What does GDPR mean to financial technologists?

Innovative technologies have developed rapidly. Many companies use advanced innovations to tap user data in order to understand users’ needs, upgrade operations, and discover business opportunities. However, this has raised data privacy issues. The outbreak of the Facebook data leak scandal has caused wider concern about user data privacy. To safeguard user data privacy, the European Union (EU) implemented the General Data Protection Regulation (GDPR) this year on May 25.

How does the GDPR affect Hong Kong companies?

Dubbed the strictest data protection law, the GDPR puts citizens in the EU in control of their data. The GDPR applies to any business that processes the personal data of EU citizens, whether inside or outside EU jurisdictions. In other words, the regulation applies to Hong Kong companies whose business includes processing operations related to EU citizens that require regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of processing sensitive personal data on a large scale or data relating to criminal convictions and offences.

The GDPR highlights an accountability principle and requires companies to implement measures to ensure compliance. Hong Kong companies whose business involves processing EU citizens’ data are required to appoint a Data Protection Officer (DPO) to monitor and advise on GDPR compliance; conduct a Data Protection Impact Assessment (DPIA) before engaging in any data processing that may put individuals’ rights at risk; apply Privacy by Design and by Default when determining the means of processing, integrating the necessary safeguards to realise the data protection principles; keep records of processing activities; and formulate data processing policies for compliance and accountability purposes. In case of a data breach, a company is required to issue a mandatory breach notification no later than 72 hours after noticing the breach.

How should financial technologists cope with the GDPR?

The financial sector, as one of the industries that deal with considerable amounts of sensitive personal user data, may expect more attention from the regulatory authority and the public. That is why financial technologists need to watch for GDPR compliance risk and comply with the principles for processing personal data stipulated in the GDPR.

The overriding principle of the GDPR is to safeguard the data privacy of EU citizens, so financial technologists are obliged to protect the rights and privacy of data subjects in formulating and implementing their technical and organisational policies. In processing or overseeing the processing of user data, financial technologists should ensure that the service concerned collects and processes only the personal data stipulated in documented instructions, processes data confidentially, ensures the safety of the data processed, and answers requests to delete or return the data after the processing activity.

The GDPR underlines data subjects’ control over their own data, which is why the consent of the data subject is the prerequisite for legal processing of personal data. It is essential for financial technologists to ensure that their service platforms present a clear and intelligible request for consent from data subjects, which should also inform data subjects of the option of withdrawing their consent at any time. Consent for minors should also be obtained, through the authorisation of their guardians.

Companies not only need to obtain data subjects’ consent to the use of their data, but also need to respect how and to what extent data subjects want their data to be used, by allowing the options of data rectification, objection, restriction, erasure, the right to be forgotten and the right to data portability. Financial technologists need to review their practices for alignment with these enhanced rights for data subjects. With the rapid advancement and increasing adoption of financial technologies to predict business trends and analyse customers’ needs, user data is inevitably collected and analysed in the financial sector. Such practices may go against the GDPR, as the GDPR allows data subjects to object to data processing or profiling that is for direct marketing purposes, for interests pursued by the company concerned or a third party, for statistical purposes, etc. Financial technologists need to ensure that options are provided for data subjects to object to data processing or to have their data deleted.

A more secure approach to handling user data can contribute to building customers’ trust in the company and improving customer services. Financial technologists should take this chance to review their technical practices against the GDPR to safeguard the public’s right to their personal data, while securing the company’s services to achieve a win-win situation.


The impact of the General Data Protection Regulation on financial technology practitioners

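Innovative technology is advancing by leaps and bounds. Many companies use it to tap user data and extract useful information, so that businesses better understand users’ needs, improve their operations and discover business opportunities. However, using user data inevitably raises concerns about infringing personal data and privacy, and the recent series of incidents in which Facebook leaked user information has drawn wide public attention. To safeguard user data, the European Union has implemented the General Data Protection Regulation (GDPR) from May 25 this year. The GDPR is regarded by some as the strictest personal data protection law in history.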

How does the GDPR affect Hong Kong companies?

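The GDPR returns control of personal data to users themselves, giving EU residents greater power to decide how their personal data is used. The GDPR applies to all businesses that process EU residents’ data, including businesses outside the EU. In other words, any Hong Kong company must comply with the GDPR if its business involves processing EU residents’ data, including regular and systematic monitoring of personal data on a large scale, or if its core business involves processing sensitive personal data on a large scale or data relating to criminal convictions and offences.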

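The GDPR emphasises the accountability principle and requires companies to take measures to ensure compliance. Under the GDPR, any Hong Kong company whose business involves processing EU residents’ data must comply with the following requirements:

  • Appoint a Data Protection Officer to monitor and advise on the company’s GDPR compliance;

  • Conduct a Data Protection Impact Assessment before carrying out any data processing activity that may put individuals’ rights at risk;

  • Adopt Privacy by Design and by Default, that is, integrate the necessary safeguards when determining the means of data processing, so as to put the data protection principles into practice;

  • Keep records of data processing activities;

  • Establish policies and measures for compliance and accountability purposes;

  • In the event of a data breach, issue a notification within 72 hours of discovering the breach.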

How should financial technology practitioners respond to the GDPR?

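The financial industry processes large volumes of sensitive personal data every day and readily attracts particular attention from regulators and the public. Financial technology practitioners therefore need to pay special attention to GDPR compliance risk and ensure that their company follows the GDPR’s provisions.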

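The overriding principle of the GDPR is to protect the personal data and privacy of EU residents, so financial technology practitioners must aim to safeguard users’ rights and privacy when formulating and implementing technical and organisational measures. When processing data or overseeing data processing, financial technology practitioners must:

  • Ensure that the service concerned processes personal data only in accordance with the controller’s written instructions;

  • Process data confidentially;

  • Ensure the security of the data processed;

  • Respond to users’ requests to delete or return their personal data after the processing is complete.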

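The GDPR emphasises users’ control over their personal data, so the user’s consent and authorisation are a necessary precondition for data processing to be carried out lawfully. Financial technology practitioners must therefore seek users’ consent on the company website or service platform in clear and easily understood wording, and must inform users that they have the right to withdraw consent at any time. Where the user is a minor, the company must still obtain authorisation from the user’s parents or legal guardians.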

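Besides obtaining users’ consent to process personal data, companies must also respect users’ right to decide how and to what extent their data is used, including meeting users’ requests for rectification, objection, restriction, erasure, the right to be forgotten and data portability. Financial technology practitioners need to review whether their industry practices are consistent with these user rights. With the rapid development and wide adoption of financial technology, the financial industry increasingly collects and analyses user data to predict industry trends and understand customers’ needs, which runs counter to certain principles of the GDPR. For example, the GDPR gives users the right to object to any data processing and profiling that is used for direct marketing, involves the interests of the company concerned or a third party, or is for statistical purposes, among others. Financial technology practitioners must therefore provide users with options to object to and delete data processing.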

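Financial technology practitioners should take this opportunity to review their business practices against the GDPR and handle user data in a more reliable and secure way. Doing so not only builds customers’ trust in the company and raises the standard of customer service, but also strengthens the company’s services while safeguarding the public’s right to the use of their personal data, achieving a win-win outcome.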

How to reduce consumption of plastic bags

Korea plans to ban plastic bags in supermarkets and malls this year to further tighten its crackdown on plastic waste. At present, Korea has in effect a plastic bag levy scheme that makes it compulsory for retail shops to charge an extra fee for plastic bags. The new plan will further reduce the use of plastic bags, obliging the 11,000 supermarkets and 2,000 shopping malls to provide recycled paper bags, cardboard boxes or reusable bags instead.

The plan is a stricter enforcement against the use of plastic bags, which eliminates their use at one of the major sources of consumption. Hong Kong imposed the first phase of an environmental levy on plastic shopping bags in 2009, which came into full force in 2015 and was extended to more than 100,000 retail points. Though the levy yielded a significant decrease in the landfill disposal of plastic bags from the retail industry in the initial phase, consumption of the bags rebounded in 2016 by more than 9%. A more stringent approach may be needed to cut down on the usage.

Imposing a ban in the retail industry can be one effective measure. Hong Kong may learn from Korea in the fight against the consumption of plastic bags. Countries or regions such as Australia, China, Kenya, Chile, Karnataka in India, etc. also ban the use of plastic bags. While it is vital for the government to take the lead in reducing plastic bag consumption, citizens’ environmental awareness in cutting down on usage is just as critical. Citizens can reduce plastic bag usage according to the 4R principles, namely reduce, reuse, recycle and replace.

In order to reduce usage, we should use plastic bags only when necessary. Replacing plastic bags with reusable ones is an effective way to do so. To make the most of used plastic bags, we should reuse them. For example, we can clean used plastic bags and keep them in a tissue box so that they can be easily dispensed for reuse. Making creative use of plastic bags is also a good idea, such as crafting artistic decorations, recycled bags, umbrella wraps, etc. We should avoid throwing plastic bags away, and instead recycle them at the “brown” recyclables collection bins. By minimising the consumption of plastic bags and maximising their use, we can help build a greener city.


How to reduce the use of plastic bags

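South Korea plans to ban supermarkets and shopping malls from providing plastic bags within this year. South Korea currently operates a levy on plastic shopping bags, and the new policy will further combat plastic waste pollution. Under the new policy, South Korea’s 11,000 supermarkets and 2,000 shopping malls can only provide paper bags, cardboard boxes or reusable plastic bags in place of plastic bags.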

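South Korea’s new policy cracks down hard on plastic bags, reducing their use at the source of consumption. Hong Kong introduced the first phase of the Environmental Levy Scheme on Plastic Shopping Bags in 2009 and implemented it in full in 2015, covering more than 100,000 retail points. Although the levy scheme substantially reduced the volume of plastic bags from the retail industry disposed of at landfills in its first phase, the figure rebounded by more than 9% in 2016. A stricter approach is needed to improve the situation.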

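Hong Kong can follow South Korea’s example and ban the retail industry from providing plastic bags. In fact, many countries and regions have already adopted plastic-bag-free practices, such as Australia, China, Kenya, Chile and the state of Karnataka in India. While it is vital for the government to take the lead in reducing plastic bag use, it is equally essential that citizens have the environmental awareness to use fewer plastic bags on their own initiative. Citizens can refer to the 4R principles to reduce waste, namely Reduce, Reuse, Recycle and Replace.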

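To reduce usage, we should use plastic bags only when necessary and, as far as possible, replace them with reusable shopping bags. Where a plastic bag is used, it should be put to full use afterwards; for example, after cleaning it can be stored in an empty tissue box for convenient use next time. Making creative use of plastic bags, such as turning them into artistic decorations, eco-friendly bags or umbrella bags, is also a good way to make use of waste. If plastic bags have to be disposed of, we should avoid throwing them away directly and instead put them in the “brown plastic bottle” recycling bins so that they can be recycled. A green city needs citizens’ efforts to reduce waste by using less and making the most of what is used.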

Belt and Road Summit 2018 celebrated success of the development while reflecting on more future collaborative opportunities

I was excited to join the Belt and Road Summit 2018, where officials from the mainland and Hong Kong as well as industry leaders gathered on this occasion to share updates and inspirations on the Belt and Road development. It was held in the Hong Kong Convention and Exhibition Centre, and attracted around 5000 people from 55 countries to come together to explore the summit’s theme, Collaborate for Success.

The Chief Executive of the HKSAR, Carrie Lam, gave an opening speech for the occasion, while the Chairman of the HKTDC, Vincent HS Lo, delivered the welcoming remarks. In the uplifting speeches, we could clearly feel the success of and prosperity brought by the initiative. During the summit, a free trade agreement was signed between Hong Kong and Georgia. As a door to the Caucasus and Central Asia, Georgia will play a critical role in linking Europe and Asia and the free trade agreement marked a promising beginning.

At the Plenary Session titled “Action through Collaboration: Case Studies on Signature Belt and Road Projects” chaired by President of Asia Financial Holdings Limited, Bernard Chan, Belt and Road initiative investment opportunities were discussed and insights shared by President of China Communications Construction Group Liu Qitao, Vice Chairman of All-China Federation of Industry and Commerce and Chairman of Zhejiang Geely Holding Group Li Shufu, Chairman of MTR Corporation Limited Professor Frederick Ma, Chairman of Metro Pacific Investments Corporation Manuel V Pangilinan, and Vice Chairwoman of Indonesian Chamber of Commerce and Industry (KADIN Indonesia) and Chief Executive Officer of Sintesa Group, Shinta Widjaja Kamdani. This marked the highlight of the summit. Afterwards many discussion sessions unfolded where financing for infrastructure, information technology, engineering, green finance, risk management, legal services, etc. were explored.

It was an eye-opening experience to hear reviews from industry leaders on the development of the national strategy. It also offered a good chance to reflect on what role your industry plays and what position can be taken in this initiative.


Belt and Road Summit celebrates development achievements and reviews future opportunities for cooperation

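I was very pleased to take part in this year’s Belt and Road Summit, where officials from the mainland and Hong Kong and leaders from all walks of life gathered to share the achievements and latest developments of the Belt and Road and to review future opportunities for cooperation. The summit was held at the Hong Kong Convention and Exhibition Centre and was a grand occasion, attracting about five thousand participants from fifty-five countries to explore in depth this year’s theme, “Collaborate for Success”.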

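The summit opened smoothly with the opening address by Chief Executive Carrie Lam and the welcome remarks by HKTDC Chairman Vincent Lo. At the summit we also witnessed the signing of a free trade agreement between Hong Kong and Georgia. Georgia is an important hub leading to the Caucasus and Central Asia and plays a key role in connecting Europe and Asia, and this free trade agreement is expected to bring more opportunities for cooperation to both sides.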

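The discussion session that followed, themed “Action through Collaboration: Case Studies on Signature Belt and Road Projects”, was chaired by Bernard Chan, President of Asia Financial Holdings. The panellists were Liu Qitao, Chairman of China Communications Construction Group; Li Shufu, Vice Chairman of the All-China Federation of Industry and Commerce and Chairman of Zhejiang Geely Holding Group; Frederick Ma, Chairman of MTR Corporation Limited; Manuel V Pangilinan, Chairman of the Philippine infrastructure company Metro Pacific Investments Corporation; and Shinta Widjaja Kamdani, Vice Chairwoman of the Indonesian Chamber of Commerce and Industry and Chief Executive Officer of Sintesa Group. They explored Belt and Road investment opportunities in depth and shared relevant experience. After the discussion session, a number of forums followed in which professionals from various fields exchanged views, with topics including infrastructure financing, information technology, engineering, green finance, risk management and legal services, exploring the issues from different angles.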

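At this summit I could hear reviews and analysis of the national strategy from industry leaders, which was truly eye-opening. It was also a good opportunity to re-examine what role one’s own industry plays in it and how to seize the opportunities.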

PolyU Entrepreneurship Parade 2018, a glimpse of the vibrant Hong Kong startup scene

Recently I joined the PolyU Entrepreneurship Parade 2018, where 40 startups supported by the funding programmes of PolyU showcased their projects and successful startup entrepreneurs shared their experience and insights of their startup journeys. The event provided a valuable platform for over 200 startup entrepreneurs and industry professionals to get connected with each other. At the event you could feel the vibrant startup scene in Hong Kong!

On the exhibition tour, there was a variety of innovative startup projects and initiatives, in fields as diverse as mobile app management, educational simulation games, martial arts, hearing aids, cultural preservation, green energy generation, etc. A majority of the initiatives utilised state-of-the-art innovation technologies like AI (Artificial Intelligence), robotics, AR (Augmented Reality) and so on. I was excited to see creativity and innovation being adopted in many new disciplines.

There are many local startup incubators such as Science Park and Cyberport. PolyU is one of the largest university-based startup incubators in Hong Kong. It is encouraging to know that since its launch in 2011, it has supported more than 230 startups and 680 entrepreneurs. Hopefully in the future more domain-specific incubators, such as FinTech incubators, can be set up to support more local startups to push forward a smart city.


PolyU Entrepreneurship Parade 2018: feeling the vitality of Hong Kong’s startups

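Recently I attended PolyU’s Entrepreneurship Parade 2018, where forty startups funded by PolyU showcased their products and achievements, and successful startup entrepreneurs shared their experience of building a successful business. The parade provided a valuable platform for more than two hundred startup entrepreneurs and industry professionals to exchange ideas and learn from one another.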

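The parade showcased many different types of innovative projects across highly diverse fields of application, such as mobile app management, educational games, martial arts, hearing support, cultural preservation and green energy. Most of the projects used innovative technologies such as artificial intelligence, robotics and augmented reality. It is truly inspiring to see innovative technology being used in more and more new fields.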

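There are many local startup incubation centres, such as Science Park and Cyberport, and PolyU is the largest university-based startup incubation centre. Since it was established in 2011, it has supported more than 230 startups and 680 entrepreneurs. I hope that in future Hong Kong will have more incubation centres targeting specific fields, such as a FinTech incubation centre, to provide more specialised support services, strengthen assistance to local startups and advance Hong Kong’s development as a smart city.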