HK privacy watchdog releases new guidelines on data breach handling

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

Hong Kong's privacy watchdog has issued new guidelines on data breach handling and data breach notifications to assist organisations in preparing themselves in the event a data breach occurs.

This comes as the number of data breach incidents reported to the Office of the Privacy Commissioner for Personal Data (PCPD) in the first half of 2023 has increased by more than 20% to 55 cases when compared to the second half of 2022. The impact of data breaches goes beyond harm to the affected individuals as organisations can also suffer reputational damage and other losses.

The new Guidance on Data Breach Handling and Data Breach Notifications recommended that organisations should follow the following key steps when handling a data breach, which include immediate gathering of essential information, containing the data breach, assessing the risk of harm, considering giving data breach notifications and documenting the breach.

The guidance also pointed out that organisations should notify the PCPD and the affected data subjects as soon as practicable after becoming aware of the data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects.

Separately, the PCPD has launched an e-data breach notification form. The online form is a web-based form with guided questions and multiple-choice answers which enables organisations to grasp the details of data breach incidents more comprehensively and effectively, and report data breach incidents to the PCPD in a more convenient manner.

"There has been an increase in data breach incidents in recent years, with organisations of all sizes and industries falling victim to cyberattacks, human errors and the like," said Ada Chung, the privacy commissioner for personal data. “ To safeguard data security, the guidance recommends that organisations should formulate a data breach response plan to enable them to respond to data breach incidents promptly and manage them effectively."

The guidance also provided a clear step-by-step guide to assist organisations in handling and managing data breach incidents properly, with a view to minimising the impact on the affected individuals as well as the potential damage to the organisations, she added.

share on