Stricter regulations and higher requirements
On 17 April 2023, the Vietnamese government issued Decree 13/2023/ND-CP on personal data protection (Decree 13), which is the first-ever consolidated and comprehensive legal instrument on personal data protection introduced in Vietnam. Decree 13 is set to take effect on 1 July 2023 and will have significant impacts on businesses in Vietnam by introducing a series of new concepts and comprehensive requirements.
Decree 13 outlines the responsibilities for personal data protection and states that it applies to both local and offshore entities directly involved in or related to personal data processing activities in Vietnam.
Under Decree 13, personal data is categorized into two types: basic and sensitive. Customer information held by financial organizations is classified as sensitive personal data, resulting in stricter regulations and higher compliance requirements for the processing of such information.
The decree defines personal data and the regulated parties, establishes eight principles for personal data processing, and grants data subjects 11 rights. These include the right to know what data is being processed, the right to consent to processing, the right to erasure, the right to restrict processing, the right to request the provision of data, the right to object to processing, and the right to self-protection. Data subjects also have the right to complain, denounce or initiate lawsuits, and to claim compensation for damages.
The framework requires the data subject's consent and a prior notification (which may be given once) before any lawful processing of personal data, except in the exceptional cases the decree lists. It also mandates that impact assessments for personal data processing and for cross-border data transfers be submitted to the Department of Cybersecurity and Hi-tech Crime Prevention (A05), using Form 04 and Form 06 respectively, within 60 days from the start of processing. Additionally, it sets out data protection measures, including technical, managerial, organizational, and other measures.
Proactively navigate the complex regulatory requirements
According to the EY Global Information Security Survey 2020, cyber and privacy threats are on the rise, with 59% of Southeast Asia (SEA) organizations having experienced a significant or material breach in the past 12 months. However, despite this growing risk, only 43% of SEA organizations involve cybersecurity right from the planning stage of new business initiatives.
In Vietnam, cyber and privacy threats have been a paramount concern for financial organizations. Illegal collection and trading of personal data has been widespread in recent years, with the largest recorded data breach reaching nearly 1,300 GB, as cited at the Dissemination Conference on Decree 13/2023/ND-CP on personal data protection organized by the Ministry of Public Security on 7 June 2023.
Violating personal data protection regulations not only damages financial organizations' reputations but can also result in substantial financial penalties. Before Decree 13, other jurisdictions had already enforced data protection regulations, such as the General Data Protection Regulation (GDPR) in the EU since 2018, the California Consumer Privacy Act (CCPA) in the USA since 2020, and the Personal Information Protection Law in China since 2021. Getting those laws wrong can be costly: cumulative fines from EU supervisory bodies have totaled close to US$0.58b, as cited in the EY article "How to successfully embed a culture of Privacy by Design"[1]. Recently, an American multinational technology conglomerate faced a US$1.3b fine from European Union regulators for violating EU privacy laws by transferring the personal data of its users to servers in the United States.[2]
With evolving cybersecurity threats and the upcoming implementation of Decree 13, financial organizations operating in Vietnam and offshore must proactively navigate the complex regulatory requirements to avoid the potentially severe financial penalties proposed in the latest version of the Draft Decree on administrative penalties in the field of cybersecurity. Notable penalties include a basic monetary fine of up to VND200m or, for more serious violations, two to five times the basic fine, or even 3% to 5% of total revenue in Vietnam in the most recent fiscal year. Furthermore, companies may face a wide range of additional and remedial measures.
As such, we recommend that financial organizations take the seven steps below to maintain compliance:
- Implement a data inventory to keep track of personal data and data flows across the organization's operations.
- Conduct a data privacy gap assessment between current practices and the requirements of Decree 13.
- Develop or review data protection frameworks, policies, consent forms, processing notifications, relevant contracts, and procedures for personal data protection, internal management, third-party risk management, and breach management.
- Prepare the impact assessments for personal data processing and for cross-border data transfer.
- Establish a Data Protection Department (DPD) and designate a Data Protection Officer (DPO).
- Design and conduct data protection awareness training for employees.
- Implement managerial and technical measures to safeguard personal data effectively.
Going beyond compliance
When all our personal data can be monetized, will privacy become a luxury for the rich? Future consumers will play a more active role in controlling how companies use their personal data to create value. Financial organizations must build an effective culture of personal data privacy, not only to comply with Decree 13, but to maintain customer trust and stay competitive under evolving business conditions.
It is crucial to recognize that there is no universal approach to building an effective culture of personal data privacy. We recommend the seven steps below to foster a culture of data privacy and protection. For them to succeed, however, they must be tailored to each financial organization's culture and work practices.
- Leadership commitment: Leadership should demonstrate a strong commitment to data privacy and protection by setting the tone at the top. They should actively promote and prioritize data privacy initiatives and ensure resources are allocated for implementation.
- Clearly defined policies and procedures: Develop comprehensive data privacy and protection policies and procedures that clearly outline expectations for all employees. These policies should cover data handling, access controls, data retention, and incident response, among others.
- Employee training and awareness: Conduct regular training sessions and awareness programs to educate employees about the importance of data privacy and protection.
- Privacy by design: Incorporate privacy considerations into the design and development of systems, processes, and products from the outset. Implement privacy impact assessments to identify and address privacy risks in new initiatives or changes to existing systems.
- Data access and controls: Implement strong access controls and least privilege principles to ensure that employees only have access to data necessary to perform their job duties. Regularly review and audit user access rights to prevent unauthorized access.
- Regular assessments and audits: Conduct regular assessments and audits to evaluate the organization's compliance with data privacy regulations and internal policies. Identify areas of improvement and take corrective actions as necessary.
- Incident response and breach management: Establish clear incident response plans to effectively handle data breaches or privacy incidents. This includes defining roles and responsibilities, communication protocols, and a process for timely reporting and resolution of incidents.
By following these steps, organizations can create a culture where data privacy and protection are prioritized, ingrained in daily operations, and embraced by all employees.
This article first appeared in Vietnam Investment Review on 20 July 2023.
Disclaimer
The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organization or its member firms.