What does GDPR mean to financial technologists?

Innovative technologies have developed rapidly. Many companies use advanced innovations to tap user data in order to understand users’ needs, upgrade operations, and discover business opportunities. However, this has raised data privacy issues. The outbreak of the Facebook data leak scandal has caused wider concern about user data privacy. To safeguard user data privacy, the European Union (EU) implemented the General Data Protection Regulation (GDPR) on May 25 this year.

How does the GDPR affect Hong Kong companies?

Dubbed the strictest data protection law, the GDPR puts EU citizens in control of their data. The GDPR applies to any business whose processing activities involve the personal data of EU citizens, whether inside or outside EU jurisdictions. In other words, the regulation applies to Hong Kong companies whose businesses include processing operations related to EU citizens that require regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of processing sensitive personal data on a large scale or data relating to criminal convictions and offences.

The GDPR highlights an accountability principle and requires companies to implement measures to ensure compliance. Hong Kong companies whose business involves processing EU citizens’ data are required to appoint a Data Protection Officer (DPO) to monitor and advise on GDPR compliance; conduct a Data Protection Impact Assessment (DPIA) before engaging in any data processing that may put individuals’ rights at risk; apply Privacy by Design and by Default when determining the means of processing, integrating the necessary safeguards to realise the data protection principles; keep records of processing activities; and formulate data processing policies for compliance and accountability purposes. In case of a data breach, a company is required to issue a mandatory breach notification no later than 72 hours after noticing the breach.

How should financial technologists cope with the GDPR?

The financial sector, among the industries that deal with a considerable amount of sensitive personal user data, may expect more attention from the regulatory authority and the public. That is why financial technologists need to be on the lookout for GDPR compliance risk and comply with the principles of processing personal data stipulated in the GDPR.

The overriding principle of the GDPR is to safeguard the data privacy of EU citizens, so financial technologists are obliged to protect the rights and privacy of data subjects when formulating and implementing their technical and organisational policies. In processing or overseeing the processing of user data, financial technologists should ensure that the service concerned collects and processes only the personal data stipulated in documented instructions, processes data confidentially, ensures the safety of the data processed, and responds to requests to delete or return the data after the processing activity.

The GDPR underlines data subjects’ control over their own data, which is why the consent of the data subject is the prerequisite for legal processing of personal data. It is essential for financial technologists to ensure that their service platforms present a clear and intelligible request for consent from data subjects, which should also inform data subjects of the option of withdrawing their consent at any time. Consent for minors’ data should likewise be obtained, through authorisation by their guardians.

Companies need not only to obtain data subjects’ consent to data usage, but also to respect how and to what extent data subjects want their data to be used, by allowing the options of data rectification, objection, restriction, erasure, the right to be forgotten and the right to data portability. Financial technologists need to review their practices in alignment with these enhanced rights for data subjects. With the rapid advancement and increasing adoption of financial technologies to predict business trends and analyse customers’ needs, user data is inevitably collected and analysed in the financial sector. Such practices may go against the GDPR, as the GDPR allows data subjects to object to data processing or profiling that is for direct marketing purposes, interests pursued by the concerned company or a third party, statistical purposes, etc. Financial technologists need to ensure that options are provided for data subjects to object to, or request deletion of, data processing.

A more secure approach to handling user data can contribute to building customers’ trust in the company and improving customer services. Financial technologists should take this chance to review their technical practices against the GDPR to safeguard the public’s right to their personal data while securing the company’s services, achieving a win-win situation.


What the General Data Protection Regulation means for financial technologists

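Innovative technology is advancing by leaps and bounds. Many companies use it to tap user data and information and extract useful insights, so that businesses better understand users’ needs, improve operations, and discover business opportunities. However, using user data and information inevitably raises concerns about infringement of personal data and privacy, and the recent series of incidents in which Facebook leaked user information has drawn wide public concern. To safeguard user data, the European Union has implemented the General Data Protection Regulation (GDPR) since May 25 this year. Some regard the GDPR as the strictest personal data protection law in history.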

How does the GDPR affect Hong Kong companies?

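The GDPR returns control of personal data to users themselves, giving EU residents greater power to decide how their personal data is used. The GDPR applies to all businesses that process EU residents’ data, including businesses outside the EU. In other words, any Hong Kong company whose business involves processing EU residents’ data, including regular and systematic monitoring of personal data on a large scale, or whose core activities involve processing sensitive personal data on a large scale or data relating to criminal convictions and offences, must comply with the GDPR.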

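The GDPR emphasises the accountability principle and requires companies to take measures to ensure compliance. Under the GDPR, any Hong Kong company whose business involves processing EU residents’ data must comply with the following requirements:

  • Appoint a Data Protection Officer to monitor and advise on the company’s GDPR compliance;

  • Conduct a Data Protection Impact Assessment before carrying out any data processing activity that may put individuals’ rights at risk;

  • Adopt Privacy by Design and by Default, that is, integrate the necessary safeguards when determining the means of data processing, so as to put the data protection principles into practice;

  • Keep records of data processing activities;

  • Establish policies and measures for compliance and accountability purposes;

  • In the event of a data breach, issue a notification within 72 hours of discovering the breach.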

How should financial technologists respond to the GDPR?

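The financial sector handles large volumes of sensitive personal data every day and readily attracts extra attention from regulators and the public. Financial technologists therefore need to pay particular attention to GDPR compliance risk and ensure that their companies abide by the GDPR’s provisions.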

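The overriding principle of the GDPR is to protect the personal data and privacy of EU residents, so financial technologists must aim to protect users’ rights and privacy when formulating and implementing technical and organisational measures. When processing data or overseeing data processing, financial technologists must:

  • Ensure that the service concerned processes personal data only in accordance with the controller’s written instructions;

  • Process data confidentially;

  • Ensure that data is processed securely;

  • Respond to users’ requests to delete or return their personal data once processing is complete.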

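The GDPR emphasises users’ control over their personal data, so the user’s consent and authorisation are a necessary precondition for lawful data processing. Financial technologists must therefore seek users’ consent on the company’s website or service platform in clear and easily understood wording, and must inform users that they have the right to withdraw consent at any time. Where the user is a minor, the company must still obtain authorisation from the user’s parents or legal guardian.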

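Besides obtaining users’ consent to process personal data, companies must also respect how and to what extent users want their data to be used, including fulfilling users’ requests for data rectification, objection, restriction, erasure, the right to be forgotten and data portability. Financial technologists need to review whether their industry practices are consistent with these user rights. With the rapid development and wide industry adoption of financial technology, the financial sector increasingly collects and analyses user data to predict industry trends and understand customers’ needs. This runs counter to certain principles of the GDPR: for example, the GDPR gives users the right to object to any data processing and profiling activity that is used for direct marketing, involves the interests of the company concerned or a third party, serves statistical purposes, and so on. Financial technologists must therefore provide users with options to object to and delete data processing.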

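Financial technologists should take this opportunity to review their business practices against the GDPR. Handling user data in a more reliable and secure way not only builds customers’ trust in the company and raises the level of customer service, but also strengthens the company’s services while protecting the public’s right to the use of their personal data, achieving a win-win outcome.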

Research reveals 1 in 4 of the Hong Kong workforce will lose jobs to artificial intelligence within 20 years

Artificial intelligence (AI) has been a hot topic throughout the world in recent years. There have been many studies and discussions on how AI can substitute for the human workforce in many positions and domains. Three days ago the One Country Two Systems Research Institute published a study on the impact AI will have on the Hong Kong market and workforce in the near future.

The study, conducted by Dr. Paul Duckworth using machine learning, revealed that in the next 10 to 20 years around 1 million people in Hong Kong will face a 70% chance of being replaced by AI technologies. The affected population will constitute more than one fourth of the total workforce. The study further mentions policies such as universal basic income, a robot tax and capital ownership of machines to better safeguard people in employment against AI. However, Hong Kong has not developed any comprehensive development strategy concerning AI.

It is noteworthy that the study points out 3 weaknesses of the Hong Kong market against AI to invite more discussion. First, the 4 pillar industries in Hong Kong, namely finance, tourism, trade and logistics, and professional services, provide jobs for almost half of the workforce but face a rather high risk of being replaced by AI. Second, education in science and mathematics is rather weak and unable to nurture the AI talent of the future. Third, the share of the workforce engaged in continuous education is low, leaving workers susceptible to the risks posed by advanced technologies.

AI advancement and adoption are inevitable. Hong Kong has stepped up efforts to develop the innovation sector in recent years. For example, the 2018-19 Hong Kong Budget reserves HKD 10 billion alongside a series of initiatives to bolster innovation and technology in Hong Kong. There are also supportive incubators for technology startups, such as Science Park and Cyberport, which supply funding and help.

However, while help to IT companies has been strengthened, it is just as vital to prepare citizens for the AI era. It is critical for citizens to understand what AI is capable of and how AI can be of use in their lives and jobs, so that they embrace AI in different domains instead of fearing it. STEM education, namely the curriculum on Science, Technology, Engineering, and Mathematics, has already been proactively launched across Hong Kong primary and secondary schools to cultivate interest and talent in technology among younger generations. But it is more difficult for adults to adapt to innovation, so more courses on AI and related areas should be provided to citizens, with financial assistance, to help them adapt to AI adoption. A positive and healthy mindset toward AI encourages smoother transitions on the part of citizens, and also fosters a culture conducive to creation and innovation with AI.


Artificial intelligence will replace the jobs of nearly one million people in Hong Kong within the next 10 to 20 years

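Artificial intelligence (AI) has sparked heated discussion in recent years. Beyond its applications, research and discussion about AI has focused more on how the technology could replace humans in many jobs and domains, causing large-scale unemployment. Two days ago the One Country Two Systems Research Institute published a research report on the impact of artificial intelligence on Hong Kong’s job market and how to embrace the AI era, analysing AI’s impact on the Hong Kong labour force over the next 10 to 20 years.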

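The research was conducted by Dr. Paul Duckworth using machine learning. The results show that in the next 10 to 20 years about one million people in Hong Kong face a 70% chance of being replaced by AI in their jobs, and that the affected population is more than a quarter of the total labour force. The research also mentions several measures to protect the public, such as universal basic income, a robot tax and capital ownership of machines. However, Hong Kong currently has no comprehensive AI-related development strategy.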

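The report specifically points out three weaknesses of Hong Kong’s job market in facing the challenge of AI, hoping to draw attention and more discussion. First, Hong Kong’s four major industries, namely finance, tourism, trade and logistics, and professional services, provide jobs for almost half of the labour force but face a relatively high risk of being replaced by AI. Second, education in technology, mathematics and science is relatively weak and cannot nurture outstanding innovation and research talent for Hong Kong’s future. Third, the share of the population engaged in continuing development is low, and its ability to withstand the impact of advanced technology is weaker.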

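The development and application of AI cannot be avoided, so Hong Kong has vigorously developed its innovation and technology industry in recent years. For example, the 2018-19 Budget set aside HKD 10 billion plus a series of measures to focus on developing innovation and technology in Hong Kong. In addition, Hong Kong has several innovation and technology incubators, such as Science Park and Cyberport, that provide funding and help to technology startups.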

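While innovation and technology companies are being strengthened, citizens should not be overlooked; it is very important to prepare the public for the AI era. Specifically, citizens should be helped to understand the benefits of AI and how it can be applied in life and work, so that they can accept AI in different areas rather than simply fearing or worrying about it. In recent years the government has promoted STEM education, cultivating primary and secondary students’ interest and talent in Science, Technology, Engineering and Mathematics and actively nurturing the next generation’s research potential. Adults, however, find it harder to adapt to innovation and technology development, so the government needs to assist the public, for example by providing more courses in AI or related fields and financial assistance, encouraging citizens to engage with and learn about AI and to develop a positive and healthy mindset. This will not only help them embrace the AI era but also contribute positively to the development of a research culture and climate.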