Digital Transformation · 3 July 2026 · 15 min read

PDPO Compliance Checklist 2026 for Hong Kong Businesses

The actionable PDPO compliance checklist Hong Kong businesses use in 2026 — the 6 principles, the AI guidance, and what to fix first. Includes a downloadable format.

Karl Li
CEO & Lead Architect

Hong Kong's Personal Data (Privacy) Ordinance (PDPO) is the cornerstone data-protection law every business operating here must comply with — and in 2026, the Office of the Privacy Commissioner for Personal Data (PCPD) is enforcing it more actively than ever, especially where AI is involved. This checklist is the practical, actionable version we use with clients. It covers the six Data Protection Principles, the AI-specific guidance, and exactly what to do to satisfy a review.

Note: This is general guidance, not legal advice. For a formal PDPO compliance review of your specific systems, book a free PDPO health check at the end. But this checklist will tell you where you stand today.

What PDPO actually requires (the 6 principles)

PDPO is built around six Data Protection Principles (DPPs) that govern the entire lifecycle of personal data. Compliance means satisfying all six, not just the ones that feel convenient.

DPP1 — Purpose and manner of collection

You must collect personal data for a lawful purpose directly related to your function, and collect only what is necessary. Tell the individual why you are collecting it and the classes of people it will be disclosed to.

  • State the purpose of collection at the point of collection (e.g. on the form, in the privacy notice).
  • Collect only data you actually need — no 'just in case' fields.
  • Inform individuals of their right to request access and correction.

DPP2 — Accuracy and duration of retention

Personal data must be accurate and kept only as long as necessary for the purpose of collection.

  • Have a documented data retention schedule — define how long each data type is kept.
  • Dispose of data securely when it is no longer needed (not just delete the database row).
  • Give individuals a way to correct inaccurate data.

DPP3 — Use of personal data

Personal data must not be used for a new purpose without the individual's prescribed consent.

  • Do not reuse data collected for one purpose (e.g. a sale) for another (e.g. marketing) without consent.
  • Track where consent was given and for what — an audit trail.
  • Make withdrawal of consent easy and honour it promptly.

DPP4 — Security of personal data

Take all practicable steps to protect personal data against unauthorised access, processing, erasure, loss, or use.

  • Implement access controls — least-privilege, role-based.
  • Encrypt data at rest and in transit.
  • Maintain audit logs of who accessed what.
  • Align to a recognised standard — ISO/IEC 27001 is the de facto benchmark.
  • Run regular vulnerability assessments and penetration testing.
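As an added example (not code from the article or from Resurrect Technology), the following retention sweep enforces a DPP2 schedule by destroying each expired record's encryption key, so that disposal is cryptographic erasure rather than a plain row delete, and writes a DPP4 audit entry per action. The schedule, the sample records, the dates and the one-time-pad encryption are constructed stand-ins; a production system would use AES-GCM with KMS-managed per-record keys.

```python
from __future__ import annotations
import os
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed retention schedule (days per data class); real values come from your own schedule.
RETENTION_DAYS = {"invoice": 7 * 365, "marketing_lead": 180, "support_ticket": 365}

@dataclass
class Record:
    record_id: str
    data_class: str
    collected_on: date
    ciphertext: bytes    # personal data encrypted at rest (DPP4)
    key: bytes | None    # per-record key; None once cryptographically erased

def _xor(data: bytes, key: bytes) -> bytes:
    # One-time-pad XOR stands in for AES-GCM with a KMS-managed per-record key.
    return bytes(a ^ b for a, b in zip(data, key))

def encrypt_record(record_id: str, data_class: str, collected_on: date, plaintext: bytes) -> Record:
    if data_class not in RETENTION_DAYS:  # a class with no retention period is itself a DPP2 gap
        raise KeyError(f"no retention period defined for {data_class!r}")
    key = os.urandom(len(plaintext))
    return Record(record_id, data_class, collected_on, _xor(plaintext, key), key)

def decrypt_record(record: Record) -> bytes:
    if record.key is None:
        raise PermissionError(f"{record.record_id}: key destroyed, data unrecoverable")
    return _xor(record.ciphertext, record.key)

def is_expired(record: Record, today: date) -> bool:
    return today > record.collected_on + timedelta(days=RETENTION_DAYS[record.data_class])

def retention_sweep(records: list[Record], today: date, audit_log: list[str]) -> list[str]:
    # Destroy the key of every expired record and log each action (DPP4 audit trail).
    shredded = []
    for rec in records:
        if rec.key is not None and is_expired(rec, today):
            rec.key = None  # the row may stay for referential integrity; its contents are now noise
            shredded.append(rec.record_id)
            audit_log.append(f"{today.isoformat()} SHRED {rec.record_id} class={rec.data_class}")
    return shredded

def demo() -> tuple[list[Record], list[str], list[str]]:
    records = [  # constructed inventory: lead and ticket are past retention, invoice is not
        encrypt_record("lead-1", "marketing_lead", date(2025, 12, 1), b"alice@example.com"),
        encrypt_record("inv-1", "invoice", date(2025, 12, 1), b"Alice Chan, HK$1,200"),
        encrypt_record("tkt-1", "support_ticket", date(2025, 6, 1), b"Alice Chan, order 42"),
    ]
    audit_log: list[str] = []
    return records, retention_sweep(records, date(2026, 7, 3), audit_log), audit_log
```

Backups and replicas that still hold the key material defeat the erasure, so the key store, not just the primary database, is what the retention schedule has to govern.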

DPP5 — Information to be generally available

You must be open about your data policies — individuals should be able to find out what data you hold and what you do with it.

  • Publish a clear, accessible Privacy Policy (you have one on your site — keep it current).
  • State the categories of personal data you hold and how they are used.
  • Provide a contact point for data protection enquiries.

DPP6 — Access to and correction of personal data

Individuals have the right to request access to their personal data and to correct it.

  • Have a documented process for handling data access requests (within 40 days, per PDPO).
  • Have a process for correction requests.
  • Charge no more than a reasonable fee, if any.

The 2026 PDPO compliance checklist

Work through these in order. Tick each one honestly — 'we will get to it' is a fail.

Foundations (do these first)

  • We have a current, published Privacy Policy that accurately describes our data practices.
  • We have a documented data inventory — we know what personal data we hold, where, and why.
  • We have a data retention schedule and dispose of data when it expires.
  • We have a named Data Protection Officer (DPO) or responsible person.
  • We have a process for handling data access and correction requests within 40 days.
  • We have a process for handling consent withdrawal.

Security

  • Access to personal data is role-based and least-privilege.
  • Personal data is encrypted at rest and in transit.
  • We maintain audit logs of access to personal data.
  • We run regular vulnerability scans and penetration tests.
  • We are aligned to (or certified to) ISO/IEC 27001.
  • Our cloud providers and sub-processors are under written data-protection agreements.

Breach response

  • We have a documented data breach response plan.
  • We know when we are legally required to notify the PCPD (without undue delay for serious breaches).
  • We have an internal incident log and post-incident review process.

AI and automated processing (the 2026 layer)

The PCPD has published specific guidance on AI. If you use AI on personal data, these apply.

  • We have assessed whether our AI use involves personal data (it usually does).
  • We have conducted a Data Protection Impact Assessment (DPIA) for AI systems touching personal data.
  • Personal data is not used to train shared/external models without a lawful basis.
  • AI systems that make or inform decisions about individuals have human oversight.
  • We can explain how an AI system reached an outcome involving personal data (explainability).
  • Where AI uses personal data, data residency and the model vendor's data-handling are documented.

Cross-border transfers

  • We know where our personal data is processed (which countries/regions).
  • Where data leaves Hong Kong, we have contractual safeguards ensuring equivalent protection.
  • We can demonstrate the basis for each cross-border transfer.

PDPO and ISO/IEC 27001 — how they relate

These are different but complementary. PDPO is the legal requirement (what you must do). ISO/IEC 27001 is the management system standard (how you do it, provably). Achieving ISO/IEC 27001 certification gives you the controls, documentation, and audit trail that make PDPO compliance far easier to evidence — which is why most regulated Hong Kong businesses pursue both together. Our own information security is ISO/IEC 27001 certified, and we help clients achieve the same.

Common gaps we find in PDPO audits

  • No data inventory — the business does not actually know what personal data it holds or where.
  • No retention schedule — data accumulates forever, which is both a compliance and security risk.
  • Privacy Policy out of date — does not reflect current AI or analytics use.
  • AI models trained on customer data without a documented lawful basis.
  • Sub-processors (SaaS tools) not under data-protection agreements.
  • No breach response plan — discovered after an incident occurs.
  • No DPIA for AI systems — increasingly expected by the PCPD.

What to do if you find gaps

Do not panic, but do not delay. Prioritise by risk: fix the security and breach-response gaps first (these are the highest-consequence), then the documentation gaps (inventory, retention, policy), then the AI-specific items. If the gaps are significant or you operate in a regulated industry, get a formal PDPO compliance review — it is far cheaper than a breach or a PCPD enforcement action.

Note: We run a free PDPO health check that scores your compliance against this checklist and gives you a prioritised remediation roadmap. It takes 1–2 weeks and there is no obligation.

Frequently asked questions

Does PDPO apply to my Hong Kong business?

Yes, if you collect, hold, or process personal data in Hong Kong — which essentially every business does. PDPO applies regardless of company size. There is no SME exemption.

Do we need a Data Protection Officer?

PDPO does not strictly mandate a DPO for all businesses, but many benefit from one. We recommend naming a responsible person even if not formally a DPO — someone who owns data protection. We provide DPO advisory if you need it.

Does PDPO apply to AI?

Yes. The PCPD has published specific AI guidance. If your AI uses personal data, DPPs apply — especially around purpose limitation, security, and the right to explanation. A DPIA for AI systems touching personal data is increasingly expected.

Is ISO/IEC 27001 the same as PDPO compliance?

No, but they complement each other. PDPO is the legal requirement; ISO/IEC 27001 is the management system that makes compliance provable. Most regulated businesses pursue both. Achieving 27001 makes PDPO compliance far easier to evidence.

What counts as a notifiable data breach?

A breach likely to result in significant harm or loss to the data subjects must be notified to the PCPD without undue delay. Having a documented breach response plan is essential — the plan should define what 'significant' means for your context.

Can we use AI on customer data?

Yes, if you have a lawful basis, have assessed the risks (DPIA), ensure human oversight, can explain outcomes, and handle the data per PDPO. Grounding models in your own boundary (rather than sending data to external APIs) is the safest pattern.

Ready to apply this to your business?

Get a free PDPO health check
Tags: PDPO compliance checklist, PDPO Hong Kong, data protection Hong Kong, ISO 27001 Hong Kong, privacy compliance, Hong Kong

Apply this to your business

Tell us your industry and your hardest operational problem. We will come back within one business day.

Start a conversation

Resurrect Technology (Hong Kong) · Central District, Hong Kong