Much work ahead for Hong Kong compliance staff to comply with EU data privacy regulation

Thomson Reuters Regulatory Intelligence | September.26.2017

By Ajay Shamdasani 

Compliance staff at larger financial institutions in Hong Kong have a tough road ahead in gauging their overall levels of compliance with the EU's new data privacy law, industry officials said. The General Data Protection Regulation (GDPR) takes effect next spring and there is a lack of preparedness at some local firms, a lawyer said.

"If you are a compliance officer at a local bank, do a data audit now. Make sure you know what data you are collecting and where it comes from," said Paul Haswell, a partner with law firm Pinsent Masons in Hong Kong.

Firms needed to assess their data collection and processing methods with European counterparties, he said.

"Small startups can easily tell what their exposure to data originating from or being processed in the EU is. But large multinational corporations have a larger challenge: many cannot tell immediately what data they are holding, where it came from and where it is going. That is the challenge, since it is key to how you must comply with GDPR provisions. Even if you are not in Europe in any meaningful way, if you collect any data or have any processing done in Europe, or even a tiny representative office in a European city, you are still covered by GDPR," Haswell said.

The GDPR will come into force on May 25, 2018. It will affect multinational corporations, and those banking and financial institutions operating transnationally. The regulation's aim is to protect the personal data of European residents but it also has an extraterritorial effect. The GDPR's emphasis on privacy means that, once it comes into effect, its reach in terms of data processing, collection and privacy will extend well beyond the EU's borders.

Asian institutions or entities that store or process European residents' personal data will be within the GDPR's scope, as will retail websites.

"A bank or institution with an office or branch in the EU will be subject to the General Data Protection Regulation, even if that office or branch is more of a representative office for activities that are mainly carried out in Asia. Even where there are no physical operations, banks or financial institutions may be caught by the GDPR where they are providing services to EU residents," said Kolvin Stone, partner with law firm Orrick in London.

EU nationals resident in Asia were likely to be out of scope, he said. "There may be more of a grey area with EU nationals that divide their time between Europe and Asia".

"Whether it [the law] actually applies, depends on the extent to which firms have an establishment in Europe. If you do, you are likely to be already covered by existing data protection rules in Europe. Under the GDPR if you are not established in Europe but are offering [financial] services into Europe, you could be subject to EU data protection laws for the first time," said David Smith, special adviser to law firm Allen & Overy in London and former deputy data commissioner at the UK Information Commissioner's Office.

The applicability of the GDPR, ultimately, depends on two things: whether an institution has an establishment in Europe or if it offers services to customers in Europe or monitors their behaviour in Europe. The regulation applies if either is true.

This excerpt is reprinted here courtesy of Thompson Reuters Regulatory Intelligence. Click below to read the complete article.