, as well as the business activities they span. And last, but not least, they have a dedicated email address for data privacy enquiries that’s easily found in the report. Comprehensive, specific, and accessible: signs of a trustworthy report, although it could benefit from more disclosure on cyber-security measures.

People provide you their data in trust, and you have a duty to be vigilant with how you handle the data entrusted to you. The bottom line? Trust takes a long time to establish, and when that trust is broken, you’re going to lose a lot of likes. 
