Navigating a stricter data privacy legal landscape

In April, the Vietnamese government issued Decree No.13/2023/ND-CP on personal data protection (PDP), which is the first-ever consolidated and comprehensive legal instrument on the issue introduced in Vietnam. Decree 13 is set to take effect on July 1 and will have a significant impact on businesses in Vietnam by introducing a series of new concepts and comprehensive requirements.

Michael Beckman, partner at EY Law Vietnam (left) and Robert Tran, partner at EY Vietnam Cybersecurity Services

Decree 13 outlines the responsibilities for PDP and clearly states its application to both local and offshore entities directly involved in or related to personal data processing activities in Vietnam.

Under Decree 13, personal data is categorised into two types: basic and sensitive. Customer information held by financial organisations is classified as sensitive personal data, resulting in stricter regulations and higher compliance requirements for the processing of such information.

The decree provides definitions for personal data, and regulated subjects’ terms, establishes eight principles concerning data processing, and grants data subjects 11 rights. These rights include the right to know what data is being processed, the right to consent to processing, the right to erasure, the right to restrict data processing, the right to request the provision of data, and the right to object to data processing and right to self-defence. Data subjects also have the right to complain, denounce or initiate lawsuits and to claim compensation for damages.

The regulatory framework requires obtaining the data subject's consent and a one-time notification prior to any legal data processing activities, except in exceptional cases. It also mandates the submission of data processing and cross-border data transfer impact assessments to the Department for Cybersecurity and High-tech Crime Prevention, along with Form 04 or Form 06 respectively, within 60 days from the start of processing. Additionally, it outlines data protection measures, including technical, managerial, organisational, and other measures.

Cyber and privacy threats are on the rise, with 59 per cent of Southeast Asia organisations having experienced a significant or material breach in the past 12 months.

Proactive navigation

According to the EY Global Information Security Survey 2020, cyber and privacy threats are on the rise, with 59 per cent of Southeast Asia organisations having experienced a significant or material breach in the past 12 months. However, despite this growing risk, only 43 per cent of related organisations involve cybersecurity right from the planning stage of new business initiatives.

In Vietnam, cyber and privacy threats have been a paramount concern for financial organisations. Illegal collection and trade of personal data has been widespread in recent years with the largest recorded data breach reaching nearly 1,300 GB, cited from a dissemination conference on the new decree.

Violating laws on regulations on PDP not only damages financial organisations’ reputations, but also can result in substantially financial penalties. Prior to Decree 13, different countries had already enforced data protection regulations, such as the General Data Protection Regulation in the EU since 2018 and the California Consumer Protection Act in the US since 2020.

Getting those laws wrong can be costly, as cumulative fines from EU supervisory bodies have totalled over $500 million. Recently, an American multinational tech conglomerate was faced with a $1.3 billion fine from European Union regulators for violating EU privacy laws by transferring the personal data of their users to servers in the United States.

With the evolving cybersecurity threats and the upcoming implementation of Decree 13, financial organisations operating in Vietnam and offshore must proactively navigate the complex regulatory requirements to avoid potential severe financial penalties, as proposed in the latest version of the Draft decree on Penalties in Cybersecurity area.

Notable penalties include basic a monetary fine of up to VND200 million ($8,500) or, for more serious violations, 2-5 times the basic monetary fine or even up to 3-5 per cent of the total revenue in the latest fiscal year in Vietnam. Furthermore, companies may face a wide range of additional and remedial measures.

As such, we recommend financial organisations to take the seven steps below to maintain compliance: Implement data inventory to keep track of personal data and data flows within financial organisations’ operations; conduct the data privacy gap assessment between the current practices and the requirements under Decree 13; develop or review data protection frameworks, policies, consent form, processing notification, relevant contracts, and procedures on PDP, internal management, and third-party risk management as well as breach management; prepare the data protection impact assessment for processing such data and cross-border data transfer; establish a Data Protection Department and designate a data protection officer; design and conduct data protection awareness training for employees; and implement managerial and technical measures to safeguard data effectively.

Future consumers will play a more active role in controlling how companies use their data to create value.

Going beyond compliance

When all our personal data can be monetised, will privacy be a luxury for the rich? Future consumers will play a more active role in controlling how companies use their data to create value. Financial organisations must build an effective culture of data privacy, not only to comply with Decree 13, but to maintain customer trust and stay competitive in the evolving business conditions.

It's crucial to recognise that there is no universal approach to building an effective culture of data privacy. We recommend seven steps to foster a culture of data privacy and protection. However, for it to succeed, it must be customised to each financial organisations' culture and work practices.

Leadership should demonstrate a strong commitment to data privacy and protection by setting the tone at the top. They should actively promote and prioritise data privacy initiatives and ensure resources are allocated for implementation.

There should be clearly defined policies and procedures. Organisations need to develop comprehensive data privacy and protection policies and procedures that clearly outline expectations for all employees. These policies should cover data handling, access controls, data retention, and incident response, among others.

As for employee training and awareness, training sessions and awareness programmes should be regularly conducted to educate employees about the importance of data privacy and protection.

Privacy considerations should be incorporated into the design and development of systems, processes, and products from the outset. Implement privacy impact assessments to identify and address privacy risks in new initiatives or changes to existing systems.

In terms of data access and controls, strong access controls and least privilege principles should be implemented to ensure that employees only have access to data necessary to perform their job duties. Regularly review and audit user access rights to prevent unauthorised access.

Regular assessments and audits should be conducted to evaluate the organisation's compliance with data privacy regulations and internal policies. Identify areas of improvement and take corrective actions as necessary.

Organisations should also establish clear incident response plans to handle data breaches effectively. This includes defining roles and responsibilities, communication protocols, and a process for timely reporting and resolution of incidents.

By following these steps, organisations can create a culture where data privacy and protection are prioritised, ingrained in daily operations, and embraced by all employees.

Nuts and bolts of new personal data decree Last month the government in Vietnam finally issued Decree No.13/2023/ND-CP on personal data protection (PDP). The decree will take effect from July; however, micro, small, and medium-sized enterprises as well as startups (excluding data processing companies) are optionally exempted for two years.

Vietnam working hard to protect personal data The Government’s Steering Committee for Human Rights has issued a plan on communications activities towards the 75th anniversary of World Human Rights Day (December 10), heard a press conference in Hanoi on May 18.

Data protection heads digital banking efforts Vietnamese authorities have been busy at work dismantling an illicit information network involving bank employees, as local lenders prioritise data protection and digital infrastructure for customer privacy and growth.

Efficient and reliable planning at forefront of digital evolution As the number of Vietnamese businesses recognising the importance of data rises, they prioritise developing a data-driven culture and foundation in digital transformation, addressing challenges in aligning metrics, and enhancing financial education.