1. PDPD and other personal data protection laws: Comparison
Many countries and regions around the world have now enacted personal data protection regulations and laws to protect users' privacy and security. Here are some examples:
- Vietnam's Personal Data Protection Decree (PDPD)
- General Data Protection Regulation (GDPR)
- Singapore’s Personal Data Protection Act (PDPA)
- California Privacy Rights Act (CPRA)
- Brazilian General Data Protection Law (LGPD)
Compliance with both the PDPD and the aforementioned laws is critical for businesses operating in the Vietnamese and international markets. Here are some comparisons between the PDPD and other personal data protection laws:
Applicability
- PDPD: Applies to the processing of personal data in Vietnam and even if the processing occurs outside of Vietnam.
- GDPR: Applies to the processing of personal data both inside and outside the EU (if processing data of EU citizens and residents).
- CPRA: Applies to the processing of personal data both inside and outside the United States (if processing data of California citizens and residents).
- LGPD: Applies to the processing of personal data in Brazil.
Application Scope
- PDPD and LGPD: Apply to both organizations and individuals involved in the processing of personal data.
- GDPR and CPRA: Typically apply to businesses and commercial entities.
Principles
- PDPD: Transparency, legality, purpose limitation, proactiveness, security, and restrictions on cross-border data transfer until requirements are met.
- GDPR, CPRA, LGPD: include similar principles such as legality, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Data owners' rights
- PDPD: Access, correction, deletion, and objection to personal data processing.
- GDPR, CPRA, LGPD: Also ensure access, correction, deletion, and objection rights, as well as data portability and the right not to be subject to automated decision-making.
Noncompliance penalties
- PDPD: Administrative fines (up to 100 million Vietnamese dong) and criminal penalties (up to 7 years of imprisonment).
- GDPR, CPRA, LGPD: Impose higher administrative fines (up to 20 million euros or 4% of the global annual revenue under GDPR).
Some examples of penalties for violating customer privacy rights include:
In 2018, Cambridge Analytica, a data analytics firm associated with US President Donald Trump, used the personal information of over 87 million Facebook users for political purposes. Facebook later acknowledged security breaches, including the compromise of millions of users' personal information. This incident resulted in a nearly $5 billion fine for Facebook, equal to approximately 9% of their revenue in 2018.
In March 2021, Meta - then known as Facebook - was ordered to pay $650 million for privacy violations related to facial recognition technology in Facebook's photo tagging feature.
In France, Google was fined €150 million (over $169 million) in January 2022, and Facebook was fined €60 million (over $67 million) for using customer activity history (cookies) to coordinate advertising information.
Cathay Pacific Airways was also fined £500,000 for data breaches involving customer passport information. The Marriott hotel chain was fined nearly £100 million for exposing the data of 339 million customers, and British Airways was fined £183 million for customer data breaches as well.
2. Five steps to establishing a personal data protection law compliance process
To be in compliance with the Personal Data Protection Law and avoid penalties, every individual, organization, and business must understand the regulations and principles outlined in the PDPD, GDPR, and other similar regulations. The following is a step-by-step guide to developing a highly beneficial compliance process:
Step 1: Create a data mapping reference
Organizations must have a data protection monitoring department and a Data Protection Officer (DPO). A DPO must understand where the organization's data is stored as well as the content of that data.
If the organization's data mapping reference is incomplete or insufficient, the DPO should consult with relevant parties in the organization's Information Technology (IT) department to develop a comprehensive data governance plan.
Note: If the organization contracts with and transfers personal data to subcontractors or third-party service providers such as cloud services or data storage companies, the data mapping reference and requirements for complying with the Personal Data Protection Law also apply to those subcontractors.
Step 2: Identify types of personal data processed
Organizations and businesses must understand the nature of their customers' personal data in addition to knowing where it is currently stored. Personal data is classified into two categories under the Personal Data Protection Decree Vietnam 2023: basic personal data and sensitive personal data. Organizations must understand and ensure that data collection, processing, and storage comply with legal requirements.
Step 3: Obtain the customer's consent
The consent of data subjects is essential for storing and transferring their personal data. Organizations must provide clear and transparent information to customers in order to obtain their consent for the storage and processing of personal data.
Each individual has the right to know where their personal data is stored and how it is processed. They also have the right to file a complaint if the organization stores inaccurate information and to request that it be corrected or deleted.
Note: Consent does not only apply to the processing of personal data. Decree 13, like GDPR, requires compliance with principles, namely process data (i) lawfully; (ii) transparently; (iii) for purpose(s) disclosed; (iv) limited purpose and scope; (v) using appropriate and updated data; and (vi) confidentially; whilst (vii) ensuring data is stored for the appropriate retention period, and (viii) be accountable.
Step 4: Data security and data breach notification/reporting
Organizations and businesses must engage in technical support activities to ensure information security and prevent the leakage of customers' personal information. However, if an information breach occurs, the incident must be reported to both the business and the affected individuals.
The Personal Data Protection Law in Vietnam, like the GDPR regulations, requires businesses to notify the authorities of any personal data breaches within 72 hours of the breach occurring.
Step 5: Keep track of data transfers
The PDPD, like the GDPR, establishes stringent requirements for restricting the transfer of personal data. Businesses must have provisions and measures in place to prevent unauthorized data transfers. The transfer of personal data to foreign countries must comply with the regulations of Decree 13 as well as the provisions on data content access.
In cases where the transfer of personal data violates national interests or security, the Ministry of Public Security has the authority to prohibit any activities involving the transfer of personal data abroad.
3. How can R Digital's technology solutions help businesses?
When the Personal Data Protection Decree Vietnam 2023 goes into effect, businesses must not only prepare documentation and procedures to meet the requirements of the Decree, but also change their technology to align with the organization's management and business operations. This is an important and necessary step to ensure regulatory compliance and minimize legal risks as well as negative effects on the organization's reputation.
R Digital assists businesses in implementing open-source technology that prioritizes privacy and user data protection. These are some examples:
- AesirX Analytics technology
AesirX Analytics is the best free and compliant alternative to Google Analytics currently available.
Although Google Analytics (GA) offers a free analytics tool, many data protection agencies in various countries believe that this tool is no longer usable because it does not meet the General Data Protection Regulation (GDPR) standards.
Furthermore, GA employs cookies to collect data and generate statistical reports. Many browsers are increasingly blocking and banning cookies, resulting in data deficiencies and ineffective GA analysis due to visitor refusals and tracking disallowances.
R Digital's AesirX Analytics solution, on the other hand, fully complies with GDPR, CPRA, and other regulations. AesirX Analytics, in particular, collects first-party data, conducts legal analysis, and outperforms traditional tools by more than 30%.
- AesirX SSO technology
Individuals and organizations can benefit from the SSO solution in a variety of ways. A single sign-on, for example, allows access to multiple websites/applications with a single login, reducing the likelihood of password forgetfulness and encouraging users to use stronger, more secure passwords. It increases productivity and decreases login time while lowering costs and workload for personnel and IT teams. It also improves security and customer experience.
- AesirX WEB3 ID authentication solution
The AesirX WEB3 ID solution employs Concordium zero-knowledge security technology and blockchain to safeguard personal information. It is a new identity verification solution that prioritizes privacy by allowing users to verify their identity without revealing personal information.
Compliance with the Personal Data Protection Law is a critical requirement for businesses. From data collection and storage to the processing of personal information on the Internet, appropriate safeguards must be put in place. R Digital understands the importance of data privacy and current regulations. We are ready to assist businesses in implementing new legal technologies and improving their existing digital solutions. Contact R Digital for a free consultation and assessment of your website's compliance with personal data protection laws and e-commerce solutions.
