On 31 May 2023, an updated draft of the Cybersecurity Administrative Sanctions Decree for violations against the PDPD and Decree No. 53/2022/ND-CP guiding the Cybersecurity Law was released for public consultation in the context that the Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD) will come into effect in the next couple of days (i.e., on 01 July 2023).Given the little time left until effective date of the PDPD, and risks of severe sanctions in the upcoming time, organisations should ensure that all necessary actions have been taken in order to ready themselves for PDPD compliance. This article shall take a deeper look at the PDPD to learn more about the action plan for PDPD compliance.
1. Self-assessment on the current data processing activities
For organisations engaged in personal data processing, undertaking a comprehensive self-audit with respect to PDPD compliance is of utmost importance. This, in particular, entails evaluating your current data processing activities, identifying potential risks, and implementing necessary action plan accordingly.
1.1. Categorise personal data
Some questions should be asked as follows:
What kinds of personal data are currently processed by your organisation?
The PDPD categorises personal data into (i) basic personal data (e.g., name, date of birth, gender, address, phone number, ID Card number, data reflecting an individual’s activities and history of activities in cyberspace, etc.) and (ii) sensitive personal data, which is subject to more stringent protection measures (e.g., political and religious views, physical and mental health conditions, genetic/biometric information, crime records, financial data, physical locations, etc.).
From which sources those personal data are collected?
Generally, an organisation can get personal data from various sources, depending on the nature of data and the context in which it is collected during the ordinary business course, which may include:
-
- Individuals: direct interaction, business cards exchange, etc.
- Online activities: website visits, social media, e-commerce, etc.
- Third parties: business partners, data brokers, publicly available sources, etc.
- IoT devices: smart devices, location data (e.g., GPS-enabled devices), etc.
- Human recourses: job applications, employee’s information, etc.
1.2. Identify personal data processing activities
Roles in personal data processing: Roles and corresponding responsibilities may vary depending on the specific business activities and what type of processing activities that your organisation is involving in. An organisation, under the PDPD, may be a data controller, data processor, data controller cum processor, or third party, each carrying distinct rights, functions and obligations.
As a matter of practice, it is advisable that data controllers should carefully review data processor selection process and relevant data processing agreements, while data processors and third parties (i.e., sub-processors) should ensure that their processing is in line with such relevant data processing agreements and the PDPD requirements.
Processing purposes: Personal data processing serves a diversity of purposes, depending on the certain context and needs of an organisation, such as workforce management, statistical analysis, market research, contractual obligations, legitimate or public interest, etc. However, as a principle of data minimisation, you should ensure that your collection and/or process of personal data is adequate and limited to the purposes for which it is processed only.
Cross-border data transfer: For PDPD compliance, it is crucial to have a check on whether there is any transfer of Vietnamese citizens’ personal data outside of Vietnam territory (e.g., to offshore affiliates or parent companies).
Technical/legal measures: For the purposes of gap assessment and risk identification, it is essential to review the technical and legal measures currently implemented in your daily business operations, such as:
- Technical measures: data encryption, access controls, data storage and transmission, data recovery/backup, etc.
- Legal measures: data protection policies, data processing agreements, consent/withdraw consent mechanisms, etc.
2. Acknowledgement of rights of the organisation involving in data processing and data subjects
Provided that all of the PDPD requirements have been satisfied, your organisation is allowed to collect, store, edit, delete/destroy personal data and provide/transfer personal data to other parties. Furthermore, in some specific exceptional cases you can proceed data processing without consents from data subjects.
While enforcing your organisation’s rights you should note that under the PDPD, data subjects are afforded a wide range of rights with respect to their personal data, including the right to consent/withdraw consent, request data processors to view/edit/delete/provide copies of their personal data, request data processors to terminate processing activities, claim damages, etc. As such, it is imperative to acknowledge these rights of data subjects, and ensure that they are honoured by your staff and internal procedures or policies.
3. Actions for Compliance
3.1. Consent: As consent is the primary legal ground for processing personal data (save for some exceptional cases under the PDPD where consent is not required), organisations are well advised to review their existing procedures for obtaining consent from data subjects, such as form of consent, how data subjects can technically give consent (e.g., box ticking, text message, selecting technical settings, or other equivalent actions), consent management, etc. In the recent dissemination workshop on the PDPD, however, the Department of Cybersecurity and Hi-tech Crime Prevention under the Ministry of Public Security (MPS) affirmed that the relevant data controller/processor shall not be obligated to re-obtain consent from data subjects for personal data that has already been provided before 01 July 2023.
Under the PDPD, a consent is only valid if the data subject gives consent voluntarily and is aware of the following: (i) types of personal data to be processed, (ii) purposes of personal data processing, (iii) organisation or individual permitted to process personal data, and (iv) rights and obligations of the data subject.
Given that data subjects shall have the right to withdraw their consent at any time, it is prudent to put in place a process to effectively address and respond to such withdrawals.
3.2. Internal procedures and regulations: Like said, one of the legal measures for safeguarding personal data is to promulgate internal policies on personal data protection, which is mandated by the PDPD. The current PDPD does not elaborate in details on how to prepare the above internal policies and we should await any further guidance from the MPS. However, based on the principles of the PDPD, it could be suggested that some basic provisions be incorporated in the policy, such as data protection principles, roles and responsibilities, data subjects’ rights and obligations, data breach management, training and awareness, review and updates, etc.
3.3. Obligations related to data processing
Data processing notification: Under the PDPD, organisations are required to serve notices to data subjects prior to processing their personal data.
Data breach notification: The PDPD requires the data controller/data controller cum processor to notify the MPS of any data breach or other violations of the PDPD within 72 hours of awareness.
Data provision to relevant parties: A data subject has the right to request the data controller/data controller cum processor to provide him/her or a third party with his/her personal data, within 72 hours after receiving his/her request, unless otherwise provided by laws.
Impact assessment: The PDPD requires the data controller/data controller cum processor/data processor/third party (if applicable) to conduct an impact assessment on (i) personal data processing and (ii) cross-border transfer of Vietnamese citizens’ personal data (if applicable) and maintain the assessment dossier for audit and evaluation by the MPS. In addition to that, it must also lodge the assessment dossier with the MPS for approval within 60 days from the time it starts processing personal data.
Personnel: In case of processing sensitive personal data, the relevant data controller/data controller cum processor/data processor/third party must designate a department and a data protection officer to oversee its data processing operations, whose information must then be exchanged with the personal data protection agency.
In conclusion, organisations should view the PDPD not merely as a legal puzzle, but also as a transformative opportunity to change their practices in collecting and processing personal data, which will ultimately foster trust among their customers/business partners/employees, build up their reputation in the market and especially integrate with the international businesses.
Authors: Nguyen Xuan Thuy, Partner, Nguyen Thi Anh Hong, Senior Associate, Ho My Ky Tan, Associate