Sponsor Compliance Desk

Sponsor · 2026-01-03

Verification of Data Privacy Compliance in Sponsor Due Diligence

The Hong Kong Securities and Futures Commission (SFC) has signalled a material escalation in its scrutiny of sponsor due diligence practices, particularly concerning the verification of data privacy compliance. This shift is driven by two concurrent developments: the 2025 amendment to the Personal Data (Privacy) Ordinance (PDPO), which introduced mandatory data breach notification and a direct right of action for data subjects, and the SFC’s December 2024 consultation conclusions on sponsor liability (SFC, 2024), which explicitly extended the “reasonable steps” defence under the Securities and Futures Ordinance (SFO) to include verification of a listing applicant’s compliance with non-financial regulatory regimes. For a firm licensed for Type 6 (advising on corporate finance) regulated activity under the SFO and permitted to act as a sponsor, a failure to adequately verify an applicant’s PDPO compliance now carries direct enforcement risk, not merely reputational damage. The practical implication is that a sponsor’s due diligence programme must incorporate a structured, documented assessment of an applicant’s data governance framework, breach history, and regulatory exposure, with the same rigour applied to financial due diligence. This article sets out the specific regulatory requirements, the verification methodologies that meet the SFC’s standard, and the documentation burden that sponsors must now bear.

The Regulatory Framework: PDPO 2025 and SFC Sponsor Obligations

The interplay between the amended PDPO and the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct) creates a layered compliance obligation for sponsors. The 2025 amendments to the PDPO (Cap. 486) introduced three provisions of direct relevance to sponsor due diligence: Section 66A (mandatory data breach notification to the Privacy Commissioner within 72 hours), Section 66B (direct right of action for individuals suffering damage from a data breach), and Section 66C (increased maximum penalty for data users, up to HKD 5 million and 5 years imprisonment for intentional non-compliance). These provisions create material financial and legal exposure for a listing applicant that has not implemented adequate data governance, and by extension, for the sponsor that failed to identify this exposure during due diligence.

The SFC’s “Reasonable Steps” Defence

Paragraph 17.6 of the Code of Conduct requires a sponsor to take “all reasonable steps” to ensure that the information in a listing document is accurate and complete. The SFC’s December 2024 consultation conclusions on sponsor liability (SFC, 2024) clarified that this “reasonable steps” standard extends to verifying an applicant’s compliance with all material regulatory regimes, including data privacy. The SFC stated explicitly that a sponsor cannot rely on a simple management representation letter as sufficient verification for data privacy compliance; the sponsor must obtain independent evidence of the applicant’s data governance framework, breach history, and regulatory filings. This represents a departure from the pre-2025 practice, where data privacy was often treated as a secondary due diligence item, verified through a single question in the legal due diligence checklist.

The HKEX Listing Rules: Disclosure Obligations

The Listing Rules of The Stock Exchange of Hong Kong (HKEX), specifically Main Board Rule 11.07 and its accompanying guidance letter HKEX-GL86-16 (2016, updated 2023), require a listing applicant to disclose all material risks, including regulatory risks arising from non-compliance with data privacy laws. The HKEX has taken the position that a material data breach occurring within the three-year track record period, or a systemic failure to comply with the PDPO, constitutes a “material adverse change” that must be disclosed in the prospectus. For a sponsor, this creates a dual obligation: first, to verify that the applicant has disclosed all material data privacy risks, and second, to ensure that the disclosure is accurate and complete. Failure to do so exposes the sponsor to potential enforcement action under Section 213 of the SFO (remedial orders) and Section 300 (fraudulent or deceptive devices in transactions in securities).

Verification Methodologies: From Policy Review to Independent Testing

The SFC’s expectation is that sponsor due diligence on data privacy compliance must be substantive, not procedural. This means moving beyond a review of the applicant’s privacy policy and data inventory to include independent testing of key controls, verification of breach history, and assessment of the applicant’s regulatory exposure. The following three areas represent the minimum verification scope that the SFC will expect in a 2025-2026 sponsor engagement.

Verification of the Data Governance Framework

The first verification step is to assess the applicant’s data governance framework against the six data protection principles under the PDPO (Schedule 1). The sponsor must obtain and review the applicant’s data inventory, data classification policy, data retention and destruction policy, and data subject access request (DSAR) procedure. The SFC’s 2024 consultation conclusions (SFC, 2024) indicated that a sponsor should obtain third-party verification of this framework, either through a privacy impact assessment (PIA) conducted by a qualified external consultant, or through a certification under the Privacy Commissioner’s “Privacy-Friendly” accreditation scheme. If the applicant cannot produce a PIA or certification, the sponsor must document the reasons and assess whether this gap represents a material risk.

The verification methodology must include a review of the applicant’s data processing record (DPR), which is now a mandatory requirement under the 2025 PDPO amendments (Section 66D). The DPR must record each data processing activity, the legal basis for processing, the categories of data subjects, and the retention periods. The sponsor must cross-reference this DPR against the applicant’s business operations, customer contracts, and employee records to identify any processing activities that are not recorded or that lack a valid legal basis. A mismatch between the DPR and the actual business operations is a red flag that must be escalated to the sponsor’s compliance officer and documented in the due diligence report.

Verification of Breach History and Regulatory Filings

The second verification area is the applicant’s data breach history and its compliance with the mandatory breach notification requirements under Section 66A of the PDPO. The sponsor must obtain a written representation from the applicant’s board of directors confirming all data breaches that have occurred in the three-year track record period, and must independently verify this representation by searching the Privacy Commissioner’s public registry of data breach notifications (established under Section 66E of the 2025 amendments) and by contacting the Privacy Commissioner’s office for any non-public enforcement actions.

The sponsor must also review the applicant’s internal incident response procedures and test whether these procedures would have resulted in timely notification to the Privacy Commissioner within the 72-hour window. If the applicant has experienced a data breach that was not notified to the Privacy Commissioner, the sponsor must assess whether this constitutes a material non-compliance that requires disclosure in the prospectus. The SFC’s position, as set out in its 2024 consultation conclusions (SFC, 2024), is that a failure to notify a material breach is itself a material risk that must be disclosed, regardless of whether the breach has resulted in enforcement action.

Verification of Third-Party Data Processors and Cross-Border Transfers

The third verification area is the applicant’s management of third-party data processors and cross-border data transfers. The 2025 PDPO amendments introduced Section 66F, which requires a data user to enter into a written contract with any data processor that processes personal data on its behalf, and to take reasonable steps to ensure that the processor complies with the PDPO. For a listing applicant that outsources data processing to third parties—whether in Hong Kong or in jurisdictions such as the PRC, Singapore, or the United States—the sponsor must obtain and review these contracts, and must verify that the contracts contain the mandatory provisions required under Section 66F, including the processor’s obligation to notify the data user of any data breach and to comply with the data user’s instructions.

For cross-border data transfers, the sponsor must verify that the applicant has obtained the data subject’s express consent for the transfer (Section 33 of the PDPO, as strengthened by the 2025 amendments) or has established another valid legal basis, such as contractual necessity or a binding corporate rule. The sponsor must also assess the data protection regime in the destination jurisdiction and document whether that regime provides an adequate level of protection. The PRC’s Personal Information Protection Law (PIPL) and the cross-border data transfer security assessment requirements under the PRC Cybersecurity Law are of particular relevance for Hong Kong listing applicants with operations in the PRC. The HKEX’s guidance letter HKEX-GL86-16 (2023 update) specifically requires disclosure of cross-border data transfer risks in the prospectus, and the sponsor must verify that this disclosure is accurate.

Documentation and Reporting: The Due Diligence Report

The SFC’s enforcement actions against sponsors in the past five years, including the 2023 fine of HKD 24 million against a major international sponsor for failures in IPO due diligence (SFC, 2023), have established that the sponsor’s due diligence report is the primary evidence the SFC will review in an enforcement investigation. The due diligence report must document the verification steps taken for data privacy compliance, the evidence obtained, the findings, and the sponsor’s assessment of materiality. The SFC’s 2024 consultation conclusions (SFC, 2024) confirmed that the due diligence report must be prepared contemporaneously with the due diligence process, and that retrospective reconstruction of the report will not be accepted as evidence of reasonable steps.

Structure of the Data Privacy Section

The data privacy section of the due diligence report should follow the structure set out in the SFC’s “Guidelines for Sponsors” (2022 edition, updated 2024), which recommends a risk-based approach. The report should first identify the material data privacy risks for the applicant, based on the nature of its business, the volume of personal data processed, the jurisdictions in which it operates, and its regulatory history. The report should then document the verification steps taken for each risk, including the source of evidence (e.g., PIA report, DPR, processor contracts, Privacy Commissioner registry search), the date of verification, and the person responsible.

For each verification step, the report must include the sponsor’s assessment of whether the evidence obtained is sufficient to conclude that the applicant is in compliance with the PDPO. If the sponsor identifies a gap or a red flag, the report must document the steps taken to address it, including any escalation to the applicant’s board, any remedial actions taken by the applicant, and the sponsor’s final assessment of materiality. The SFC’s expectation, as set out in its 2024 consultation conclusions (SFC, 2024), is that the sponsor must be able to demonstrate that it has exercised professional scepticism and has not simply accepted the applicant’s representations at face value.

The “Materiality” Assessment

A critical component of the due diligence report is the materiality assessment. The sponsor must assess whether any identified data privacy non-compliance is material to the listing applicant’s business and financial position. The assessment should consider the following factors: the number of data subjects affected, the sensitivity of the data involved, the potential financial penalty (up to HKD 5 million under Section 66C of the PDPO), the potential for civil claims under the direct right of action (Section 66B), the impact on the applicant’s reputation and customer trust, and the regulatory risk of enforcement action by the Privacy Commissioner. The sponsor must document its reasoning for each factor and must state whether the non-compliance requires disclosure in the prospectus.

If the sponsor concludes that the non-compliance is material, it must ensure that the prospectus contains a clear and prominent risk factor disclosure. The HKEX’s guidance letter HKEX-GL86-16 (2023 update) provides that the disclosure must include the nature of the non-compliance, the steps taken to remediate it, the residual risk, and the potential financial and operational impact. The sponsor must verify that the disclosure is accurate and complete, and must document its verification in the due diligence report.

Practical Implications for Sponsor Compliance Functions

The SFC’s heightened focus on data privacy compliance in sponsor due diligence has direct implications for a sponsor’s internal compliance function. The compliance officer must ensure that the firm’s due diligence procedures are updated to include the verification steps set out above, and that the due diligence team has the necessary expertise to assess data privacy risks. This may require the engagement of external data privacy consultants or the recruitment of in-house data privacy specialists. The SFC’s 2024 consultation conclusions (SFC, 2024) indicated that a sponsor cannot rely on the applicant’s legal counsel to perform the data privacy due diligence; the sponsor must take direct responsibility for the verification.

Training and Competency

The compliance officer must ensure that all members of the due diligence team receive training on the 2025 PDPO amendments and the SFC’s expectations for data privacy due diligence. The training should cover the verification methodologies set out in this article, the documentation requirements, and the materiality assessment framework. The compliance officer should also establish a system for monitoring changes in data privacy regulations in Hong Kong and in the jurisdictions in which the applicant operates, and for updating the due diligence procedures accordingly.

Record-Keeping and Audit Trail

The compliance officer must ensure that the firm maintains a complete and contemporaneous record of all data privacy due diligence activities, including the due diligence report, the evidence obtained, the correspondence with the applicant, and the internal escalation records. The SFC’s enforcement actions have consistently emphasised the importance of a clear audit trail that demonstrates the sponsor’s “reasonable steps” at each stage of the due diligence process. The compliance officer should conduct a periodic review of the data privacy due diligence files to ensure that they meet the SFC’s standards, and should document any deficiencies and the remedial actions taken.

Actionable Takeaways

  1. Sponsors must update their due diligence procedures to require independent verification of an applicant’s data governance framework, breach history, and third-party processor contracts, moving beyond reliance on management representation letters.
  2. The due diligence report must document the specific verification steps taken for each material data privacy risk, the evidence obtained, and the sponsor’s materiality assessment, with contemporaneous records that can withstand SFC scrutiny.
  3. Sponsors must verify that the applicant’s data processing record (DPR) is complete and accurate, and must cross-reference it against the applicant’s business operations to identify any unrecorded or non-compliant processing activities.
  4. The compliance function must ensure that the due diligence team has the necessary expertise to assess data privacy risks, either through in-house training or the engagement of external data privacy consultants.
  5. Sponsors must monitor the Privacy Commissioner’s public registry of data breach notifications and the HKEX’s updated guidance on data privacy disclosures to ensure that their due diligence procedures remain current with regulatory developments.