Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/10

   maintenance services should comply with those policies and requirements; and

Provide documentary proof to the Commissioner within two months from the date of the Enforcement Notice, showing the completion of items (1) to (4) above.

Recommendations

Through this report, the Commissioner would like to make the following recommendations to organisations that handle personal data with the use of information and communications technology (ICT):

Stay Vigilant to Prevent Hacker Attacks: In the wake of different security vulnerabilities, organisations should always stay vigilant, conduct regular risk assessments to review the potential impact of hacking on their systems, and enhance the protection of systems that contain personal data, such as servers and customer databases.

Establish a Personal Data Privacy Management Programme: Organisations should have a robust personal data privacy management programme, use and retain personal data in compliance with the Ordinance, and manage the entire lifecycle of personal data from collection to destruction effectively, so that they can respond to data breach incidents promptly and gain the trust of customers and other stakeholders.

Appoint Dedicated Officer as Data Protection Officer: Organisations should clearly define the roles and responsibilities of a data protection officer, including monitoring compliance with the Ordinance and reporting to senior management, as well as incorporating data protection issues raised by staff and experiences and lessons on data breach incidents involving customers' personal data into the organisation's training materials.