Skip to content

Media Statements

Media Statements

Date: 16 August 2018

Privacy Commissioner Issues Best Practice Guide on Privacy Management Programme and
Encourages Organisations to Embrace Personal Data Protection as Part of Corporate Governance Responsibilities

The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG issued the revised Best Practice Guide on Privacy Management Programme (the Guide), which aims at assisting organisations in constructing a comprehensive Privacy Management Programme (PMP).  The Guide is a “2.0 version” of the 2014 issue, with more concrete examples, charts, templates of questionnaire and checklist for reference. 
The Privacy Commissioner advocates that organisations should develop their own PMP.  Organisations should embrace personal data protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation, starting from the boardroom.  The Privacy Commissioner said, “With the growing public expectations for privacy protection, organisations should go further than merely treating personal data protection as a compliance issue.  Constructing a comprehensive PMP not only can build trust with customers, but also enhance the organisation’s reputation as well as competitiveness.  In fact, the European Union’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018, expressly incorporates an accountability principle.  Obviously, the adoption of accountability approach in handling personal data through implementation of PMP becomes a global trend for organisations.”
The Guide provides the practical advice in constructing a comprehensive PMP as follows: 
  1. The Benefits of Implementing a Privacy Management Programme
  2. Components of a Privacy Management Programme
  1. Organisational Commitment
  • Buy-in from the Top
  • Appointment of Data Protection Officer/Establishment of Data Protection Office
  • Establishment of Reporting Mechanisms
  1. Programme Controls
  • Personal Data Inventory
  • Internal Policies on Personal Data Handling
  • Risk Assessment Tools
  • Training, Education and Promotion
  • Handling of Data Breach Incident
  • Data Processor Management
  • Communication 
  1. Ongoing Assessment and Revision
  • Development and Oversight and Review Plan
  • Assessment and Revision of Programme Controls
The Best Practice Guide on Privacy Management Programme is now available for download on the PCPD website:
The Privacy Commissioner will organise seminars and professional workshops on PMP, and introduce an online toolkit, so as to help organisations develop their own PMP and treat personal data protection as part of their corporate governance responsibilities.
- END -

Best Practice Guide on
Privacy Management Programme