What does GDPR mean to financial technologists?

Innovative technologies have developed rapidly. Many companies use advanced innovations to tap user data to understand users’ needs, upgrade operations, and discover business opportunities. However, this has raised data privacy issues. The Facebook data leak scandal has caused wider concern over user data privacy. To safeguard user data privacy, the European Union (EU) implemented the General Data Protection Regulation (GDPR) this year on May 25.

How does GDPR affect Hong Kong companies?

Dubbed the strictest data protection law, the GDPR puts citizens in the EU in control of their data. The GDPR applies to any business that processes the personal data of EU citizens, whether inside or outside EU jurisdictions. In other words, the regulation applies to Hong Kong companies whose businesses involve processing operations related to EU citizens that require regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of processing sensitive personal data, or data relating to criminal convictions and offences, on a large scale.

The GDPR highlights an accountability principle and requires companies to implement measures to ensure compliance. Hong Kong companies whose operations involve processing EU citizens’ data are required to appoint a Data Protection Officer (DPO) to monitor and advise on GDPR compliance; conduct a Data Protection Impact Assessment (DPIA) before engaging in any data processing that may put individuals’ rights at risk; apply Privacy by Design and by Default when determining the means of processing, integrating the safeguards necessary to realise the data protection principles; keep records of processing activities; and formulate data processing policies for compliance and accountability purposes. In case of a data breach, a company is required to issue a mandatory breach notification no later than 72 hours after becoming aware of the breach.

How should financial technologists cope with the GDPR?

The financial sector, being among the industries that handle considerable amounts of sensitive personal user data, can expect more attention from regulatory authorities and the public. That is why financial technologists need to watch the GDPR compliance risk closely and adhere to the principles for processing personal data stipulated in the GDPR.

The overriding principle of the GDPR is to safeguard the data privacy of EU citizens, so financial technologists are obliged to protect the rights and privacy of data subjects when formulating and implementing their technical and organisational policies. When processing or overseeing the processing of user data, financial technologists should ensure that the service concerned only collects and processes personal data as stipulated in documented instructions, processes data confidentially, ensures the safety of the data processed, and answers requests to delete or return the data once the processing activity ends.

The GDPR underscores data subjects’ control over their own data, which is why the consent of the data subject is the prerequisite for lawful processing of personal data. It is essential for financial technologists to ensure that their service platforms present a clear and intelligible request for data consent to data subjects, which should also inform data subjects of their option to withdraw consent at any time. Consent for minors’ data should likewise be obtained, through authorisation by their guardians.

Companies not only need to obtain data subjects’ consent to data usage, but also need to respect how and to what extent data subjects want their data to be used, by offering the options of data rectification, objection, restriction, erasure, the right to be forgotten and the right to data portability. Financial technologists need to review their practices in alignment with the above enhanced rights for data subjects. Especially with the rapid advancement and increasing adoption of financial technologies to predict business trends and analyse customers’ needs, user data is inevitably collected and analysed in the financial sector. Such practices may go against the GDPR, as the GDPR allows data subjects to object to data processing or profiling carried out for direct marketing purposes, for interests pursued by the company concerned or a third party, for statistical purposes, etc. Financial technologists need to ensure that options are provided to allow data subjects to object to or delete a data processing activity.

A more secure approach to handling user data can contribute to building customers’ trust in the company and improving customer services. Financial technologists should take this chance to review their technical practices against the GDPR to safeguard the public’s right to their personal data, while securing the company’s services to achieve a win-win situation.


The Impact of the General Data Protection Regulation on Financial Technology Practitioners

Innovative technology is advancing at breakneck speed. Many companies use it to mine user data, extract useful information, better understand users’ needs, improve operations and discover business opportunities. However, the use of user data inevitably raises concerns about infringing personal data and privacy; the recent series of incidents in which Facebook leaked user information has drawn wide public attention. To safeguard user data, the European Union has implemented the General Data Protection Regulation (GDPR) from 25 May this year. Some regard the GDPR as the strictest personal data protection law ever.

How does GDPR affect Hong Kong companies?

The GDPR returns control of personal data to users, giving EU residents greater power to decide how their personal data is used. The GDPR applies to all companies that process the data of EU residents, including companies outside the EU. In other words, any Hong Kong company whose business involves processing EU residents’ data, including regular and systematic monitoring of personal data on a large scale, or whose core business involves processing large volumes of sensitive personal data or data relating to criminal convictions and offences, must comply with the GDPR.

The GDPR emphasises the principle of accountability and requires companies to take measures to ensure compliance. Under the GDPR, any Hong Kong company whose business involves processing EU residents’ data must comply with the following requirements:

  • Appoint a Data Protection Officer to monitor and advise on the company’s GDPR compliance;

  • Conduct a Data Protection Impact Assessment before engaging in any data processing activity that may put individuals’ rights at risk;

  • Adopt Privacy by Design and by Default, that is, integrate the necessary safeguards when determining the means of processing so as to implement the data protection principles;

  • Keep records of processing activities;

  • Formulate policies and measures for compliance and accountability purposes;

  • In the event of a data breach, issue a notification within 72 hours of discovering the breach.

How should financial technology practitioners respond to the GDPR?

The financial industry handles large volumes of sensitive personal data every day and readily attracts extra attention from regulators and the public. Financial technology practitioners therefore need to pay particular attention to the GDPR compliance risk and ensure their companies follow the GDPR’s provisions.

The overriding principle of the GDPR is to protect the personal data and privacy of EU residents, so financial technology practitioners must aim to safeguard users’ rights and privacy when formulating and implementing technical and organisational measures. When processing data or overseeing data processing, financial technology practitioners must

  • ensure that the service processes personal data only in accordance with the controller’s written instructions;

  • process data confidentially;

  • ensure the security of the data processed;

  • respond to users’ requests to delete or return their personal data once processing is complete.

The GDPR emphasises users’ control over their personal data, so the user’s consent and authorisation is a necessary precondition for data processing to be lawful. Financial technology practitioners must therefore seek users’ consent in clear and plain language on the company website or service platform, and must inform users that they have the right to withdraw consent at any time. If a user is a minor, the company must still obtain authorisation from the user’s parents or legal guardian.

Beyond obtaining users’ consent to process personal data, companies must also respect users’ right to decide how and to what extent their data is used, including meeting users’ requests for rectification, objection, restriction, erasure, the right to be forgotten and data portability. Financial technology practitioners need to examine whether their industry practices align with the above user rights. With the rapid development and widespread adoption of financial technology, the financial industry increasingly collects and analyses user data to predict industry trends and understand customer needs, which conflicts with certain GDPR principles; for example, the GDPR gives users the right to object to any data processing or profiling carried out for direct marketing, for the interests of the company concerned or a third party, for statistical purposes and so on. Financial technology practitioners must therefore give users the option to object to and to delete data processing.

Financial technology practitioners should take this opportunity to review their business practices against the GDPR. Handling user data in a more reliable and secure manner not only builds customers’ trust in the company and raises the standard of customer service, but also protects the public’s rights over their personal data while strengthening the company’s services, achieving a win-win.

One Night in Paris, France

Because of work, I dropped by Paris, the beloved city. I took a direct flight from Hong Kong and managed to fall asleep over the 13-hour flight. I landed at Charles De Gaulle Airport and from there, it took around an hour to arrive right at the city centre.

Paris has been talked and written about over and over again. There are numerous reasons why Paris has enchanted everyone; its beauty is beyond words. I was glad I made it at this time of the year when the city was at its most charming. While it was riveting in the day time, it was just as mesmerising at night. My favourite part of the stay was the night walk from the Opéra Garnier to the Louvre Pyramid.

Paris at night was full of life, especially in the area around the Opéra Garnier, one of the busiest parts of the city. The landmark of the place was the Opéra, one of the most renowned opera houses worldwide. When illuminated, it was of a different kind of spectacle at night than the day time. Just around the corner was the luxurious Galeries Lafayette, a fashion flagship store anyone fond of shopping shouldn’t miss. Around the giant landmarks were many pretty nice restaurants and shops in the classical architectural style. After dinner, I chose to walk a bit around and then down the avenue to the Louvre Pyramid. The Pyramid was grand and awe-inspiring when illuminated against the surrounding palaces. It was such an unforgettable night.

This time I stayed at Intercontinental Paris Le Grand.

Thanks for the bottle of Champagne!


The Beautiful Paris Night

I went to Paris for work, taking a direct flight from Hong Kong. After about thirteen hours I arrived at Aéroport Paris-Charles-de-Gaulle, and from the airport a train ride of about an hour took me to the city centre, which was very convenient.

Although time was tight on this trip and I could not take in all of Paris’s sights, Paris is especially beautiful at this time of year, and the picturesque scenery everywhere was already a great reward. I particularly like its streets at night, especially the walk from the Opéra Garnier to the Louvre Pyramid, which is just as enchanting as under bright sunshine. No wonder Paris has always been praised; perhaps Paris means something different to everyone.

The opera house sits in the city centre and is one of Paris’s famous landmarks, magnificent in appearance and even more resplendent when lit up at night. Next to it is the flagship store of the French department store chain Galeries Lafayette, which anyone who loves shopping must not miss. With these two giant landmarks plus many restaurants and shops, the area stays lively well into the night. After dinner I chose to wander nearby, admiring the classical architecture, then walked slowly along the avenue to the Louvre to see the palace in its soft amber light and the transparent pyramid. It was so beautiful that one could linger forever, and so I spent an unforgettable evening.

On this trip I stayed at the InterContinental Paris Le Grand, and received a surprise bottle of Champagne!


Highlights from a Day Trip in Lyon, France (3/3)

The Basilica of Notre-Dame de Fourvière stands like a giant on top of the Fourvière hill overlooking the whole of Lyon. It is a must-go during a visit to Lyon, not only because of its spectacular appearance and rich history, but also because of the must-see panorama from the highest point of the city. It was the highlight of my trip to Lyon.

Giant on a hill — Basilica of Notre-Dame de Fourvière in Lyon


The basilica was built in the late 19th century and dedicated to the Virgin Mary, whom people believed had saved the city from the Black Death, Prussian invasion and many other incidents. The basilica features four main towers and a bell tower, designed in Romanesque and Byzantine architectural styles with very rich details. When I first saw the basilica, I was stunned. While the outside was impressive, the interior was just as breathtaking: the ceilings, walls and floor were decorated with mosaics, gold and delicate carvings, not to mention the marble columns, frescoes and statues, all meticulously done to make a pure masterpiece.

Among many stunning cathedrals and basilicas in Europe, this giant basilica on top of the Fourvière is one sure to be remembered for a long time.


A Day of Lyon’s Sights

The Basilica of Notre-Dame de Fourvière is Lyon’s emblem, standing like a giant on the summit of Fourvière hill. It is a must-visit in Lyon, not only because the basilica is spectacular and steeped in history, but also because Fourvière is the highest point in Lyon, with the whole city spread out below; truly not to be missed.

Basilica of Notre-Dame de Fourvière — the giant standing on the hilltop

The Basilica of Notre-Dame de Fourvière was built at the end of the nineteenth century and, as its name suggests, commemorates the Virgin Mary. Legend has it that the Virgin Mary watched over the city and protected Lyon through several calamities, sparing it from the Black Death and from invasion by the Prussian army during the Franco-Prussian War, so the people of Lyon built the basilica in her honour. The basilica has four main towers and a bell tower, built in strongly Romanesque and Byzantine styles, exquisitely carved and gorgeous. The interior is equally refined and very ornate: the ceiling, walls and floor are decorated with mosaics, gold and fine carvings, and marble columns, frescoes and statues are everywhere, leaving visitors in awe.

Many great cathedrals and basilicas in Europe leave a deep impression, and Lyon’s Basilica of Notre-Dame de Fourvière is stunningly beautiful and worth visiting again.

Highlights from a Day Trip in Lyon, France (1/3)

Many rivers flow through Europe, some of which have become synonymous with the cities they belong to, like the River Thames in London, the Seine in Paris and the Danube in Budapest, Vienna and across many other borders. Lyon is a city where two rivers, the Saône and the Rhône, converge, making this one of the city’s unique features.

Lyon is the third largest city in France after Paris and Marseille. My stay there was enjoyable and relaxing. Thanks to the beautiful weather, I got to enjoy a laidback afternoon just hanging around the city centre and the old town.

The city centre is located on a peninsula between the Saône and the Rhône. There are many monuments and heritage sites. Its city hall (the upper left building) is one of the oldest buildings in the city, and has been classified as a French historic monument since the 18th century. The Église Saint-Bonaventure (the bottom right church) is another distinctive, well-preserved medieval church.

Having seen the heart of Lyon, roaming along the Saône would lead to the Vieux Lyon (the old town), a famed Renaissance neighbourhood. The lanes and constructions were of a classic gothic style. There were many pleasant shops and restaurants worth checking out. From the old town we could walk up a long staircase to the Fourvière hill to see the landmark of Lyon, the Basilica of Notre-Dame de Fourvière. If you don’t want to climb the hill, you can take the metro. But the fantastic view along the climb was really worth it! As for the beauty of the basilica, that’s another story.


A Day of Lyon’s Sights

Europe has many rivers, large and small, flowing quietly through one country or across continents and provinces; some have become synonymous with the cities they belong to, such as the Thames in London, the Seine in Paris and the Danube, which flows through Budapest, Vienna and other borders. Lyon in France has two rivers, the Saône and the Rhône, which converge here, one of the city’s great features.

Lyon is the third largest city in France after Paris and Marseille, and my trip to Lyon was very pleasant. With the sun shining, simply strolling around Lyon’s city centre and the old town (Vieux Lyon) was delightful enough. Lyon’s city centre sits on the peninsula where the Saône and the Rhône meet, with many historic buildings and monuments. The Lyon city hall (the building in the upper left picture) is one of the oldest buildings in Lyon and has been listed as a French historic monument since the eighteenth century. Besides the magnificent city hall, the Église Saint-Bonaventure here (the church in the lower right picture) is a rare, well-preserved medieval church worth seeing.

After touring Lyon’s city centre, walking along the banks of the Saône leads to Vieux Lyon, the most historic district of Lyon and a famous European Renaissance quarter. The streets and buildings exude a typical Gothic style, and there are many shops and restaurants worth browsing. From the old town a long stone staircase climbs Fourvière hill, on which stands the famous Lyon landmark, the Basilica of Notre-Dame de Fourvière. If you don’t want to climb, you can also take the metro, but the views along the way up are superb and you might miss them by taking the metro. After some effort I reached the summit, where the basilica was stunningly beautiful, but its beauty is another story.