Three Core Issues — Are You Prepared?
The recent incidents in Hong Kong reveal three critical issues that businesses often overlook: flawed design, poor execution, and weak technical safeguards.
Issue 1: Flawed System Design
Many companies fail to consider who can access data or how it should be protected when designing systems or workflows, leaving risks embedded from the very start.
- Testing center example: A doctor left a system logged in after use, allowing patients alone in the room to see other patients' names and medical records — a clear violation of the “minimum necessary” data principle.
- Online form example: A form was designed to let users see data submitted by others, unintentionally revealing names, phone numbers, and emails — because “security by design” was never prioritized.
Summary: Security gaps are created at the source when privacy protection is not embedded from the beginning.
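The online form example above is an object-level authorization flaw: the lookup never asks who is making the request. The following Python is an added illustration, not code from the original article or from DQS HK, showing a form back end that returns any submission by id beside a hardened version that scopes every lookup to the requesting user. All function names, the two sample submissions and the user ids are constructed for this example.

```python
"""Added illustration (not from the original article): an online-form back end
that lets any user fetch any submission by id, beside a hardened version that
scopes every lookup to the requesting user.  All data and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Submission:
    submission_id: int
    owner_id: int
    name: str
    phone: str
    email: str


# Constructed sample data: two different users' form submissions.
SUBMISSIONS = {
    1: Submission(1, owner_id=100, name="A. Chan",
                  phone="+852 5555 0001", email="a.chan@example.com"),
    2: Submission(2, owner_id=200, name="B. Lee",
                  phone="+852 5555 0002", email="b.lee@example.com"),
}


class Forbidden(Exception):
    """Raised when a user asks for a record that is not theirs (or does not exist)."""


def get_submission_vulnerable(submission_id: int) -> Submission:
    # Flawed design: the caller's identity never enters the lookup, so changing
    # the id in the request reveals another person's name, phone and email.
    return SUBMISSIONS[submission_id]


def get_submission_hardened(user_id: int, submission_id: int) -> Submission:
    # Security by design: the record must exist AND belong to the caller.
    # A missing record and a foreign record produce the same error, so the
    # response does not confirm which ids exist.
    record = SUBMISSIONS.get(submission_id)
    if record is None or record.owner_id != user_id:
        raise Forbidden(f"submission {submission_id} not available to user {user_id}")
    return record


def list_my_submissions(user_id: int) -> list:
    # Listing endpoints get the same treatment: filter by owner, never return all.
    return [s for s in SUBMISSIONS.values() if s.owner_id == user_id]
```

The point of the hardened version is that ownership is checked inside the data-access function itself, so every caller gets the check for free; a check that lives only in the page that renders the form is exactly the kind of gap a design review or PIA is meant to catch.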
Issue 2: Poor Execution
Some companies have policies and procedures in place, but employees fail to follow them, or training is inadequate, turning safeguards into mere formalities.
- Retailer example: An employee sent a mass email listing all recipients’ addresses in the “To” field, exposing them to everyone.
- Security guard example: A guard shared a resident’s phone number with a third party without authorization, directly breaching privacy rules.
- Government department example: A letter was folded incorrectly, revealing ID numbers through the envelope window.
Summary: Policies without proper implementation or training still lead to serious mistakes.
Issue 3: Insufficient Technical Safeguards
Many companies assume technology is inherently secure. However, without testing from an attacker’s perspective, vulnerabilities often go unnoticed.
- Airline example: A system update error caused members to accidentally log into other users’ accounts and view their personal data.
Summary: Without thorough testing and careful updates, critical technical gaps remain open.
The Cost of Missing Processes and Controls
Under Hong Kong’s Personal Data (Privacy) Ordinance, failing to take all practicable steps to protect personal data can lead to violations of Principle 4(1), with fines up to HK$1 million and potential compensation to affected individuals.
For companies operating internationally, non-compliance may also trigger severe penalties under GDPR — up to 4% of global annual revenue.
In these eight cases, nearly every breach stemmed from procedural or managerial lapses: doctors failing to log out and exposing patients' records, letters improperly folded and revealing ID numbers, and retailers misusing email fields that leaked thousands of customer emails.
While these may appear to be “minor mistakes,” the consequences can be catastrophic:
- Severe fines and legal risks — not only monetary penalties but also impacts on supply chain eligibility, insurance coverage, and future business opportunities.
- Brand trust shattered instantly — a single incident can undo years of brand building.
- Loss of clients and partners — increasingly strict global supply chain compliance requirements mean data breaches can directly terminate partnerships.
- Massive hidden costs — including crisis PR, legal counsel, customer compensation, and system rebuilds, often several times more expensive than preventive measures.
Investing in processes and systems is essentially an “insurance policy against risk.” The real cost of a breach far exceeds proactive prevention by a hundredfold.
“Technology may be the final lock, but processes and governance are the master key.”
A 3-Line Defense to Safeguard Trust
First Line: Privacy Impact Assessment (PIA)
Most data breaches are not caused by hackers but by overlooked process design flaws — such as improper permission settings or careless data sharing.
A PIA acts like a “preventive surgery,” systematically identifying potential risks at each stage — from data collection to storage, transfer, and deletion — before launching new products, services, or workflows.
- Develop targeted improvement plans in advance
- Reduce legal and reputational risks caused by process oversight
- Ensure end-to-end compliance with regulations and best practices
A PIA is not a one-off checkbox exercise but a foundational “insurance” covering legal, operational, and trust aspects.
Second Line: ISO 27001 — Embedding Security into Culture
Many organizations have security policies on paper, but the real challenge is whether employees internalize and act on them daily.
ISO 27001 isn’t just about creating documents; it requires establishing a risk-based management system with continuous improvement (PDCA cycle), transforming “security” into an ingrained habit.
Examples:
- Centrally deployed screen-locking policy.
- Mandatory approval, built into the system, before emails are sent to mass recipients.
- Regular internal compliance monitoring and audits.
- Incident response procedures.
- Regular awareness training.
- Regular reviews on the effectiveness of ISMS.
When security becomes second nature, the risk of data incidents caused by human error or negligence is greatly reduced. This forms the backbone of brand reputation, supply chain trust, and compliance readiness.
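The retailer incident under Issue 2 and the "mandatory approval before mass email" control above describe the same failure and its fix. The following Python is an added illustration, not code from the original article or from DQS HK, of a mail-building helper that enforces both controls: above a bulk threshold the recipients go into Bcc rather than To, and the send is refused unless an approval has been recorded. The threshold, the dataclass, the exception name and the sample addresses are constructed for this example.

```python
"""Added illustration (not from the original article): a mail-building helper
that hides mass recipients in Bcc and refuses bulk sends without a recorded
approval.  Names, the threshold and sample addresses are constructed."""
from dataclasses import dataclass
from email.message import EmailMessage
from typing import List, Optional

BULK_THRESHOLD = 10  # constructed policy value: at or above this count the mail is "mass"


@dataclass
class OutgoingMail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    approved_by: Optional[str] = None  # who signed off on a bulk send, if anyone


class PolicyViolation(Exception):
    """Raised when a mail would breach the organisation's sending policy."""


def build_message(mail: OutgoingMail) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = mail.sender
    msg["Subject"] = mail.subject
    msg.set_content(mail.body)
    if len(mail.recipients) >= BULK_THRESHOLD:
        # Control 1: bulk mail cannot leave without an approval on record.
        if not mail.approved_by:
            raise PolicyViolation("bulk mail requires recorded approval before sending")
        # Control 2: the sender's own address is the only visible To; every
        # customer is in Bcc.  smtplib.SMTP.send_message strips the Bcc header
        # before transmission and uses it only for the envelope recipients.
        msg["To"] = mail.sender
        msg["Bcc"] = ", ".join(mail.recipients)
    else:
        # A handful of named recipients (e.g. colleagues) may see each other.
        msg["To"] = ", ".join(mail.recipients)
    return msg


def recipients_visible_to_everyone(msg: EmailMessage) -> List[str]:
    """Addresses any recipient will see in the delivered mail: To and Cc, never Bcc."""
    visible: List[str] = []
    for header in ("To", "Cc"):
        value = msg.get(header)
        if value:
            visible.extend(a.strip() for a in value.split(","))
    return visible
```

Putting the rule in the helper that every sending path calls, rather than in a training slide, is what "embedding security into culture" looks like in code: an employee who forgets the policy is still unable to breach it.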
Third Line: Penetration Testing (Pen Test)
Pen tests adopt the attacker’s mindset to simulate real-world attacks, proactively uncovering hidden vulnerabilities in IT systems and applications.
- Identify authorization flaws, weak encryption, improper validation, and more.
- Deliver detailed reports with risk points and concrete remediation steps.
- Help fix “invisible” technical weaknesses before an actual attack occurs.
- Source code reviews for new applications.
This technical line of defense completes the security loop and is crucial for a holistic data protection strategy.
Conclusion
Data security is not merely a compliance checkbox — it’s a long-term promise to your organization, customers, partners, and society at large.
Associated Services by DQS HK