From Innovation to Governance
Hong Kong’s policy focus on AI has evolved—from encouraging innovation to strengthening governance and accountability.
Together, the two PCPD publications form a dual-layer structure:
- Top layer: organisation-wide governance and oversight
- Bottom layer: practical workplace guidance for daily AI use
This framework reflects Hong Kong’s growing emphasis on transparent, fair, accountable, and secure AI management—principles now central to both global policy and local privacy practice.
What the Two PCPD Documents Say
This guidance focuses on daily workplace use of AI tools. It recommends that organisations:
- Define which AI tools and activities are permitted;
- Prohibit staff from uploading confidential or personal data;
- Require human review before publishing AI-generated content;
- Provide continuous training on data protection and ethical AI use.
It serves as a model internal policy for managing AI-related risks at the employee level.
This framework provides an organisational-level model encouraging companies to:
- Build an AI governance structure with clear leadership accountability;
- Conduct risk assessments and ensure human oversight before deployment;
- Manage the AI lifecycle from data collection through continuous monitoring;
- Communicate transparently with the public and stakeholders.
Its message is clear: AI ethics must be embedded in corporate governance, not added afterwards.
ISO/IEC 42001 — Turning Policy into Practice
The ISO/IEC 42001:2023 standard provides a global benchmark for AI governance.
It mirrors PCPD’s recommendations and establishes a structured management-system approach for risk control, accountability, and continuous improvement.
| PCPD Focus | ISO 42001 Clause | What It Means for Businesses |
| --- | --- | --- |
| AI strategy and leadership | 5.1 Leadership / 6.1 Planning | Assign accountability and measurable objectives |
| Risk management and oversight | 8.3 Risk management | Apply risk-based controls to AI operations |
| Lifecycle and security | 8.4 Lifecycle / 8.5 Security controls | Ensure data protection throughout AI training and deployment |
| Transparency and communication | 9.2 Communication / 10.1 Improvement | Maintain openness and continual improvement |
By adopting ISO 42001, organisations can translate compliance expectations into auditable, globally aligned governance processes.
How Businesses Can Apply These Principles
Create a clear internal AI policy specifying:
- Which tools are approved;
- What can or cannot be done;
- Who is responsible for oversight.
Example: Marketing departments may use ChatGPT to draft non-confidential content, but customer service teams should not input any client or personal data.
Step 2 — Identify the Risks
Audit current AI usage:
- Does it process personal data?
- Are automated decisions reviewed by humans?
- Are models and datasets securely maintained?
- Do you rely on third-party AI providers?
Example: A financial institution using AI for credit scoring should test fairness and monitor cross-border data flows.
Step 3 — Build the System
Formalise governance:
- Appoint an AI officer or committee;
- Conduct pre-launch impact assessments;
- Maintain records for audit and improvement.
Example: Before deploying a chatbot, the IT team completes an AI risk assessment and obtains management approval.
Why This Matters for Hong Kong
Responsible AI governance is rapidly becoming a core business priority in Hong Kong.
Aligning PCPD guidance with ISO/IEC 42001 provides organisations with a roadmap for transparent, fair, and trustworthy AI operations.
This alignment demonstrates Hong Kong’s readiness for future AI policy developments and shows how companies can build long-term trust with customers, regulators, and partners.
FAQ
Q1. What is ISO/IEC 42001?
ISO/IEC 42001:2023 defines the requirements for an Artificial Intelligence Management System (AIMS) to ensure responsible, transparent, and auditable AI practices.
Q2. What role does Hong Kong’s PCPD play in AI governance?
The PCPD issues non-binding guidance to help organisations establish accountability, transparency, and data protection when developing or using AI systems.
Q3. How can companies in Hong Kong prepare for responsible AI?
By aligning their internal management systems with PCPD guidance and adopting ISO/IEC 42001 frameworks for risk management and oversight.
Associated Services by DQS HK