Robert Trong Tran and Thach Thi Cam Tran
Almost eight months into the enforcement of Decree 13/2023/ND-CP (Decree 13) on personal data protection, businesses are facing compliance challenges. With the potential for administrative sanctions on the horizon, it is now more crucial than ever for businesses to understand the challenges and relevant risks of compliance as well as identify appropriate measures.
Decree 13, issued in April 2023 and in force since July 1, 2023, gave enterprises a window of roughly 2.5 months to prepare for compliance. The novel requirements, combined with scarce internal resources, have left many businesses facing significant challenges in complying with the decree.
While anticipation builds for the rollout of an administrative sanctions decree, it is worth noting that in March the Ministry of Public Security put forward a proposal to develop a law on personal data protection.
Together with the ministry's proposal to introduce a credit rating system for businesses' data protection practices, this underlines the critical need for enterprises to prioritise compliance assessments and implement measures to close existing gaps.
There are significant risks associated with non-compliance, and the stakes extend beyond administrative penalties.
Failure to adequately protect personal data could expose businesses to financial and reputational damage, eroded customer trust, lost business opportunities, and even operational disruptions.
Therefore, strengthening the safety of personal data should go beyond regulatory compliance.
It should be strategically integrated into the organisation's risk management efforts, with stronger security measures treated as part of its sustainability and growth.
Drawing from our extensive experience working with clients and conducting a thorough analysis of the decree, we have identified seven main challenges that enterprises should pay close attention to.
1. Accurately identifying the overall landscape of personal data processing activities within the organisation: Given that processing activities have become increasingly complex, it is difficult for businesses to map the types of personal data they process, their role in each case (controller, processor or both), the processing activities involved, and data ownership at each stage of the data lifecycle.
2. Obtaining consent and notifying data subjects: The “transparency” principle in Decree 13 mandates that data subjects are informed and provide their consent prior to data collection.
The consent must meet multiple requirements in terms of mandatory contents, means of consent obtainment, voluntariness of the data subjects, for single purposes, among others.
Therefore, enterprises might find it hard to design the consent form, set up appropriate collection mechanisms (e.g., online forms, phone calls, direct communication or paper forms), manage the consent once given, and record evidence of it for compliance purposes.
3. Developing or enhancing a data protection framework: While Decree 13 mandates that data controllers or processors must formulate regulations on the protection of personal data, there is no available industry best practice or common standard in Vietnam.
Furthermore, many enterprises may lack the necessary resources to develop or review all internal policies related to personal data protection.
4. The data protection officer's (DPO) role: Ideally, the DPO should possess not only a comprehensive understanding of personal data protection and internal operations of the business, but also legal and technical aspects related to this field. However, given that Decree 13 is a relatively new regulation, the market is currently experiencing a shortage of skilled personnel with expertise in personal data protection to take on this role.
5. The deficient level of employee awareness: Employees are both the primary data subjects and the persons who directly process personal data on behalf of the enterprise.
However, many employees lack understanding of regulations and internal frameworks. This knowledge gap increases the likelihood of inadvertent violations.
6. Collaborating with third parties: This involves businesses' renegotiating and establishing agreements on personal data processing with both current and potential business partners.
This process can be time-consuming and may impact business opportunities, as some enterprises may not possess a comprehensive understanding of Decree 13 and may be reluctant to sign any agreements.
7. Completing and submitting the data processing impact assessment (DPIA) and cross-border transfer impact assessment (CTIA): Since the templates for the DPIA and CTIA, as provided in Decision No. 4660/QD-BCA-A05 dated July 4, 2023, contain numerous fields of information to be completed, enterprises may face difficulties in accurately filling out the forms.
Furthermore, obtaining supporting documents from data processors and third parties, such as business licences or DPO appointment decisions, might be challenging. Additionally, documents in foreign languages must be translated into Vietnamese and/or notarised or legalised, which can be costly and time-consuming for enterprises.
Given these challenges, enterprises should adopt a comprehensive approach to complying with Decree 13 by fostering a culture of privacy protection, which can be organised into the following three interconnected domains for action.
Framework enhancement: In response to challenges (2), (3), (6), and (7), enterprises are advised to strengthen their personal data protection frameworks by incorporating (i) Consent and notification forms; (ii) Data subjects' requests; (iii) Internal data management mechanism; (iv) Data breach response policy; (v) Third party risk and contract management; (vi) Data retention and disposal; (vii) Processing impact assessment and cross-border impact assessment; and (viii) Privacy governance structure.
Regarding third-party management, enterprises must ensure that agreements for the transfer of personal data between the enterprise and relevant parties are always in place before any sharing.
Personnel: To address challenges (4) and (5), periodic training sessions on Decree 13 and all the internal frameworks should be organized.
This is to ensure all employees clearly understand their responsibilities and appropriate procedures in certain scenarios, for example consent collection, data breach response, data retention or deletion.
It is recommended that this training should be tailored to target different groups, for example: (i) the DPOs, and (ii) other employees.
When designing a Data Protection Department or DPO role, it is advised that the appointment be formalized in written form, clearly stating the rights and obligations.
These may include, but are not limited to, adherence to compliance requirements, formulating policies, developing and refining processes, managing relations with data subjects, carrying out administrative procedures, promoting awareness, and monitoring compliance.
Technology: Technology plays a vital role in integrating personal data protection into daily operations, fostering efficiency, and streamlining processes.
Technological solutions can significantly assist organisations in addressing challenges (1), (2), (3) and (5) and in meeting other goals. These include identifying and classifying personal data, obtaining and managing consent, safeguarding data from unauthorised access, limiting disclosure of personal data, substituting sensitive data with pseudonyms, and tracking what personal data has been collected so that it can be acted on.
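The pseudonymisation point above deserves a concrete illustration, because the most common mistake in practice is to "pseudonymise" an e-mail address or phone number with a bare hash, which anyone holding a list of plausible addresses can reverse. The following is an added example written for this page, not code from the article or from EY; it assumes flat dictionary records, that the fields named in DIRECT_IDENTIFIERS are the ones to replace, and that the HMAC key is held in a secrets store separate from the pseudonymised data. Sample records are constructed and do not refer to real people.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not from the article).

Assumptions: records are flat dicts; the fields in DIRECT_IDENTIFIERS are the
direct identifiers to replace; the HMAC key lives in a secrets store kept apart
from the pseudonymised data, so holders of the data alone cannot reverse it.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Fields treated as direct identifiers (assumed field names for this example).
DIRECT_IDENTIFIERS = ("email", "phone", "national_id")


def normalise(value: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' pseudonymise alike."""
    return "".join(value.split()).lower()


def pseudonymise_value(value: str, key: bytes, field: str) -> str:
    """HMAC-SHA256 pseudonym: deterministic under one key, not reversible without it.

    The field name is mixed in as a domain separator, so the same string
    appearing in two different fields yields two unrelated tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + normalise(value).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers replaced by pseudonyms."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonymise_value(str(out[field]), key, field)
    return out


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a bare SHA-256 of the identifier, with no secret involved."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Recover the original value if hashing any candidate reproduces the target token."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


# Constructed sample records (fictional, for illustration only).
SAMPLE_RECORDS = [
    {"customer_id": 1, "email": "Alice@Example.com ", "phone": "090 123 4567", "city": "Hanoi"},
    {"customer_id": 2, "email": "bob@example.com", "phone": None, "city": "Da Nang"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: loaded from a KMS or secrets store
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_record(rec, key))

    # Why the key matters: an attacker holding a list of plausible addresses
    # reverses the unkeyed hash outright, but cannot reproduce the keyed token
    # without the key (here they try a guessed key and fail).
    leaked_list = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print(dictionary_attack(unkeyed_hash("bob@example.com"), leaked_list, unkeyed_hash))
    token = pseudonymise_value("bob@example.com", key, "email")
    guessed_key = secrets.token_bytes(32)
    print(dictionary_attack(token, leaked_list,
                            lambda c: pseudonymise_value(c, guessed_key, "email")))
```

Two design choices are worth noting. Pseudonyms stay deterministic so that records about the same person can still be joined across systems, which is why a keyed MAC is used rather than random tokens; and the key, not the algorithm, is what makes the tokens unlinkable to the original, so the key must be access-controlled and retained only as long as the data needs to be re-linkable.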
In conclusion, it is recommended that enterprises conduct a comprehensive gap assessment of their personal data processing landscape.
These diagnostic evaluations are crucial foundations in helping businesses identify possible pitfalls, weaknesses, and potential risks that could stem from non-compliance with these emerging regulations.
The insights drawn from these assessments then become the bedrock upon which enterprises can devise and implement corrective strategies, by mobilising internal resources, consulting the relevant authorities, and/or seeking support from external consultants.
These recommendations, spanning improvements in framework, personnel, and technology, are aimed at reducing the identified risks at every stage of the data lifecycle.
*The views reflected in this article are those of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.