Greetings from Hong Kong,

Yes, you read that correctly: I am not in Europe this week. I find myself in Hong Kong for the 39th International Conference of Data Protection and Privacy Commissioners. Hong Kong is, of course, famous for its iconic skyline — it doesn’t disappoint — a legendary kitchen, and a thriving and vibrant melee of tradition and modernity to keep you stimulated. This year is also the 20th anniversary of the establishment of the Hong Kong special administration region; there is much going on in this city to celebrate this milestone.

The key theme and focus of the event’s closed regulatory sessions were centered on government information sharing, taking account of issues such as risk mitigation, transparency and data protection, all while safeguarding global commercial innovation and data flows. Administrative and public data sets are increasingly used for statistical and predictive modeling to inform public policy — and, indeed, as our economies evolve into an increasingly digital world, our public sector needs to continue to evolve in tandem to keep pace: Public use of personal data is key to continued societal expectation for public service and policy relevance, striking a balance with individual privacy is an ongoing challenge. 

To coincide with the large gathering of privacy leaders in town, the IAPP hosted a Hong Kong KnowledgeNet, which was attended by more than 100 members. Bearing in mind the accentuated extraterritorial application of the GDPR, there was much interest in how Hong Kong legal entities would be affected by the regulation’s reach going forward. Lead by JoAnn Stonier, CIPM, chairwoman of the IAPP, and Trevor Hughes, CIPP, CEO of the IAPP, a star-studded cast of data protection thought leaders delivered comprehensive insight into practical tips and guidance. In addition, the IAPP organized a side event as part of the ICDPPC program, speaking to the increasing profile of the privacy pro on the global stage. 

We see organizational business models evolving toward risk-based approaches over purely compliance orientations. In parallel, we see privacy functions and job descriptions becoming more diverse and varied as organizations grapple to actively expand privacy culture as integral to their strategies. Sam Pfeifle and Omer Tene of the IAPP respectively set the stage for debate articulating how privacy governance research is shaping the privacy functions in the organization. Tene spoke to the wide offering of data protection credentials in the marketplace, with differing requirements and features. The ensuing discussion with the audience, as moderated by Stonier and Hughes, delivered a dialogue on creating the privacy workforce from a practical perspective — correlating privacy needs to organizational management. The common recurring elements in this session were, on the one hand, the attention to the independence required of the DPO function and how that is being addressed in companies, and, on the other, how to train and scale data protection "know-how" to organizations and practices as a whole with a high level of assurance and integrity.

Finally, in terms of the executive committee changes at the ICDPPC, it was announced that John Edwards would be standing down as chair of the ICDPPC after three successful years at the helm, and Isabelle Falque-Pierrotin, president of the CNIL, would be taking over as chair, ushering in a new era. Our host for the week, Privacy Commissioner Stephen Wong, closed the opening introductions, stating that Hong Kong had been waiting for 18 years to re-host the ICDPPC event and that the timing couldn’t be more relevant as we increasingly live “data-driven lives in data-driven economies.” Throughout the week, I have heard many compliments on the quality and professionalism of the event. Commissioner Wong and his team should be commended for being exceptional hosts — Hong Kong has certainly been memorable for us all.