Organisations can leverage lessons from implementing GDPR and other international data laws to address Vietnam’s new Personal Data Protection Act, writes John Berven.
Vietnam is fast becoming a digital juggernaut. While other countries across the Asia Pacific region saw significant downward impacts on their economies during 2020, Vietnam instead saw its highest ever level of GDP growth.
A major contributor to this was the country’s strong digital economy, backed by one of the fastest growing online populations in the world. This, in turn, is leading to a swathe of new digital laws and regulations on the part of the Vietnamese Government – the latest of which, the Personal Data Protection Act, is set to be implemented before the end of the year.
This move brings Vietnam in line, both regionally and globally, with other data privacy legislation, chief among them the GDPR, which is now celebrating its third anniversary. In just this short time, however, GDPR’s international influence has been massive. It has generated numerous other international and regionally specific data privacy regulations.
The proliferation of said international and locally specific regulation is making the issue of compliance a critical one for large multinational businesses, particularly given the threat of sizable fines for non-compliance. As an idea of scope, Vietnam’s proposed regulation includes a robust set of rules which cover the rights of data subjects, cross-border data transfers, and the processing of sensitive personal information.
It is a similar implementation to the descendants of GDPR, including Brazil’s LGPD and California’s CPRA/CCPA. The implications of non-compliance are similarly grave: temporary suspension of operations and/or revocation of permission for cross-border data transfer, alongside monetary fines.
For businesses now used to absorbing additional sets of data regulations, it may seem unreasonable to have to enact another set of preparatory measures to ensure compliance with another country-specific set of principles. However, there is a good chance that many of the tenets of Vietnam’s new regulations are in fact already in place operationally.
Businesses that have taken a data-first approach to international regulation preparation will be readily able to identify these measures and understand whether or not there are issues with this latest set of rules. In contrast, those who approached the introduction of GDPR and subsequent projects in isolation may find themselves going back over some well-trodden operational data territory, and in a pretty costly way.
Cast your minds back to May 2018. A PwC report around GDPR’s introduction suggested that over three-quarters (77%) of businesses were projecting to spend over USD 1 million on compliance, and nearly one in ten businesses (9%) were planning on spending over USD 10 million.
Consider multiplying that spend over and over again for each subsequent piece of internationally-relevant data privacy legislation introduced in the last three years. With potential fines so high, many businesses who don’t have a tight grip on their own data management practices may have considered those costs acceptable given the alternatives. However, they are very much avoidable.
We are finding that it is much easier to map the data legislation itself, and apply any required changes to the business rather than attempting to graft the business to the legislation, over and over. It is much easier to find the differences to existing regulations and outlying criteria which vary in the new rules, than it is to slog through the Vietnamese introductions as an entirely new project.
By taking this approach, businesses who have already gone through the rigours of preparing for GDPR, LGPD and other international data laws may find they already meet or even exceed the new Vietnamese guidelines.
Understanding where the new legislation differs is key; for example, heavy licensing requirements are necessary for the processing of sensitive personal data and for the transfer of personal data out of Vietnam. Businesses must also retain a local copy of the data, and store records on cross-border transfers of personal data for three years.
Ultimately, compliance considerations around constantly changing data privacy legislation boil down to one core question: does the business have a tight hand on the reins of its data management? Knowing what data is held, and where, enables better and more accurate deployment of that data for business insights, ensuring actionable intelligence is generated in both an optimal and compliant way.
Maintaining an operational blueprint like this of data flows can even give a competitive advantage, as organisations ensure optimal data sources are used to derive actionable business insights and efficiencies.
The volumes of data passing through an organisation will only increase from here. Countries all over the world have accelerated their digital economies to protect their citizens and to remain competitive. Data privacy legislative updates are not a one-off exercise; they are a continual fact of life, and more will be coming to the Asia Pacific region and well beyond.
The only way that complex multinationals can ensure their compliance is by keeping up with these continual updates to data privacy rules. In order to prepare for any legislative checks on their compliance, firms need to ensure a flexible and innovative approach to operational data management which can be called on to give a comprehensive picture at any time.
John Berven is the APAC Head of Solidatus, having joined the firm three years ago and incorporated the Singapore office in January 2019. He previously spent 18 years at State Street Global Markets.