What does GDPR mean to financial technologists?

Innovative technologies have developed rapidly. Many companies use advanced innovations to tap user data in order to understand users’ needs, upgrade operations, and discover business opportunities. However, this has raised data privacy issues. The Facebook data leak scandal has caused wider concern about user data privacy. To safeguard user data privacy, the European Union (EU) implemented the General Data Protection Regulation (GDPR) this year on May 25.

How does the GDPR affect Hong Kong companies?

Dubbed the strictest data protection law, the GDPR puts EU citizens in control of their data. The GDPR applies to any business that processes the personal data of EU citizens, whether inside or outside EU jurisdictions. In other words, the regulation applies to Hong Kong companies whose businesses include processing operations related to EU citizens that require regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of processing sensitive personal data, or data relating to criminal convictions and offences, on a large scale.

The GDPR highlights an accountability principle and requires companies to implement measures to ensure compliance. Hong Kong companies that process EU citizens’ data are required to appoint a Data Protection Officer (DPO) to monitor and advise on GDPR compliance; conduct a Data Protection Impact Assessment (DPIA) before engaging in any data processing that may put individuals’ rights at risk; apply Privacy by Design and by Default when determining the means of processing, integrating the necessary safeguards to realise the data protection principles; keep records of processing activities; and formulate data processing policies for compliance and accountability purposes. In case of a data breach, a company is required to issue a mandatory breach notification no later than 72 hours after noticing the breach.

How should financial technologists cope with the GDPR?

The financial sector, as one of the industries that deal with considerable amounts of sensitive personal user data, may expect more attention from the regulatory authority and the public. That is why financial technologists need to watch out for GDPR compliance risk and comply with the principles for processing personal data stipulated in the GDPR.

The overriding principle of the GDPR is to safeguard the data privacy of EU citizens, so financial technologists are obliged to protect the rights and privacy of data subjects when formulating and implementing their technical and organisational policies. When processing user data or overseeing its processing, financial technologists should ensure that the service concerned only collects and processes the personal data stipulated in documented instructions, processes data confidentially, keeps the processed data secure, and responds to requests to delete or return the data after the processing activity.

The GDPR emphasises data subjects’ control over their own data, which is why the consent of the data subject is the prerequisite for lawful processing of personal data. It is essential for financial technologists to ensure that their service platforms present a clear and intelligible request for consent from data subjects, which should also inform data subjects of the option of withdrawing their consent at any time. Consent for minors’ data should also be obtained, through authorisation by their guardians.

Companies do not simply need to obtain data subjects’ consent to data usage; they also need to respect how and to what extent data subjects want their data to be used, by offering the options of data rectification, objection, restriction and erasure, the right to be forgotten and the right to data portability. Financial technologists need to review their practices against these enhanced rights for data subjects. With the rapid advancement and increasing adoption of financial technologies to predict business trends and analyse customers’ needs, user data is inevitably collected and analysed in the financial sector. Such practices may go against the GDPR, as the GDPR allows data subjects to object to data processing or profiling that is carried out for direct marketing purposes, for interests pursued by the company concerned or a third party, for statistical purposes, etc. Financial technologists need to ensure that options are provided to allow data subjects to object to data processing or to have their data deleted.

A more secure approach to handling user data can help build customers’ trust in the company and improve customer service. Financial technologists should take this chance to review their technical practices against the GDPR to safeguard the public’s right to their personal data while securing the company’s services, achieving a win-win situation.


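What the General Data Protection Regulation means for financial technology practitioners

Innovative technology is advancing by leaps and bounds. Many companies use it to tap user data and extract useful information, helping them better understand users' needs, improve operations and discover business opportunities. However, using user data inevitably raises concerns about infringement of personal data and privacy, and the recent series of incidents in which Facebook leaked user information has drawn wide public concern. To safeguard user data, the European Union has implemented the General Data Protection Regulation (GDPR) since May 25 this year. Some regard the GDPR as the strictest personal data protection law in history.

How does the GDPR affect Hong Kong companies?

The GDPR returns control of personal data to users themselves, giving EU residents greater power to decide how their personal data is used. The GDPR applies to all businesses that process EU residents' data, including businesses outside the EU. In other words, any Hong Kong company whose business involves processing EU residents' data, including regular and systematic monitoring of personal data on a large scale, or whose core business involves processing large volumes of sensitive personal data or data relating to criminal convictions and offences, must comply with the GDPR.

The GDPR emphasises the accountability principle and requires companies to take measures to ensure compliance. Under the GDPR, any Hong Kong company whose business involves processing EU residents' data must comply with the following requirements:

  • Appoint a Data Protection Officer, responsible for monitoring and advising on the company's GDPR compliance;

  • Conduct a Data Protection Impact Assessment before carrying out any data processing activity that may put individuals' rights at risk;

  • Adopt Privacy by Design and by Default, that is, combine the necessary safeguards when deciding how data is processed, putting the data protection principles into practice;

  • Keep records of data processing activities;

  • Establish policies and measures for compliance and accountability purposes;

  • If a data breach occurs, issue a notification within 72 hours of discovering the breach.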

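How should financial technology practitioners respond to the GDPR?

The financial industry handles large volumes of sensitive personal data every day and readily attracts particular attention from regulators and the public. Financial technology practitioners therefore need to pay special attention to GDPR compliance risk and ensure that their companies follow the GDPR's provisions.

The overriding principle of the GDPR is to protect the personal data and privacy of EU residents, so financial technology practitioners must aim to protect users' rights and privacy when formulating and implementing technical and organisational measures. When processing data or overseeing data processing, financial technology practitioners must:

  • Ensure that the service concerned processes personal data only in accordance with the controller's written instructions;

  • Process data confidentially;

  • Ensure that data processing is secure;

  • Respond to users' requests to delete or return their personal data once processing is complete.

The GDPR emphasises users' control over their personal data, so users' consent and authorisation are a necessary precondition for data processing activities to be lawful. Financial technology practitioners must therefore seek users' consent on the company's website or service platform in clear and easily understood wording, and must inform users that they have the right to withdraw consent at any time. If the user is a minor, the company must still obtain authorisation from the user's parents or legal guardians.

Besides obtaining users' consent to process personal data, companies must also respect users' right to decide how and to what extent their data is used, including meeting users' requests for data rectification, objection, restriction, erasure, the right to be forgotten and the right to data portability. Financial technology practitioners need to examine whether their industry practices are consistent with these user rights. With the rapid development and wide industry adoption of financial technology, the financial industry increasingly collects and analyses user data to predict industry trends and understand customers' needs. This runs counter to certain principles of the GDPR: for example, the GDPR gives users the right to object to any data processing and profiling activity that is used for direct marketing, involves the interests of the company concerned or a third party, is for statistical purposes, etc. Financial technology practitioners must therefore give users the option to object to data processing and to have it deleted.

Financial technology practitioners should seize the opportunity to review their business practices against the GDPR and handle user data in a more reliable and secure way. Doing so not only builds customers' trust in the company and raises the standard of customer service, but also strengthens the company's services while protecting the public's right to the use of their personal data, achieving a win-win outcome.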

New York passed a new law on home-sharing to regulate Airbnb business

Last week New York imposed a regulation requiring Airbnb to disclose hosts’ information and transaction data to the authority. Under the new law, Airbnb will have to report hosts’ information such as names and addresses through electronic reports. The regulation aims to combat illegal short-term rentals and will go into effect in 180 days. Non-compliance will result in heavy fines.

Launched in 2008, Airbnb is a home-rental company that has risen from the new sharing economy. As most new-economy businesses have done to traditional industries, Airbnb has disrupted the hotel industry. The new New York law aims to clamp down on unlicensed guesthouses and the rising housing stock resulting from short-term rentals. However, the law may also infringe on hosts’ privacy.

The New York law was not the first attempt by an authority to regulate Airbnb businesses. Earlier this year Japan passed a stringent home-sharing regulation requiring hosts to register their listings and limiting home-sharing in Japan to 180 days a year. Local governments in Japan are enforcing even stricter regulations in their areas. For example, in Yokohama and Tokyo’s Shinjuku, Nerima, Bunkyo, etc., home-sharing is banned on weekdays. The stringent law led to Airbnb dropping almost 80% of its Japanese listings.

As the new sharing economy emerged and thrived, new business models such as Airbnb home-sharing developed ahead of regulation. While the new model injects dynamic energy into the business by introducing a unique traveller experience, it brings problems that fall outside regulation, such as hosts avoiding lodging taxes, safety issues, blows to housing markets, etc. The new law will be able to tackle illegal rentals by keeping an eye on hosts, combating hosts who rent out apartments in which short-term rentals are forbidden, commercial operators that run unlicensed listings, etc. By curbing illegal rentals, more housing can be released back to the market. The regulation also secures the service with a regulated list of hosts. Despite all the advantages expected to come with the law, it will almost ruin the original idea of sharing spare home space with people for a charge and strangle the model of creating value out of available resources.

The tension between the hotel industry and the new sharing economy has been an issue that needs to be resolved. More similar regulatory attempts are expected to come in future. The public should pay attention to the development.


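New York's new law cracks down on Airbnb's sharing business

Last week New York signed a bill requiring Airbnb to submit host information and transaction data, including hosts' names and addresses, to the New York authorities every month in the form of electronic reports, in order to combat illegal rentals. The new law takes effect 180 days after signing, and violations will incur heavy fines.

Founded in 2008, Airbnb is a home-sharing company that has grown rapidly under the sharing economy. Many sharing-economy companies and businesses have had a disruptive effect on traditional industries, and Airbnb is no exception, dealing a blow to the hotel industry. The New York City law aims to combat illegal rentals and the rising rents and falling vacancy rates brought about by short-term rentals. However, the new law will infringe on hosts' privacy.

New York is not the first place to regulate Airbnb's business. Early this year Japan also enacted a strict new law targeting home-sharing rentals: operators must register, and the rental period may not exceed 180 days in a year. Local governments have tightened the rules further; for example, in Yokohama and Tokyo's Shinjuku, Nerima and Bunkyo wards, operators may not rent out homes from Monday to Friday. Under the new law, nearly 80% of Airbnb's Japanese listings were taken down.

The sharing economy is thriving, and new business and economic models are developing rapidly, free from legal regulation and supervision. Although Airbnb's business model gives travellers a unique accommodation experience and injects energy and fresh ideas into the industry, the lack of legal supervision has caused various problems, such as tax evasion by hosts, guest safety issues and rising local rents. The new law is expected to combat illegal short-term rentals effectively and to stop businesses from operating unregistered properties. Combating illegal rentals can return more properties to the market, while the supervision of hosts protects guests. However, the new law will stifle the concept of creating greater value by sharing idle resources.

The conflict between the hotel industry and the sharing economy remains to be resolved. There will be more regulatory action on sharing-economy models in future, and the public should keep an eye on developments.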

 

How to reduce consumption of plastic bags

Korea plans to ban plastic bags in supermarkets and malls this year to further tighten its crackdown on plastic waste. At present, Korea has a plastic bag levy scheme in effect, making it compulsory for retail shops to charge an extra fee for plastic bags. The new plan is set to further reduce the use of plastic bags, obliging the 11,000 supermarkets and 2,000 shopping malls to provide recycled paper bags, cardboard boxes or reusable bags instead.

The plan is a stricter enforcement against the use of plastic bags, eliminating their use at one of the major sources of consumption. Hong Kong imposed the first phase of an environmental levy on plastic shopping bags in 2009, which came into full force in 2015 and extended to more than 100,000 retail points. Though the levy yielded a significant decrease in the landfill disposal of plastic bags from the retail industry in the initial phase, consumption of the bags rebounded by more than 9% in 2016. A more stringent approach may be needed to cut down on the usage.

Imposing a ban in the retail industry can be one effective measure. Hong Kong may learn from Korea in the fight against the consumption of plastic bags. Countries or regions such as Australia, China, Kenya, Chile, Karnataka in India, etc. also ban the use of plastic bags. While it is vital for the government to take the lead in reducing plastic bag consumption, citizens’ environmental awareness to cut down on the usage is just as critical. Citizens can reduce plastic bag usage according to the 4R principles, namely reduce, reuse, recycle and replace.

To reduce usage, we should only use plastic bags when necessary. Replacing plastic bags with reusable ones is an effective way. To make the most of plastic bags, we should reuse used ones. For example, we can clean used plastic bags and keep them in a tissue box so that they can be easily dispensed for reuse. Making creative use of plastic bags is also a good idea, such as crafting artistic decorations, recycled bags, umbrella wraps, etc. We should avoid throwing plastic bags away and instead recycle them at the “brown” recyclables collection bins. By minimising the consumption of plastic bags and maximising their use, we can help build a greener city.


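How to reduce the use of plastic bags

South Korea plans to ban supermarkets and shopping malls from providing plastic bags within this year. Korea currently imposes a levy on plastic shopping bags, and the new policy will further combat plastic waste pollution. Under the new policy, Korea's 11,000 supermarkets and 2,000 shopping malls may only provide paper bags, cardboard boxes or reusable bags in place of plastic bags.

South Korea's new plastic bag policy cracks down hard on plastic bags, reducing their use at the source of consumption. Hong Kong launched the first phase of its Environmental Levy Scheme on Plastic Shopping Bags in 2009 and implemented it in full in 2015, covering more than 100,000 retail points. Although the levy scheme greatly reduced the amount of plastic bags from the retail industry disposed of at landfills in its first phase, the figure rebounded by more than 9% in 2016. Improving the situation calls for a stricter approach.

Hong Kong can follow South Korea's example and ban the retail industry from providing plastic bags. In fact, many countries and regions have already adopted plastic-bag-free practices, such as Australia, China, Kenya, Chile and the Indian state of Karnataka. Although it is vital for the government to take the lead in reducing plastic bag use, it is equally essential that citizens have the environmental awareness to use fewer plastic bags on their own initiative. Citizens can refer to the 4R principles to reduce waste, namely Reduce, Reuse, Recycle and Replace.

To reduce usage, we should use plastic bags only when necessary and, as far as possible, replace them with reusable shopping bags. When a plastic bag does have to be used, it should be put to the fullest use afterwards; for example, after cleaning, it can be stored in an empty tissue box for convenient use next time. Making creative use of plastic bags, turning them into artistic decorations, eco-friendly bags or umbrella bags, is also a good way of putting waste to use. If plastic bags have to be disposed of, we should avoid throwing them away directly and instead put them in the "brown plastic bottle" recycling bins so that they can be recycled. A green city needs the efforts of its citizens, cutting waste by using less and making the most of what is used.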

How to live a normal pressure life

Recently I came across this blood pressure chart, which shows blood pressure readings ranging from low and normal through prehypertension to hypertension. Hypertension is the medical term for high blood pressure. The normal blood pressure reading for an adult should be less than 120 over 80 (<120 systolic and <80 diastolic).

There are many reasons that lead to hypertension, such as a stressful lifestyle, tight schedules, unhealthy diets, a lack of exercise, insufficient sleep, etc. All are commonplace in a hectic urban lifestyle. No wonder hypertension remains one of the most commonly seen diseases in urbanites. Other factors that contribute to hypertension include bad habits like smoking, drinking, etc., as well as genetics and ageing.

While a busy urban lifestyle may be unavoidable, we can try to squeeze in healthy patterns to lower our blood pressure and relieve stress. The following is a list of items that contribute to normal blood pressure and a less stressful life:

  • Exercise more
  • Eat more vegetables, fruit, and less salt
  • Cut down on caffeine and alcohol
  • Gain adequate sleep
  • Keep an eye on your body mass index (BMI) and lose weight when necessary
  • Manage stress

I believe everybody is well acquainted with these items, and the rest lies in how to realise them. Despite a busy schedule, I try to embed the items into my daily routine, such as walking whenever possible. I also find apps that help you keep a healthy lifestyle very useful. There are lots of mobile apps out there that help you set goals and track progress. For example, some sports apps record your exercise patterns in a calendar and encourage you to exercise with regular reminders. These apps allow you to keep track of your goals with measurable figures and to adjust goals accordingly.

Everybody is different, so how to adapt the items into one’s routine varies too. Nevertheless, setting measurable goals and tracking progress are critical. Mobile apps can play a part here. I hope everybody can find a way to realise a normal pressure lifestyle.


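How to keep blood pressure normal and stay relaxed in body and mind

Recently I saw this hypertension guideline chart, which uses different colours to mark the standards for blood pressure levels, from low and normal through prehypertension to hypertension. Hypertension means that raised blood pressure increases the burden on the heart in driving blood circulation. Normal blood pressure for an adult is generally a systolic blood pressure below 120 mmHg and a diastolic blood pressure below 80 mmHg.

There are many causes of hypertension, such as a tense pace of life, a busy work schedule, an unhealthy diet, a lack of exercise and insufficient sleep. These are very common in busy city life, and city dwellers have grown used to them, so hypertension has become a common urban disease. Other factors leading to hypertension include bad habits such as smoking and heavy drinking, and natural factors such as heredity and old age.

Although a busy lifestyle is unavoidable, we can still do our best to build good habits into our lives, thereby lowering high blood pressure and releasing stress at the same time. The following are some ways to keep blood pressure normal and reduce stress:

  • Exercise more

  • Eat more fruit and vegetables, and reduce salt intake

  • Reduce intake of caffeine and alcohol

  • Get enough sleep

  • Keep an eye on your body mass index (BMI), and lose weight when necessary

  • Relieve stress

I believe most people are familiar with the suggestions above and only need to take the step of putting them into practice. Like many people, I am very busy too; even so, I try to build the suggestions into my usual schedule, such as moving around more. There are also many mobile apps on the market that can help you live healthily, for example apps that help you set goals and track progress, and many sports apps that record your exercise on a calendar and remind you to exercise at regular times. These apps make it easier for you to review your exercise records, including figures and times, so that you can easily adjust your pace.

Everybody is different, and so is the way each person puts a low-pressure life into practice, but setting measurable goals and tracking progress are essential. Making good use of mobile apps is one effective way to help us reach our goals.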