Vietnam’s Draft of Personal Data Protection Law: A New Step in Protecting Privacy

1. Why is the Personal Data Protection Law Important?

Vietnam's draft Personal Data Protection Law is built upon Decree 13/2023/ND-CP on personal data protection. With 68 articles divided into 7 chapters, this draft not only reinforces existing regulations but also expands to align with international data security standards.

The main objectives of the law include:

1. Unified Concepts: Providing clear definitions of personal data and data protection.
2. Clear Rights and Obligations: Defining the rights of individuals and the obligations of data processing organizations.
3. Strict Data Processing Management: Establishing specific rules on how to handle personal data.
4. Enhanced Protective Measures: Introducing necessary protective conditions to ensure the safety of personal data.

2. Key Highlights of the Draft Law

⮕ Broad Scope of Application: This bill applies not only to organizations and individuals in Vietnam but also to those processing data of Vietnamese citizens abroad.

⮕ Consent Requirements: Any processing of personal data requires clear and transparent consent from individuals, especially for sensitive data such as health or biometric information. Silence or non-response from data subjects is not considered consent.

⮕ Clear Distinction of Data Types: The law categorizes "basic personal data" and "sensitive data," with sensitive data requiring stricter protective measures.

⮕ Impact Assessments Required: Organizations must conduct Data Protection Impact Assessments (DPIA) and Transfer Impact Assessments (TIA) and update them every six months when changes occur.

⮕ Data Breach Notifications: Any data breach incidents must be reported to authorities within 72 hours, ensuring timely action to mitigate risks.

⮕ Prohibition of Personal Data Sale: The law completely prohibits the buying and selling of personal data. This applies particularly in sectors such as finance, banking, and credit services, to protect consumers' sensitive data.

Obligations of Businesses

Establish a Data Protection Department

Businesses are required to establish a data protection department or may outsource this function, with the appointment of at least one Data Protection Officer (DPO) required.

Exemptions for MSMEs

Micro, small, and medium enterprises (MSMEs) will be exempt from appointing a data protection department in the first two years. However, they must comply with all other legal obligations immediately.

Impact on Businesses

With the new regulations of the draft Personal Data Protection Law, businesses in Vietnam need to prepare for a series of changes:

• Marketing Practices: Businesses must obtain clear consent before using personal data in marketing campaigns.
• Data Localization: The requirement to store data in Vietnam will make local server solutions more popular.
• Compliance Challenges: Businesses need to invest in compliance infrastructure, including appointing data protection specialists and conducting regular assessments.

2 Necessary Steps for Vietnamese Businesses

For businesses operating in Vietnam, especially those using data analytics, digital advertising, or third-party services involving data transfer abroad, now is the time to take action to adapt to the new law.

2 simple, yet necessary steps include:

1. Transition to Domestic Solutions: Consider using technology solutions hosted in Vietnam to comply with cross-border data transfer regulations.
2. Ensure Valid Consent: Implement mechanisms to ensure user consent that aligns with the new law's requirements.

3. Compliance Solutions from R Digital

To help businesses meet the compliance requirements of Vietnam's draft Personal Data Protection Law, R Digital – a pioneer in providing digital privacy and data security solutions – has developed a range of supporting tools, prominently featuring AesirX Analytics & CMP.

AesirX Analytics & CMP is an integrated solution for Consent Management (CMP) and Data Analytics, suitable for popular platforms like WordPress and Joomla. This solution enables businesses to:

• Manage Data in Compliance with Laws: Ensure compliance with personal data protection regulations in Vietnam.
• Store and Process Data Securely: Data is stored domestically, in accordance with the draft Personal Data Protection Law requirements.
• Optimize User Consent: Support businesses in collecting and managing user consent transparently and clearly.

"Pioneer" Businesses in Compliance: Baconco

A prime example of successful compliance is Baconco, a leading agricultural company in Vietnam that has used AesirX Analytics & CMP solution to manage personal data and customer consent. With support from R Digital, Baconco has easily adapted to the new requirements of the draft Personal Data Protection Law, ensuring data safety and enhancing user trust.

4. The Future Path for Businesses

The draft Personal Data Protection Law represents an important step in protecting privacy and personal data in Vietnam. Businesses need to quickly prepare and adapt to these changes to ensure compliance, build trust with customers, and maintain sustainable operations.

With support from R Digital and advanced solutions like AesirX Analytics & CMP, businesses can easily adapt and ensure full compliance with data security regulations, thereby contributing to the protection of user privacy and sustainable development in a digitalized environment.

If your business is seeking solutions to comply with the Personal Data Protection Law, try our Free Privacy Scanner for a quick compliance check! 

For detailed consultation and support, please contact us at https://r-digital.tech/contact.

Sources:

1. Vietnam’s First Draft of New Personal Data Protection Law (PDPL) Released for Public Comments