By John Berven, Director of APAC, Solidatus
Vietnam is poised to pass a new decree that will bring the nation into line with its peers across APAC and internationally when it comes to personal data protection – and it’s providing a new impetus for businesses to look again at enhancing their data management.
On 9 February 2021, the Government’s Ministry of Public Security released the second draft of its Personal Data Protection Decree, ahead of bringing the decree into effect on 1 December 2021.
When passed, it will better align Vietnam’s legislation with its peers across APAC and globally, and create new obligations around personal data, in addition to the country’s existing Law on Cyber Information Security and Law on Cyber Security.
Because the decree does not itself implement a new law, it will require a more stringent adoption process, including review and approval by the National Assembly.
Businesses hit hard by leaks and breaches
There have been a number of high-profile data leaks and breaches in Vietnam in the past few years, putting the issue of data protection front of mind for citizens, businesses, and the government.
Breaches are becoming more frequent. For example, in March 2019, Toyota revealed that hackers in Japan had stolen the data of 3.1 million customers, with Toyota in Vietnam and Thailand making a similar data breach announcement at the same time. Just the month before, an attack had been attempted on Toyota Australia. Later that year, in November, personal data from 2 million accounts at Hanoi-based Maritime Bank was exposed online.
Large-scale breaches of personal data continued in 2020, with a devastating data leak affecting more than 80,000 customers, and possibly staff, at Vietnamese health technology firm, Innovative Solution for Healthcare (iSofH). It is also believed that an additional cyberattack removed an unknown number of records.
These cases are occurring against a backdrop of phenomenal growth for the Vietnamese economy, fuelled by digital developments. According to a report from Google, Bain & Co and Temasek, the country’s digital economy expanded by 29% in 2020 and is predicted to be worth $52bn by 2025. It is clear from the detail released on the incoming decree that the government views addressing these data privacy issues as important to sustaining this digital boom. Businesses around the region will need to make data privacy and effective information management a key priority.
What will the new decree mean for businesses?
When enacted, the decree will introduce a number of measures that businesses will need to comply with around their storage and processing of personal data, to ensure privacy and security in the face of leaks and breaches like those outlined above. For businesses, the need to get their data in order has never been more important or urgent.
Covered subjects will include every agency, organisation and individual that engages in activities relating to personal data. Personal data itself will be categorised into two types: basic and sensitive.
The decree will ensure that de-identification and anonymisation are introduced as part of the approach to protect the data subjects’ identities. Personal data processors must ensure compliance with the requirements on: consent of data subject; notification to data subjects; registration with the personal data protection committee; application of measures for personal data protection; and issuance of personal data protection regulations.
When it comes to data transfer, businesses will face heavy licensing requirements for the processing of sensitive personal data and for the transfer of personal data out of Vietnam. A local copy of the data will be mandated, and records of cross-border transfers of personal data must be kept for three years. The Ministry of Public Security will also run an annual audit of data processors involved in transferring personal data out of the country.
The decree will also create a new personal data protection committee to oversee and ensure compliance of covered subjects. A maximum fine of 5% of the total revenue generated in Vietnam can be imposed in case of a repeat violation. Non-compliance may also subject stakeholders to temporary suspension of operation, and/or revocation of permission for cross-border data transfer, in addition to monetary fines. The operational, reputational, and financial costs should provide businesses with additional incentives to get their data management in order.
What businesses need to do to prepare
Data challenges are well known to business: silos, multiple data owners, duplicated and incomplete data, and data spread across multiple CRMs and ERPs. Understanding where data is located and creating an operational blueprint of your organisation’s data is more critical than ever. But addressing these challenges can be very time consuming, manual, and costly if not done correctly.
Deploying a tool that can map the flow of data within an organisation allows for full transparency on how it is used, laying the groundwork should regulators ever ask a business to prove their compliance processes. Such a tool will prove more efficient, agile, and reduce needless costs and staff hours when it comes to bringing data management practices up to new compliance levels, too.
Without such tools, it will be nearly impossible for senior management to be completely confident that their organisation is not inadvertently contravening some aspect of the decree, leaving them open to enforcement and reputational risks. Such tools will also likely provide an interim mechanism to demonstrate to regulators that the organisation is working towards compliance (a core component of GDPR), which reduces some of that risk.
Businesses now have a new window of opportunity to find and implement solutions that will enable them to visualise and analyse data lineage, showing which types of personal data they have and how it moves through their systems. Such a tool will allow a business to identify required consent and ensure that the use of personal data within their firm is purposeful, appropriate and reasonable.