In recent years, amidst the ascent of the global digital economy, the critical role of personal data has stood out across various sectors due to its intrinsic value.
For businesses in Vietnam, personal data protection requires enterprises to navigate this trajectory with a heightened emphasis on compliant and responsible management of personal data, while also seizing new opportunities.
Contemporary context in Vietnam
In April 2023, Government Decree 13/2023/ND-CP on Personal Data Protection (Decree 13) was adopted in Vietnam, modelled in part on the EU’s General Data Protection Regulation (GDPR), marking a milestone in the country’s national digital landscape. Amidst the numerous data leak cases reported recently, this regulation reflects the efforts of the Government of Vietnam to set out a framework for safeguarding privacy and social security.
The issuance of Decree 13 also serves as the foundation for further improving the regulatory and economic framework in specific sectors. Two months after Decree 13 was issued, the National Assembly adopted a new Law on the Protection of Consumer’s Rights, which highlights measures for protecting consumers’ information, whether personal or non-personal, and downstream compliance responsibility. In another development, the State Bank of Vietnam is aiming to introduce a circular on open banking in July 2024, enabling credit institutions to share user data via a secure application programming interface (API) platform; such a scheme can only be implemented on top of a stringent personal data protection framework.
Personal data protection is not solely the story of any firm
Although it is commonly believed that personal data protection mainly concerns larger or tech firms, it is crucial to note that other firms are not exempt from this obligation, as provided for in Article 1(2) of Decree 13. Typical situations that a firm of any size might face include preventing the personal data of its employees and clients held in its computer systems from being leaked, ensuring that its video surveillance systems in public areas do not infringe privacy, and, following on from these, handling data erasure requests from the data subjects concerned. This requires each business to diligently assess the data risks arising in the course of its operations and to establish a data protection strategy accordingly.
A crucial caveat is that a firm cannot escape potential liability for a data breach simply by outsourcing data processing to, and relying on, a third party. In particular, Article 38 of Decree 13 outlines the responsibilities of a data controller regarding security measures and the careful selection of data processors, and makes the controller responsible to data subjects for damage caused by personal data processing. Given this similarity to GDPR, breach cases like those already decided under GDPR could arise under Decree 13. One such case: a ticket sales and distribution firm, Ticketmaster UK Limited, was fined for a data breach affecting 9.4 million customers, exposing personal data including payment card details. Although Ticketmaster had engaged a third party to provide a chatbot that was contractually warranted to be malware-free, it still held the obligation to implement layered security and to rigorously assess the risks of the solution provided.
Beyond challenges are opportunities
It would be an oversight to perceive the protection of personal data solely as an obligation. Various studies have pointed out the benefits to firms of investing in the protection of this special asset, notably branding, building loyalty and trust with customers, a higher chance of winning deals, and many other competitive advantages.
While it is true that consumers’ increased concern about data leaks may limit the list of contacts a business possesses, research at Columbia Business School reveals that 70% of respondents are happy to share their data in exchange for relevant value from a company, while also taking defensive actions at times to protect the data they share. This implies that it is indeed possible for businesses to create win-win relationships with consumers and expand their customer database.
Navigating through changes
To meet the demand for personal data protection, there are various recommendations to draw on. Amongst them, some starting points are:
On technical measures, the first simple step is to remove all unauthorised software, as much of it contains vulnerabilities. Meanwhile, authorised software should be regularly updated and patched. Next, deploying security measures including access control and authentication, logging, data back-ups and, last but not least, data disposal is essential. In the case of outsourcing, careful vetting of third-party vendors and technical solutions against recommended security standards, such as the internationally recognised ISO 27001, as well as clarifying security requirements in contracts with third parties, is advised to minimise the legal risks of data breaches.
On organisational measures, a firm should establish a clear data governance framework outlining procedures, roles and responsibilities, including a response plan in case of a data breach; conduct regular personnel training on data protection policies; and become familiar with the relevant reporting mechanisms. A set of well-designed organisational measures will help earn customers’ favourable impressions and trust.
After all, there is no doubt about the role of personal data as a key asset in the current and emerging business environment, especially with the emergence of new threats to data security, notably artificial intelligence. Building on the issuance of Decree 13, the framework of personal data protection will be elaborated and translated from paper to practice, and it will gradually shift societal behaviours and awareness surrounding this critical issue. It is high time for any business to embark on responsible data protection practices and leverage them as opportunities; otherwise, it will become a victim of cyberattacks, face unwanted legal consequences, and be left behind in the digital economy. In other words, personal data protection is no longer an option, but a matter of hail or fail.
*TPIsoftware Corporation