Hong Kong SAR outlines data privacy measures for businesses adopting AI systems

The Hong Kong Special Administrative Region (SAR) has published new guidelines intended to assist organisations in the protection of data privacy when implementing artificial intelligence (AI) systems.

Building on compliance requirements first outlined in Hong Kong SAR’s ‘Guidance on the Ethical Development and Use of Artificial Intelligence’ – which was published in 2021 – the new guidelines, known as the ‘Artificial Intelligence: Model Personal Data Protection Framework’, recommend ‘best practice’ measures across four areas: governance; risk management; data management; and stakeholder communication.

According to the framework, businesses looking to adopt an AI system should have an internal AI governance strategy, which includes an ‘AI governance committee’ to oversee the procurement, implementation and use of the AI system suitable for their operations.

The guidelines also recommend that organisations evaluate the risks – including data privacy and cyber risks – involved in the implementation and management of AI systems.

For data security and cybersecurity, the guidelines recommend that organisations focus on the probability of personal data being leaked, and the likely impact on the organisation in the event of a data breach.

Customising AI systems to ensure the minimal use of personal data, and regular, clear communication with stakeholders – including employees, AI suppliers, customers and regulators – are also highlighted as measures which will help businesses protect data privacy.

Jennifer Wu, a technology law expert at Pinsent Masons, said: “With changes in the regulatory landscape around AI across the globe and in Asia, it is time for companies to plan and align their AI strategy as digitalisation is increasingly embedded into our daily operations.”

Wu recently highlighted the need for businesses adopting AI to be proactive about data privacy, and to ensure data collection, processing and storage are in line with both internal policy and data protection laws.

