What does GDPR mean to financial technologists?

Innovative technologies have developed rapidly. Many companies utilise advanced innovations to tap user data to understand users’ needs, upgrade operations, and discover business opportunities. However this has raised data privacy issues. The outbreak of Facebook data leak scandal has caused a wider user data privacy concern. To safeguard user data privacy, the European Union (EU) implemented the General Data Protection Regulation (GDPR) this year on May 25.

How GDPR affects Hong Kong companies?

Dubbed the strictest data protection law, the GDPR puts citizens in EU in control of their data. The GDPR applies to any business involving processing activities of personal data of the EU citizens, be it in or outside EU jurisdictions. In other words, the regulation applies to Hong Kong companies that run businesses that consist of processing operations related to EU citizens which require regular and systematic monitoring of data subjects on a large scale, or involve core activities consisting of processing a large scale of sensitive personal data and data relating to criminal convictions and offences.

The GDPR highlights an accountability principle and requires companies to implement measures to ensure compliance. Hong Kong companies that involve processing of EU citizens’ data are required to appoint a Data Protection Officer (DPO) to monitor and advise on GDPR compliance; conduct Data Protection Impact Assessment (DPIA) before engaging in any data processing that may put individuals’ rights at risk; undertake Privacy by Design and by Default in determining the means of processing and to integrate the necessary safeguards to realise the data protection principles; keep records of processing activities; and formulate data processing policies for compliance and accountability purposes. In case of a data breach, a company is required to issue a mandatory breach notification no later than 72 hours after noticing the breach.

How should financial technologists cope with the GDPR?

The financial sector, among the industries that deal with considerable sensitive personal user data, may expect more attention from the regulatory authority and the public. That is why financial technologists need to be on the lookout for the compliance risk of GDPR by complying with the principles of processing personal data stipulated in the GDPR.

The overriding principle of the GDPR is to safeguard data privacy of EU citizens, so financial technologists are obliged to protect the rights and privacy of data subjects in formulating and implementing their technical and organisational policies. In processing or overseeing the processing of user data, financial technologists should ensure the concerned service only collects and processes personal data stipulated in documented instructions, processes data confidentially, ensures safety of the data processed, answers the requests of deleting or returning the data after the processing activity.

The GDPR underlies data subjects’ control over their own data, that is why consent of the data subject is the prerequisite for legal processing of personal data. It is essential for financial technologists to ensure a clear and intelligible request on their service platforms for data consent from data subjects, which should also inform data subjects the option of withdrawing their consent anytime. Data consent from minors should as well be obtained, by the authorisation by their guardians.

Companies do not simply need to obtain from data subjects their consent of data usage, but also need to respect how and to what extent data subjects want their data to be used, by allowing the options of data rectification, objection, restriction, erasure, right to be forgotten and right to data portability. Financial technologists need to review their practices in alignment with the above enhanced rights for data subjects. Especially with the rapid advancement and increasing adoption of financial technologies to predict business trends and analyse customers’ needs, user data is inevitably collected and analysed in the financial sector. Such practices may go against the GDPR as the GDPR allows data subjects to object to data processing or profiling that is for direct marketing purposes, interests pursued by the concerned company or third party, statistical purposes, etc. Financial technologists need to ensure options to be provided to allow data subjects to object to or delete a data processing.

A more secured approach to handling user data can contribute to building customers’ trust on the company and improving customer services. Financial technologists should take this chance to review their technical practices against the GDPR to safeguard the public’s right to their personal data, while securing the company’s services to achieve a win-win situation.


《通用數據保障條例》對金融科技從業員的影響

創新科技發展一日千里,許多公司利用創新科技開拓用家數據和資料,提取有用資訊,讓企業更明白用戶的需要,藉以提升營運,發掘商機。然而,使用用戶數據和資料難免帶來侵犯個人資料和私隱的隱憂,近期Facebook洩露用戶資訊的一連串事件便引起社會廣泛關注。為了保障用戶資料安全,歐盟於今年五月二十五日起實施《通用數據保障條例》(General Data Protection Regulation,縮寫GDPR),GDPR被部分人認為是史上最嚴的個人資料保護條例。

GDPR如何影響香港企業?

GDPR把個人資料的控制權交回用戶本身,賦予歐盟居民更大權力決定個人資料的使用。GDPR適用於所有涉及處理歐盟居民資料的企業,包括在歐盟以外的企業。換言之,任何香港公司如業務涉及歐盟居民資料處理,包括定期和有系統地監控大量個人資料,或其核心業務涉及處理大量敏感的個人資料,或與刑事定罪和犯罪有關的資料時,均須遵行GDPR。

GDPR強調問責原則,要求公司採取措施確保合規。根據GDPR,香港任何公司若業務涉及處理歐盟居民資料,必須遵行以下規定︰

  • 委任保障資料主任(Data Protection Officer),負責監督、建議該公司的GDPR合規事宜;

  • 在進行任何可能使個人權利面臨風險的數據處理活動前,須進行資料保障影響評估(Data Protection Impact Assessment);

  • 採取貫徹私隱的設計及預設設定(Privacy by Design and by Default ),即在決定資料處理方法時結合必要的保障措施,貫踐資料保護原則;

  • 保留資料處理活動的紀錄;

  • 為合規和問責的目標訂立政策和措施;

  • 如果發生資料外洩事故,公司須於發現違規行為後72小時內發出通告。

金融科技從業員應如何應對GDPR?

金融業每天處理大量敏感個人資料,容易受到監管機構和公眾的格外關注,金融科技從業員因而須特別留意GDPR的合規風險,確保公司奉行GDPR的條例。

GDPR的首要原則是保護歐盟居民的個人資料和私隱,因此金融科技從業員在訂立和實施技術和企業措施時須以保障用戶的權利和私隱為目標。在資料處理或監察資料處理工作時,金融科技從業員須

  • 確保有關服務僅按照控制者書面指示處理個人資料;

  • 保密處理數據;

  • 確保處理資料安全;

  • 回應用戶要求在完成資料處理後刪除或交還其個人資料。

GDPR強調用戶對個人資料的控制,因而用戶的同意和授權是資料處理活動合法進行的必要前提,金融科技從業員因此須在公司網站或服務平台以清晰易明的字句徵詢用戶的同意,並須知會用戶有權在任何時候撤回同意。用戶若未成年,企業仍須獲得其父母或合法監護人的授權。

除了須獲得用戶同意處理個人資料外,企業亦須尊重用戶有權希望如何使用其資料和使用的程度,包括滿足用戶對資料修改、反對、限制、刪除、被遺忘及資料可攜權等要求。金融科技從業員有必要審視其行業實踐是否切合以上的用戶權利。隨着金融科技的急速發展和廣泛行業應用,金融業愈趨收集和分析用戶資料,以預測行業趨勢和了解客戶需要,這和GDPR若干規例原則相違背,例如GDPR讓用戶有權反對任何資料處理和個人概況彙編活動,只要活動用作直接捉銷、涉及有關企業或第三方利益、以統計為目的等,為此金融科技從業員須為用戶提供反對和刪除資料處理的選擇。

金融科技從業員應把握機會根據GDPR檢視其業務實踐,以更可靠、安全的方法處理用戶數據,不但能夠建立客戶對企業的信任,並提高客戶服務水平,在保障大眾個人資料使用權的同時,加強企業服務,達致雙贏。

Startup Community in Copenhagen

Copenhagen is well known for being a happy and smart city. That’s why I was really excited about joining the Startup Weekend of the Copenhagen Fintech Week and couldn’t wait to meet the dynamic FinTech startup community there!

The Copenhagen Fintech Week was an international event where people from all around the world came together to share insights on latest hot topics in the Fintech world like artificial intelligence (AI), blockchain, cybersecurity, Sustainable Development Goals (SDGs), open banking, etc. As part of the Copenhagen Fintech Week, the Startup Weekend embraced novel ideas from Fintech startups and provided a competitive yet potentially collaborative platform for innovation initiators. There we worked on projects that interested us, honed our ideas with exchanges from fellow participants and help from coaches, and finally got to pitch our work.

It was a valuable experience working and interacting with inspiring people, and building up our ideas with the insights and experience from like-minded fellows. I really appreciated the opportunity and looked forward to more to come!


參與哥本哈根的金融科技周,與各地初創企業家互動交流

哥本哈根是知名的快樂和智慧城市,所以我相當高興能參與其金融科技周的初創周末,急不及待和那裏的金融科技初創社區見面交流!

哥本合根的金融科技周是個國際盛事,來自世界各地的專業人士會聚首一堂,分享探究金融科技世界最新最流行的議題,這次的主題涵蓋人工智能(Artificial Intelligence),區塊鏈技術(Blockchain)、網絡安全(Cybersecurity)、可持續發展目標(Sustainable Development Goals)、開放銀行(Open banking)等等。而初創周末作為金融科技周的一部分,特別為初創企業和項目發起人提供一個鼓勵協作又具競爭性的平台,讓我們能在此開展我們感興趣的想法或項目,並藉着和與會者交流看法和導師的建議而加以完善,最後我們有機會匯報自己的項目提案。

這實在是個難得的體驗,能夠和不同背景但志同道合的與會者和初創企業家互動,藉大家的經驗和建議來改善加強彼此的項目想法,實在受益匪淺,期待未來更多與各地金融初創交流的機會!