A Plus Magazine, June 2013, page 17
Deloitte Touche Tohmatsu and an Institute member. “On the one hand there is a saving in terms of cost and convenience. On the other hand it imposes some risk to management. If they get hacked, or some kind of malware is installed, that device may leak
Koo says more than 50 percent of corporate BYOD implementations fail. BYOD policies are often top-down, he adds, giving the example of a chief executive who buys a Samsung smartphone or an Apple iPad and pushes his company’s IT unit to connect him to the corporate servers. “The most complex part of [data management] is human beings,” Koo notes.
Of course, technology can help minimize human error by limiting staff access to only the information they need. “A common issue is that employees corrupt data unintentionally,” says Christopher Hock, IT audit manager at Mazars in Beijing, “but this can only happen if the system doesn’t restrict them from doing so.”
Data protection and privacy policies are worldwide concerns. The results of a joint survey conducted by the American Institute of CPAs and the Chartered Professional Accountants of Canada released last month showed that managing and retaining data is the top technology-related priority among accountants.
“Many organizations are facing increased risks associated with data management because of an explosive growth in volume and the complexity of information being handled,” says Frank Colantonio, director of continuing education at CPA Canada in Toronto.
The Asia-Pacific region is also growing more aware of data privacy. “There has been an increase in the number of jurisdictions with data protection legislation,” says Kershaw at FTI. “South Korea, Taiwan, Malaysia and Singapore have all introduced measures since 2010.”
In addition, natural disasters have un-
KNOW THE RULES, USE BEST PRACTICES
Apart from the Hong Kong Personal Data (Privacy) Ordinance, and its recent amendments, there are currently no specific Hong Kong regulations for emerging technologies, such as cloud computing and social media applications.

“However, existing marketing, trade and consumer protection laws still apply to the use of emerging technologies,” says Amy Chiang, a senior advisory manager at Grant Thornton and a Hong Kong Institute of CPAs member.

Other jurisdictions have already responded to emerging technologies and data platforms. In the United States, for example, regulatory bodies have already taken steps to oversee social media activities and advanced mobile telephony. Recent examples include the social media guidelines related to corporate announcements issued by the Securities and Exchange Commission, and bills introduced into Congress that aim to ban employers from asking employees for social media passwords in order to scan their online activities and interactions.

Hong Kong companies, whether local or global, are advised to devote adequate resources to assess how industry rules affect consumers and employees.

“Professional service providers can help by offering ongoing training and other resources or tools to help compliance on a consistent basis,” says Henry Shek, a partner at KPMG China in Hong Kong.
“All organizations collect and process personal information of some sort,” says Shek, who recommends that organizations dealing with personal data need to ask themselves several questions, such as:

• Do you have an inventory of what you process?
• Do you know how you collect, use and maintain this information?

A further checklist, in particular for companies that hold consumer information, he adds, would include questions such as the following:

• Have you understood how you currently use personal data for direct marketing, transfer or sale?
and/or transfer of data for direct marketing?
• Have you implemented a process to obtain consent from individuals?
• Do you have a direct marketing database that records individuals who have given consent for direct marketing, and have you ensured that those who have not given consent are not in the database?
• If you transfer personal data, do you have a process to track transfers so that notifications can be sent, if required, at a later stage?
Chiang suggests that companies should refer to international best practices or standards. Some of these include:

• ISO/IEC 27001, the information security management system standard;
• ISO/IEC 27002, which are best practice recommendations on information security management; and
• COBIT, an IT governance framework.

Alan Lee, executive director, advisory services, at Ernst & Young and an Institute member, notes that there are professional qualifications with structured domain knowledge available in the industry for CPAs to acquire. Examples include Certified Information Systems Auditor, Certified Information Security Manager and Certified Information Privacy Professional.