Experts share solutions to help businesses, organisations in Vietnam implement Decree 13 effectively (Photo: VietnamPlus). Hanoi (VNA) - Decree 13 on the protection of personal data has officially been promulgated in Vietnam. However, many organisations and businesses are facing difficulties in implementing it.
The Government decree took effect on July 1, creating a legal corridor to effectively protect personal data in Vietnam, and minimise the risks and consequences of personal data breaches.
The document, issued on April 17, contains a lot of strict regulations on data protection and responsibilities of relevant agencies, organisations and individuals.
At a workshop on guiding and answering questions about the decree in Hanoi on November 23, Vu Ngoc Son, technical director of the Vietnam National Cyber Security Technology Corporation (NCS), said that the decree details the rights and responsibilities of relevant parties in personal data protection. It helps strengthen the legal framework and regulate activities in cyberspace.
Regarding difficulties in implementing the decree, Robert Tran, at Ernst & Young Vietnam Cybersecurity, said that organisations face obstacles in reporting and contacting third parties to collect relevant documents.
In addition, authorities do not have specific instructions on reporting, he said. There lacks a common standard on internal regulations required to manage and ensure compliance with data protection.
Another challenge is the coordination with third parties (partners) in protecting personal data, as it is difficult to create an effective coordination mechanism between parties when a personal data breach occurs, he stated.
In order for businesses to comply with the decree, Nguyen Thi Thu Quynh from Ernst & Young Law Vietnam Limited Liability Company (EY Law Vietnam) proposed building a personal data protection framework to better understand the necessary capabilities to meet data protection requirements under the decree.
According to Quynh, businesses should prepare impact assessment reports and ensure that contracts with data processors (partners) have agreements on personal data protection. Documents such as contracts between parties should be prepared in Vietnamese language or bilingual, including Vietnamese language, for the purpose of preparing evaluation reports in the coming time.
Nguyen Thi Thu Quynh from Ernst & Young Law Vietnam Limited Liability Company (Photo: VietnamPlus) She also recommended that businesses coordinate with third parties (partners) in protecting personal data, and ensure there are internal agreements or commitments for the transfer of personal data between the enterprise and its partners, parent company or affiliated companies.
Building and updating the internal policy framework requires reviewing all internal policy documents related to personal data, including guidance documents for employees and labour regulations to ensure consistency.
Son stated that Decree 13 does not actually stipulate mandatory solutions, but businesses can depend on the scale of their data and their data collection, processing, and storage to apply appropriate solutions. If there are no specialised personnel, enterprises can contact cybersecurity companies for advice and implement measures suitable for them.
Son took the occasion to introduce the National Cyber Security Operations Centre (NCSOC) for network security monitoring around the clock. The expectation is to provide technical solutions for businesses and organisations, especially small- and medium-sized enterprises, that can meet the requirements of the decree./.
