Data Protection and Privacy

Data privacy protection is a priority

Companies increasingly face reputational risk, heightened scrutiny and legal and financial consequences for mismanaging personally identifiable information. There are several notable reasons for this, including:

Digitalisation and personalisation

Increased digitalisation and personalisation built on user data have made our world more connected and convenient, but this convenience comes at a real cost. Personal data is a prime target for cybercriminals because it has monetary value: banking credentials, health records, driving licences, credit card numbers, social media accounts, social security numbers and other personal data are bought and sold on the dark web.

Shifting consumer sentiment

Recent high-profile data breaches and cases of data misuse have changed user attitudes towards the collection of personal data. In response, many users have tightened their privacy settings, deleted social media accounts or declined terms of service. Companies are expected to do more to protect the data privacy of their internal and external stakeholders.

Increased regulatory requirements

To comply with privacy regulations such as Hong Kong's Personal Data (Privacy) Ordinance (PDPO) and the EU General Data Protection Regulation (GDPR), among other privacy requirements, companies need to invest in data protection strategies: defining their policies and determining the controls necessary to protect personal information.

Innovative new uses of data

The proliferation of artificial intelligence and machine learning applications that collect and analyse consumer data is a double-edged sword when data privacy and security controls are not fully established. Used properly, this technology enables organisations to make more meaningful business decisions; in the wrong hands, or when breaches of the underlying data go undetected, the same capability can be turned against the organisation and its customers and cause serious operational disruption.

The onus is on the company to protect data privacy through internal control measures and cybersecurity resilience. Personally identifiable information covers a broad range of personal information, including commercial, electronic, behavioural, biometric, financial and educational data, amongst others. When formulating data privacy measures, companies should ensure compliance with the six data protection principles set out in the PDPO:

  • Purpose and manner of collection
  • Accuracy and duration of retention
  • Use of data
  • Data security
  • Openness and transparency
  • Access and correction

The questions below may help you consider whether your company's business model interacts with personal data and whether further action is needed to mitigate the associated risks:

  • Does your company collect personally identifiable information?
  • Does your company transfer personal information to third parties?
  • Does your company collect electronic network activity data?
  • Does your company determine the purposes and means of processing personal information?

BDO partners with its clients to ensure compliance with data privacy regulations. Our data privacy capabilities and expertise allow us to advise companies on data privacy and information governance. BDO's pragmatic approach ensures a cost-effective and efficient road to compliance. Our legal, operational, IT and privacy expertise provides a multidisciplinary team that works seamlessly across your organisation.

We offer a full range of data privacy services

Managed services

  • Individual rights administration
  • Privacy by design operations
  • Maturity assessments
  • Privacy watch
  • External DPO or internal DPO support

Assessment and assurance

  • Data privacy readiness assessment
  • Data privacy audit /due diligence
  • Annual privacy health check
  • Data mapping/data flow diagramming
  • Data protection assurance/certification

Implementation and remediation

  • Data privacy strategy and implementation
  • Privacy project management
  • Privacy notices, policies and procedures development
  • Technical controls implementation
  • Third-party processor remediation
  • Data minimisation, retention, erasure and classification policies, and process development

Technology support

  • Design and review of planned and existing architecture ('data privacy by design')
  • Data privacy impact assessments & implementation of technical measures
  • Data subject rights management
  • Data privacy management tools: selection, planning, design & implementation of tools and software
  • Data masking & data encryption tools
  • Security assessments: vulnerability scanning, penetration testing, ethical hacking & social engineering

Other support

  • Advice on data subject requests and data breaches
  • Advice on contractual arrangements with third parties
  • International data transfers policies and registers development

Your key contacts