Implementing a data governance program requires engaging employees and stakeholders from across your organization who may become eager participants in every aspect of your project. While you should welcome their enthusiasm, be prepared for some level of chaos as everyone vies to get their say – in order to meet everyone’s needs effectively it is imperative that clear responsibilities and roles for every step in the process are established from the outset.
Start off right by outlining the roles of your data governance team. Your team should likely consist of both business and IT subject matter experts who will act as liaisons between different areas – business processes, decisions, etc. – affected by your governance framework, and IT subject matter experts who understand both industries. In order to be effective stewards, these individuals need to feel at home communicating between business and IT spheres; data and enterprise architects make good business stewards while senior business systems analysts make great IT stewards.
Step two of any data governance project should be to outline its scope. This should take into account your data’s purpose, its use and classes of people it will be transferred to – all factors which may alter data transfer practices or even prohibit them altogether.
At its core, knowing whether your data constitutes personal data is of vital importance. Under the Personal Data Protection Ordinance (PDPO), personal data refers to information pertaining to an identified or identifiable individual and includes things like name, address, telephone number and email address. Although not updated since its enactment in 1996, its definition remains in line with international norms on this topic.
As such, it’s crucial for organizations to understand how the PDPO applies to them – especially if data crosses borders. Our Data Privacy practice’s Padraig Walsh notes that according to this law – data users must inform data subjects directly of its purpose for collection as well as who it may be shared with. Furthermore, this requirement extends even when processing takes place outside Hong Kong but involves transfer to or from a Hong Kong entity, unlike some laws that only cover processing that takes place locally.