PCPD 2026 AI Privacy Compliance Checklist: 6 Things Hong Kong Businesses Should Do Before Using AI
A Hong Kong retailer wants AI to organize WhatsApp inquiries, member data and online shop orders. An education provider wants AI to match students with courses. A professional services firm wants AI to prepare first drafts of client follow-up notes. These are practical use cases, but management will quickly face the same question: if AI touches customer names, phone numbers, purchase histories, registration details or contract content, who decides what it can read, how long the data is kept, and what happens when something goes wrong?
This is no longer a distant compliance issue. On May 19, 2026, the Office of the Privacy Commissioner for Personal Data (PCPD) published the findings of a new round of compliance checks on the impact of AI use on personal data privacy. The checks covered 60 organisations across sectors including banking, education, retail, logistics, property management, food and beverage, accounting, innovation and technology, and public services. The PCPD reported that 57 of the 60 organisations, or 95%, were already using AI in day-to-day operations. Among them, 24 organisations collected or used personal data through AI systems.
For Hong Kong businesses, the question is not whether AI can be used. The practical question is whether enough governance exists before AI is placed inside customer service, reporting, sales, HR or compliance workflows. The following six items form a useful starting checklist for SMEs, operations teams and IT managers.
1. Build an AI inventory before tools spread across departments
Many companies first discover AI risk not through a formal system, but through informal tool use. Marketing uses AI to write ads. Customer service uses AI to summarize inquiries. HR uses AI to rewrite job descriptions. Management uses AI to summarize reports. Each use case may look small on its own, but together they create an unmanaged data processing environment.
The PCPD's Model Personal Data Protection Framework recommends that organisations establish an AI strategy and AI inventory. Businesses should know which AI systems are being used, what each one is for, whether personal data is involved, which department owns it, and whether it is provided by a third-party vendor.
For example, a clinic or training centre can start with a simple inventory listing use cases such as "customer service reply drafts", "course recommendations" and "meeting note summaries". For each item, record the data source, whether identity documents, payment records or health information are involved, and whether staff approval is required before output is sent. The inventory does not need to be complex, but it becomes the foundation for permissions, contracts, training and risk assessment.
2. Separate general AI assistance from personal data processing
Not every AI use case carries the same level of risk. Using AI to polish generic marketing copy is very different from using AI to analyze customer complaints, member spending records or applicant CVs.
In its May 19, 2026 findings, the PCPD noted that the 24 organisations collecting or using personal data through AI systems used tools such as chatbots, OCR, text, image, video and presentation generators, and data analysis tools. The lesson is direct: once an AI tool reads, organizes, transforms or outputs information relating to individuals, it should be governed as a privacy matter, not treated as ordinary office software.
For example, a logistics company may use AI to produce a generic delivery delay notice with relatively low risk. But if AI reads a customer's address, phone number, order number and delivery time to prepare a personalized response, the process involves personal data. The company should confirm the collection purpose, retention period, vendor processing method and staff review workflow before deployment.
3. Update PICS, privacy policies and retention rules
When AI is introduced, existing documents often need to be updated. This includes the Personal Information Collection Statement (PICS), privacy policy, internal data retention schedule and vendor contracts. The PCPD's checks found that organisations collecting or using personal data through AI systems all provided PICS on or before collection. However, only about 29% specified the use of AI tools in processing personal data in their PICS.
This is a useful signal for SMEs. A business does not need a lengthy AI policy on day one, but it should be transparent about why personal data is collected, whether AI tools may process it, whether third parties may receive it, how long it is kept, and when it is deleted.
For example, an online shop using AI customer service to organize inquiries can update its collection pages and privacy policy to explain that AI may be used to classify inquiries, draft replies and improve service workflows. The system should also define how long inquiry records are retained, for instance by deleting or anonymising each record under a set rule once its after-sales service is completed, rather than leaving records indefinitely inside a support tool.
4. Set employee GenAI boundaries instead of relying on verbal reminders
Many AI privacy risks come from manual copy and paste. An employee may paste customer data into an unapproved AI tool simply to finish a report faster, but the business may have no clear way to trace where the information went afterwards.
The PCPD's 2026 checks found that all 24 organisations collecting or using personal data through AI systems permitted employees to use generative AI at work. Among them, about 71% had formulated internal policies or guidelines, and about 21% planned to do so. In practice, a generative AI employee policy is no longer only for large enterprises.
For example, an accounting or professional services firm can divide AI use into three groups: allowed, approval required and prohibited. Allowed use may include rewriting emails that contain no client data. Approval-required use may include summarizing anonymised client inquiry trends. Prohibited use may include pasting full contracts, identity documents, financial statements or confidential business information into a personal AI account. The policy should be supported by actual tool access controls and training, otherwise it becomes a document without operational effect.
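The three tiers above only take effect when something actually checks a prompt before it leaves the company. The following is an added illustration written for this checklist, not code from technine.io or the PCPD: a small prompt guard that assigns a prompt to the allowed, approval-required or prohibited tier. The detectors it uses (HKID numbers validated by their check digit, Hong Kong phone numbers, e-mail addresses and a short list of confidential-document markers) and the tier rules are assumptions chosen to show how a written policy becomes an enforceable control; the sample prompts are constructed.

```python
"""Prompt guard that enforces the allowed / approval-required / prohibited tiers.

Added illustration for this checklist; it is not technine.io's or the PCPD's code.
The detectors (HKID numbers validated by check digit, Hong Kong phone numbers,
e-mail addresses, a few confidential-document markers) and the tier rules are
assumptions chosen to show how a policy becomes an enforceable control.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

ALLOWED, APPROVAL_REQUIRED, PROHIBITED = "allowed", "approval_required", "prohibited"

# HKID: one or two letters, six digits, check digit 0-9 or A, brackets optional.
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\(?([0-9A])\)?")
# Hong Kong phone: 8 digits, first digit 2/3/5/6/7/8/9, optional +852 and a separator.
HK_PHONE_RE = re.compile(r"(?<!\d)(?:\+?852[\s-]?)?[2356789]\d{3}[\s-]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Phrases that suggest a whole confidential document was pasted (assumed list).
CONFIDENTIAL_MARKERS = ("financial statement", "balance sheet", "engagement letter", "passport no")


def hkid_check_digit_ok(letters: str, digits: str, check: str) -> bool:
    """Validate the HKID check digit: weights 9..2 over the 8 leading characters,
    letters valued A=10..Z=35, and a missing second letter counted as a space (36)."""
    prefix = letters.rjust(2)                      # single-letter IDs get a leading space
    values = [36 if c == " " else ord(c) - ord("A") + 10 for c in prefix]
    values += [int(d) for d in digits]
    total = sum(w * v for w, v in zip(range(9, 1, -1), values))
    expected = (11 - total % 11) % 11             # a result of 10 is written as the letter A
    return check == ("A" if expected == 10 else str(expected))


@dataclass
class Verdict:
    tier: str
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (kind, matched text)


def classify_prompt(prompt: str, tool_approved: bool = True) -> Verdict:
    """Decide which policy tier a prompt falls into before it leaves the company.

    tool_approved=False models a personal or unvetted AI account: any personal data
    found makes the request prohibited rather than merely subject to approval."""
    findings: List[Tuple[str, str]] = []
    for m in HKID_RE.finditer(prompt):
        if hkid_check_digit_ok(*m.groups()):       # drop look-alikes with a bad check digit
            findings.append(("hkid", m.group(0)))
    lowered = prompt.lower()
    findings += [("confidential_marker", k) for k in CONFIDENTIAL_MARKERS if k in lowered]
    findings += [("phone", m.group(0)) for m in HK_PHONE_RE.finditer(prompt)]
    findings += [("email", m.group(0)) for m in EMAIL_RE.finditer(prompt)]

    kinds = {kind for kind, _ in findings}
    if kinds & {"hkid", "confidential_marker"}:
        return Verdict(PROHIBITED, findings)       # identity documents and whole confidential files never go out
    if kinds and not tool_approved:
        return Verdict(PROHIBITED, findings)       # personal data may only reach an approved tool
    if kinds:
        return Verdict(APPROVAL_REQUIRED, findings)  # contact details: anonymise and get sign-off
    return Verdict(ALLOWED, findings)


def redact(prompt: str, findings: List[Tuple[str, str]]) -> str:
    """Replace every detected value with a labelled placeholder so the approver can
    release the anonymised prompt instead of the original."""
    for kind, value in findings:
        prompt = prompt.replace(value, f"[{kind.upper()}]")
    return prompt


if __name__ == "__main__":
    # Constructed sample prompts, not real customer data.
    for text, approved in [
        ("Rewrite this email to sound friendlier: thanks for attending our seminar, slides attached.", True),
        ("Summarise the complaint from the client holding HKID A123456(3) about the late invoice.", True),
        ("Draft a polite reminder to 9123 4567 about the overdue course fee.", True),
        ("Draft a polite reminder to 9123 4567 about the overdue course fee.", False),
    ]:
        verdict = classify_prompt(text, tool_approved=approved)
        print(verdict.tier, "|", redact(text, verdict.findings))
```

The guard belongs in the approved tool's front end or in a proxy in front of the vendor API: the prohibited tier blocks the request, the approval-required tier routes the redacted text to a reviewer, and every verdict should be logged. An eight-digit order number looks like a phone number to this regex, which is why phone and e-mail hits only escalate to approval rather than block outright; the HKID check digit is what keeps that detector from firing on random letter-digit strings.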
5. Keep humans in the loop for high-risk workflows and keep approval records
AI can improve efficiency, but it should not automatically make every decision. The PCPD's findings show that among the organisations using AI systems involving personal data, about 79% adopted a human-in-the-loop approach so that human actors retained control of decision-making. The remaining organisations used a human-in-command approach, where humans monitored system operations and intervened when necessary.
For Hong Kong businesses, a practical model is to divide AI permissions into three levels: read, suggest and execute. The closer a workflow is to payment, contracts, complaints, service denial, employee assessment or sensitive personal data, the stronger the human approval requirement should be.
For example, a property management company can let AI classify resident maintenance requests into plumbing, electrical, lift or security issues. But decisions involving payment, complaint responses, personal data correction or incident responsibility should only be issued after staff approval. The system should also record who approved the output, when it was approved and what content was changed, so the business has an audit trail later.
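The read, suggest and execute levels and the approval record described above can be expressed as one small gate in front of the AI output. The following is an added illustration written for this checklist, not code from technine.io or any property management system: each workflow has a ceiling for what the AI may do unattended, anything above it needs a named approver, and every decision is written to an audit trail that records who approved, when, and which lines were changed. The workflow names, the per-workflow ceilings and the record layout are assumptions; the sample actions are constructed.

```python
"""Read / suggest / execute gate for AI output, with a human-approval audit trail.

Added illustration for this checklist; it is not technine.io's or any property
management system's code. The workflow names, the per-workflow permission ceiling
and the audit record layout are assumptions.
"""
import difflib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List, Optional

READ, SUGGEST, EXECUTE = "read", "suggest", "execute"
LEVELS = [READ, SUGGEST, EXECUTE]

# Highest level the AI may reach without a named human approver, per workflow.
# Sorting a maintenance request into plumbing / electrical / lift / security is low
# risk and may run unattended; anything touching money, complaints, personal data
# correction or responsibility for an incident stops at "suggest" until a person
# signs it off. Workflows not listed here are treated as high risk (fail closed).
UNATTENDED_CEILING = {
    "classify_request": EXECUTE,
    "fee_adjustment": SUGGEST,
    "complaint_reply": SUGGEST,
    "data_correction": SUGGEST,
    "incident_responsibility": SUGGEST,
}


@dataclass
class ProposedAction:
    workflow: str
    level: str        # read | suggest | execute
    ai_output: str    # the text or change the AI wants to send or apply


@dataclass
class AuditRecord:
    workflow: str
    level: str
    decision: str                 # unattended | approved | rejected
    ai_output: str
    final_output: str
    approver: Optional[str]
    approved_at: Optional[str]    # ISO 8601, UTC
    changed_lines: List[str]      # ndiff lines: what the approver altered before release


class ApprovalGate:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock        # injectable so the timestamp is testable
        self.audit_log: List[AuditRecord] = []

    def needs_human(self, action: ProposedAction) -> bool:
        ceiling = UNATTENDED_CEILING.get(action.workflow, SUGGEST)
        return LEVELS.index(action.level) > LEVELS.index(ceiling)

    def submit(self, action: ProposedAction, approver: Optional[str] = None,
               final_output: Optional[str] = None, approve: bool = True) -> AuditRecord:
        """Apply the gate and append an audit record. Raises PermissionError when an
        execute-level action in a high-risk workflow arrives without a named approver."""
        if action.level not in LEVELS:
            raise ValueError(f"unknown level {action.level!r}")
        if not self.needs_human(action):
            record = AuditRecord(action.workflow, action.level, "unattended",
                                 action.ai_output, action.ai_output, None, None, [])
        else:
            if not approver:
                raise PermissionError(f"{action.workflow}: {action.level} requires a named approver")
            final = "" if not approve else (action.ai_output if final_output is None else final_output)
            changed = [line for line in difflib.ndiff(action.ai_output.splitlines(), final.splitlines())
                       if line[:2] in ("- ", "+ ")]
            record = AuditRecord(action.workflow, action.level, "approved" if approve else "rejected",
                                 action.ai_output, final, approver, self.clock().isoformat(), changed)
        self.audit_log.append(record)
        return record

    def export_jsonl(self) -> str:
        """One JSON object per line, suitable for shipping to the log store."""
        return "\n".join(json.dumps(asdict(r)) for r in self.audit_log)


if __name__ == "__main__":
    gate = ApprovalGate()
    # Constructed sample actions, not real resident data.
    gate.submit(ProposedAction("classify_request", EXECUTE, "category: plumbing"))
    reply = ProposedAction("complaint_reply", EXECUTE, "We will waive this month's management fee.")
    gate.submit(reply, approver="ops.chan",
                final_output="We will review the fee with the owners' committee within 5 working days.")
    print(gate.export_jsonl())
```

Two design points matter more than the code itself: an unlisted workflow defaults to the "suggest" ceiling so a new AI use case cannot execute unattended until someone classifies it, and the audit record keeps both the AI draft and the released text, so a later complaint can be traced to a named approver and to exactly what was changed.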
6. Run a PIA before launch, then schedule audits and incident response drills
An AI system is not finished once it goes live. Models, data sources, vendor features, employee habits and regulatory expectations change over time. In the PCPD's 2026 findings, about 79% of organisations using AI systems involving personal data conducted privacy impact assessments before implementation. About 92% formulated data breach response plans, and about 63% conducted regular internal audits or independent assessments.
SMEs may not need a large audit programme immediately, but they should at least have pre-launch checks, periodic reviews and an incident response process. This is especially important when using AI agents. The PCPD specifically reminded organisations to consider the nature and sensitivity of the personal data involved, to grant only the minimum access rights necessary for the task, and to be careful with plugins and skills, obtaining them only from official download sources.
For example, a training provider planning to use an AI agent to follow up unpaid students can start with a two-to-four-week pilot. In the first phase, the AI only reads course name, payment status and contact channel, then generates reminder drafts for staff approval. At the end of the pilot, the team reviews whether messages were sent incorrectly, whether too much data was exposed, whether students complained, or whether staff bypassed the workflow. Only then should the company decide whether to expand the workflow to more courses.
AI compliance does not slow innovation; it makes AI usable for the long term
The PCPD's May 19, 2026 findings do not suggest that businesses should stop using AI. On the contrary, the data shows that AI has already entered daily Hong Kong operations, including administrative support, customer service, marketing, risk management, R&D, HR and corporate communications. The difference is that mature businesses manage AI as a system capability instead of letting departments experiment with disconnected tools.
For Hong Kong SMEs, the most useful first step is not buying the most complex AI platform. It is building the foundation: an AI inventory, clearer data flows, updated PICS and privacy policies, employee GenAI guidelines, human-in-the-loop approvals, privacy impact assessments, audits and incident response routines.
technine.io helps Hong Kong businesses design AI workflows, build maintainable web and mobile systems, integrate CRM, booking, documents and cloud data, and plan governance into permissions, approvals, logs and data protection. When AI touches customer data and daily decisions, technical implementation and compliance readiness should begin together.