1. Data Privacy Services

Data management and the acquisition, storage, usage and destruction of 'Personally identifiable information' has become an important part of any modern business enterprise. Any information that can be used to distinguish one person from another and can be used for de-anonymising anonymous data can be considered PII.

Blue Dragon has experienced breach response, investigation, compliance preparedness and regulatory response procedures.


  • Crisis response - investigating the breach
  • Diagnostic and log assessments
  • Data process mapping
  • GDPR preparedness
  • Crisis Management
  • Security and threat / risk assessments
  • PDPO compliance
  • Dealing with regulatory bodies on behalf of the client
  • Investigating cause and risks
  • Evaluating ecommerce platforms
  • Redacting or special handling of personal data

  • 2. Case studies


    A HK company was subject to a well-publicised data breach. We investigated the breach, discovered the cause, and used our technical team to implement crisis response. We then assisted in replies and investigation for the Privacy Commissioner for Personal Data and were able to get the case closed successfully, having shown full understanding of the breach cause and needed remedial steps.

    A HK company was subject to a well-publicised data breach. We investigated the question of whether the breach was caused by a gap in security at the firm or by an external actor with malicious intent. We did technical and vulnerability assessments. The case was closed successfully.


    3. Practical guidance


      resume

    4. Data Protection Officer

    Not every Asian company in every Asian jurisdiction will require a DPO. For example, at present in Hong Kong there is no requirement for a data protection officer. This may change in the light of EU GDPR, but at present the PCPD encourages HK companies to have a person responsible for overseeing data user's compliance with the Personal Data (Privacy) Ordinance.

    Typical DPO duties we will perform include:

  • Handling subject access requests, liaising with the applicant, deciding what information should be provided and what should not.
  • Handling Data Protection complaints about the accuracy of personal data, data being shared against the subject's wishes.
  • Dealing with requests for personal data from regulators, police, insurance companies or lawyers.
  • Advising on privacy notices or fair processing statements.
  • Carrying out impact assessments for new projects / ideas.
  • Investigating data security incidents and actors.


  • Date Created: 1 June 2017   |   Date Modified: 18 December 2017   |  Author: Dmitri M A Hubbard