On 25 May 2018, the EU General Data Protection Regulation (GDPR) will replace current data protection laws in every European Union (EU) country. The GDPR represents the most significant change to data protection law in Europe in more than two decades.

Why should Hong Kong companies care?

Although the GDPR is European legislation, its reach will not be limited to Europe. This article highlights how international businesses, including those Hong Kong, will be affected by the GDPR. The GDPR will potentially impact companies in Hong Kong – and anywhere else in the world – if they are offering products to individuals within the EU or monitoring the behaviour of EU-based individuals.

It may also impact Hong Kong companies as group policies and many international business partners will mandate compliance with GDPR standards, the latter through contractual terms, and consumer expectations around privacy are higher than ever.

Why is the GDPR important?

The way we generate and handle data has changed beyond recognition in the last 20 years. The GDPR aims to strengthen the control that individuals have over their personal data and to improve transparency about how that data is processed. It also seeks to facilitate business by simplifying rules for companies in the digital market in the EU.

The GDPR will replace the current EU Data Protection Directive 95/46/EC, which every EU country implemented at country level and on which the Hong Kong Personal Data (Privacy) Ordinance (PDPO) was largely modelled. It will automatically apply to every EU member state from the effective date. It is expected that the GDPR will be incorporated into the European Economic Area (EEA) Agreement and apply in Norway, Liechtenstein and Iceland from 1 June 2018.