Are Vietnamese companies ready for the upcoming Personal Data Protection Decree (PDPD)?

Our findings - September 2021



 



50%

say they currently have defined access control policies and procedures in place to ensure restricted access to personal data.

66%

state they are either seeking advice on or have yet to create a roadmap to ensure compliance with the PDPD.

41%

are aware of the pending requirement to inform data subjects of all activities related to processing their personal data but don’t know how to prepare for this.

52%

do not have data breach/incident response procedures in place.

The road towards PDPD compliance will be challenging 

Vietnam recently published the Draft Decree on Personal Data Protection, which will impact all entities processing personal data. Companies that fail to protect personal data and comply with the PDPD aren’t just risking financial penalties. They also risk operational inefficiencies, intervention by regulators and, most importantly, permanent loss of consumer trust.

Our survey on PDPD readiness was sent out to the Vietnamese public from 19 July 2021 to 9 August 2021. Participants were asked to answer a list of questions relating to their current treatment of personal data, designed to ascertain their knowledge of, and readiness for, the pending PDPD. The 48 survey respondents were evenly spread across all sectors in Vietnam, with the largest group (21%) coming from the manufacturing sector.

Key findings

Many organisations in Vietnam are not ready for the proposed Draft Decree. 

  • Over half (66%) of our respondents have little to no roadmap to comply with the PDPD and local data privacy regulations.
  • 41% are aware of the pending requirement to inform data subjects of all activities related to processing their personal data, but don’t know how to prepare for this or have no knowledge of what is required under the PDPD.
  • Only 21% have an official DPO (Data Protection Officer) to manage all related personal data protection issues.

Organisations in Vietnam have prepared for PDPD to a certain degree but current data privacy practices vary

What organisations currently do to restrict access to personal data that they hold to the data subject:

  • 50% of respondents say they have defined access control policies and procedures in place to ensure restricted access to personal data. 
  • 29% use passwords and two-factor authentication as technical measures. 
  • 13% conduct personal data risk assessment.

Measures to prevent unauthorised access to devices used to process personal data or to read, copy, alter or delete personal data

  • 65% of respondents state that they defined and implemented access control processes and solutions to prevent unauthorised access. 
  • Only 12% are not aware of the PDPD requirements and currently do not have any measure to manage this process.

Expected restrictions on cross-border personal data transfer pose a significant risk for many organisations in Vietnam.

  • 60% indicate they currently either store data on the cloud or outside Vietnam.
  • 52% do not have any third-party risk management processes to manage personal data protection when sharing/transferring to third parties.
  • 52% do not have data breach/incident response procedures in place.

What do you need to know about the Draft Decree?

  • Organisations must have a department supervising personal data protection and Data Protection Officer(s) (DPO).
  • Personal Data Processor must develop and issue its own set of personal data regulations.
  • Cross-border transfer of personal data can only be performed when 5 specific conditions are fulfilled:
    • the data subject agreed to the transfer of the data;
    • original personal data is stored in Vietnam;
    • the country of recipient imposes the same or higher level of data protection;
    • Personal Data Protection Commission (PDPC) agrees to the transfer in writing; 
    • the companies will need to register the sensitive personal data with the Personal Data Protection Commission.

There are eight key data protection principles that each data processor will need to follow when processing personal data. 

  • Lawfulness: Personal data is only collected when necessary in accordance with the law.
  • Purpose: Personal data is only processed for the purposes registered or announced.
  • Data minimisation: Personal data is only collected within the scope necessary to achieve the specified purposes.
  • Restricted use: Personal data is only used with the consent of the data subject or with the permission of the competent authority.
  • Data quality: Personal data must be up to date and complete to ensure data-processing purposes.
  • Security: Protection measures must be applied to personal data in the course of data processing.
  • Individuality: Data subjects must be aware of and informed of activities related to the processing of their personal data.
  • Confidentiality: Personal data must be kept confidential during data processing.

One of the aims of PDPD is to empower individuals and give them control over their personal data. PDPD introduces what are usually referred to as ‘data subject rights’ concerning the protection of individuals’ personal data.

  • Right to access personal data;
  • Right to limit personal data processing;
  • Right to claim compensation for loss caused by a breach during the provision of personal data;
  • Right to give or withhold consent to the collection and processing of personal data;
  • Right to be informed of the purposes of collection and processing;
  • Right to complain to the Personal Data Protection Committee (PDPC) in cases in which their personal data is compromised or wrongly processed or their rights are breached.

Get in touch


Phan Thi Thuy Duong

Partner, PwC Legal Vietnam

Tel: +84 28 3823 0796, Ext.1508

Pho Duc Giang, CISSP, CISA

Partner, Digital Trust and Cybersecurity Services, PwC Vietnam Cybersecurity Services Company

Tel: +84 28 3823 0796
