Email Compliance With PDPO – Hong Kong

The Personal Data Privacy Ordinance 486 (PDPO) is the primary legislation in Hong Kong that aims to protect the privacy of individuals concerning personal data and classes of transferees and regulate the collection, holding, processing, or use of personal data based on a set of data protection principles.


Legal Requirements And Protection Laws For PDPO

The PDPO came into force on 20 December 1996 and was amended by the Personal Data Privacy Amendment Ordinance in 2012. Most amendments took effect on 1 October 2012, mainly to introduce a new regime governing the use and provision of personal data in direct marketing. They introduced further amendments to the PDPO in 2021.

In January 2020, the Constitutional and Mainland Affairs Bureau issued a discussion paper around regulatory requirements, which sent out proposed amendments to the PDPO that were under consideration by the Hong Kong Special Administrative Region Government as the supervisory authority. Possible modifications under contemplation included introducing a mandatory data breach notification mechanism, defining reasonable grounds, increasing fines and sanctioning powers, and introducing direct regulations over data processors.


The Office of the Privacy Commissioner for Personal Data (PCPD) is one of the relevant authorities which enforce the PDPO in Hong Kong. The PCPD maintains full enforcement authority over PDPO. The PCPD has also issued various codes of practice and enforcement notices that provide practical guidance for organizations regarding the requirements under the PDPO.

Territorial Scope

The PDPO will apply to collecting and processing personal data irrespective of where the collection or processing occurred, provided that a data user controls the personal data in Hong Kong.

The PDPO applies both to the private and public sectors. The law contains additional provisions imposing further compliance requirements, such as privacy impact assessments (PIAs) and security audits. The subjects of personal data are the data subjects or owners. People who control the collection, holding, use, or disclosure of personal data are data users. Data Processors are individuals who process personal data on behalf of someone else. Data Processors aren’t directly regulated under the Personal Data Protection Ordinance. Instead, data users must make sure their data processors comply with the law. DPPs ensure personal data is collected fairly and transparently. They must store securely and use personal data for the original purpose it was collected. Individuals may access and correct their data.

DPP4 Data Security


DPP4 provides that data users must use all practicable steps to protect personal data against unauthorized or accidental processing, erasure, loss, or use.

Data protection laws require that data users take all workable steps, including describing the level of protection on the data from unauthorized or accidental access, processing, or erasure. The Personal Data Protection Ordinance (PDPO covers both manual and electronic records containing personal data), and there are no national exemptions.

Data owners must adopt contractual or other measures to ensure that the data processors comply with data security requirements, including an adequate data and email encryption level.

Due to the growth of IT outsourcing, the PCPD issued an information leaflet entitled ‘Outsourcing the Processing of Personal Data to Data Processors’ in September 2012. According to this leaflet, they recommend that data users incorporate contractual clauses in their service contracts with data processors to impose obligations to protect the personal data transferred to them.

Role Of Data Loss Prevention in PDPO Compliance

DLP is an effective tool for managing sensitive data. Businesses involved with using or handling the PII of individuals must follow security guidelines to avoid penalties.

Data Loss Prevention solves three significant objectives that apply to most organizations.

  • First, is the organization collecting and storing consumer users’ personally identifiable information?
  • Second, does the organization have the process and capability to remove the client’s data upon request?
  • Third, does the organization have a secure access policy to enable multi-factor authentication based on user actions?

DLP solutions can classify intellectual property in unstructured and structured forms. The solution can set policies and controls to prevent unauthorized access. Data visibility helps organizations gain insight into how individuals interact with data. DLP remediates various security challenges, including insider threats, office 365 data security, and user behavior.

  • Data breaches cause damage to the brand, regulatory violations, and loss of trust with customers.
  • Data Loss Prevention solutions require involving stakeholders.
  • Data Loss Prevention solutions must be implemented correctly and well maintained.
  • Data Loss Prevention solutions are complex. Encryption is necessary because it protects data.

Email Encryption And DLP – One Solution For PDPO Compliance

The hacker community knows that most security adaptive controls rarely get fully deployed, except for organizations that spend big dollars outsourcing to an MSSP or MSP service.

The following events are some of the leading causes of data leaks in 2022.

  • Misconfigured Software Settings.
  • Social Engineering
  • Recycled Passwords
  • Poor Encryption
  • Software Vulnerabilities
  • Use of Default Passwords.

Gartner often references in their security reports the challenges of misconfigured security solutions impact expected outcomes of SecOps protection strategies.

Data Loss Prevention identified protected compliance content within the email message in parallel with email encryption. It instilled rules to prevent PDPO-protected data from leaving through the email channel by enacting email encryption to protect information attempting to leave the organization unprotected.

As the PDPO privacy compliance is implemented, enterprises need to review their controls to ensure proper governance. The organization should also check its policies covering encryption, data sensitivity, and granular visibility.

Enterprises should review:

  • Encrypt any email with PDPO information. Enabling DLP policies as a system-wide adaptive control will ensure all messages that match a PDPO privacy rule encrypt the outbound message.
  • The organization must enable policies and standards monitoring for risky behavior, external threats, and intentional violation of PDPO.

Email Encryption Solution From Trustifi

Trustifi One-Click Compliance™ and Data Loss Prevention features make it easy to prove PDPO compliance and ensure your data remains secure, even if an organization collecting consumer data forgets to encrypt an email manually. The email administrator quickly selects which standards and Data Loss Prevention policies must comply with PDPO. Trustifi’s intelligent AI Engine will scan all outbound emails for sensitive content such as student records and automatically encrypt them.

With Trustifi’s One-Click Compliance™, the solution takes the complexity out of compliance.

For an additional layer of security between potential attackers and your sensitive data, you can request that recipients verify their identities via multi-factor authentication(MFA).

With Trustifi, organizations collecting consumer information can send secure encrypted emails without remembering to click the encrypt email button. Just as quickly, recipients open an encrypted email with a single click even if they don’t have Trustifi themselves.

The email administrator sets all the DLP and email encryption policies on the backend to prevent accidental data loss of PDPO confidential information being sent externally. Other solutions require users to log in to a portal to access encrypted emails, adding complexity to sending and receiving messages.

“One-Click” Encrypt And Decrypt With Trustifi

Trustifi makes sending and opening emails simpler than ever. No log-ins, portals, or passwords are needed.


Groundbreaking Technology Supporting Optical Character Recognition Technology


Trustifi’s OCR technology uses machine learning to scan email attachments such as images and PDF files. It recognizes elements such as a credit card scan or a screenshot of a financial statement and categorizes those attachments as sensitive. The attachment file is automatically encrypted, reducing the opportunity for employees/individuals to transmit unprotected confidential material.


Emails Get Automatically Scanned


The system automatically scans outgoing emails, applies the rules your administrator sets, and then finds the no input from the user. This ensures that sensitive data and attachments are not at risk before reaching their intended recipient.




Trustifi’s email security services feature a comprehensive suite of email tools for advanced threat protection, easily configurable Data Loss Prevention, and enterprise email encryption. Trustifi’s easy-to-use software is unmatched in its user-friendliness, flexibility, and cost-effectiveness. Trustifi’s time to value, ease of deployment, and lower cost of ownership for SecOps make the company culture secure and a financial match for any client seeking email security, data exfiltration, and message encryption.

Why Trustifi?


Trustifi is a cyber security firm featuring solutions delivered on software as a service platform. Trustifi leads the market with the easiest to use and deploy email security products, providing both inbound and outbound email security from a single vendor.

Trustifi has an extensive roster of clientele throughout North and South America, Europe, and the Asia Pacific. As a global cybersecurity provider of both inbound and outbound email protection, Trustifi currently supports customers from countries including the USA, Canada, Brazil, the Dominican Republic, the UK, the Netherlands, India, the UAE, China, and Japan, Cyprus, the Philippines, and more. The company has also developed “One-Click Compliance” capabilities that cater to world security regulations, including PDPO for Hong Kong, POPI for South Africa, GDPR for Europe, and LGPD for Brazil.

Request A Demo: Trustifi: Email Security Solutions


Whether you’re looking for an extra layer of protection in your existing email environment or a complete suite solution, the expertise and simplicity Trustifi offers will exceed your expectations. Let’s talk about a customized email security plan that perfectly fits your needs.