03 Jun 21
Vietnam’s PDPA – Foolproof against new privacy legislation
Vietnam’s upcoming implementation of a Personal Data Protection Act (PDPA) aligns it regionally and globally with the accelerating trend of data privacy legislation. A consistent theme is that it, like other recent legislation in the region, broadly follows the standards set by existing global legislation – in this case, the EU’s GDPR.
The second draft was released by the Ministry of Public Security (MPS) in February 2021, and the second Draft Decree’s public consultation concluded on 9 April 2021. While most decrees in Vietnam implement a specific law, the PDP Draft Decree does not, and will therefore require a more stringent process for adoption, including review and approval by the National Assembly.
This updated draft has a more robust set of rules regulating specific rights of data subjects, cross-border transfer of data, and processing of sensitive personal data. Non-compliance may subject stakeholders to temporary suspension of operation, and/or revocation of permission for cross-border data transfer in addition to monetary fines.
Key takeaways include:
- Coverage is broad – subjects include all agencies, organisations and individuals that engage in activities relating to personal data.
- De-identification and anonymisation are introduced to protect identities, which will require robust data governance, as will the requirements to verify age and establish parental consent prior to processing a child’s personal data.
- Heavy licensing requirements are mandated for the processing of sensitive personal data and for the transfer of personal data out of Vietnam.
- A local copy of the data is mandated, as is the 3-year storage of cross-border transfer records for personal data.
- The MPS will run an annual audit of Data Processors involved in transferring personal data out of the country.
- Data Processors run a high risk of administrative fines, which can go up to 5% of total revenue.
The growth of, and focus on, personal data and the way it is handled will continue to accelerate, as will the sanctions for breaches. Given this, understanding where data is located and creating an operational blueprint of your organisation’s data is more critical than ever. Building out this blueprint can then be leveraged as an investment in your business. Knowing what data is held – and where it is held – enables better and more accurate deployment of data for business insights, ensuring actionable intelligence is generated in a way that is both optimal and compliant. Companies can be confident that they know where an individual’s data resides, so that they can respond to requests relating to it. This operational blueprint provides a competitive advantage, as better use of data intelligence drives revenue acceleration, and extending the same blueprint to data governance and transformation substantially reduces the cost and risk of both.
Solidatus is uniquely placed not just to enhance compliance, but also to turn compliance into an operational blueprint that optimises data governance whilst reducing transformation risk and costs and driving efficiency.
Solidatus for PDPA in APAC
By using Solidatus, an organisation gains invaluable insight into its data landscape. Our product enables users to visualise and analyse lineage, showing what type of data they hold and how it moves through their systems. Without this, it is impossible for senior management to be completely confident that the organisation is not inadvertently contravening some aspect of PDPA, leaving them open to enforcement and reputational risks.
Solidatus plays a vital role in PDPA by:
- mapping the flow of data within an organisation
- allowing for full transparency on how it is used and by whom
- laying the groundwork should regulators ever ask a business to prove their compliance
Solidatus helps to build a digital dashboard which shows managers how personal data is being used and where it is stored. By making the flow and location of data understood, this provides demonstrable compliance with cloud storage regulations and the Right to Access and Correction, as well as, under Singapore’s PDPA, the Do Not Call (DNC) and National Registration Identity Card (NRIC) provisions.
Organisations need a tool to help them identify the consent required and ensure that the use of personal data within their firm is purposeful, appropriate and reasonable. Solidatus provides these essential elements for complying with PDPA.