To avoid risks and penalties for non-compliance with Decree No. 13, organizations and businesses operating in Vietnam should study and have plans to comply with the regulatory requirements as soon as possible, Mr. Michael Beckman, Partner, EY Law Leader, at EY Law Vietnam Limited Liability Company (EY) told the “Decree 13 on personal data protection: Impacts on the Financial sector” seminar.
Held on May 31 in Hanoi by EY and Mastercard, the seminar aimed at shedding light on the regulatory landscape surrounding personal data protection and its impact on businesses and organizations in the financial sector. It also introduced best practices to participants on how to build an effective culture of data privacy.
Lawyers and professionals from EY and Mastercard took the stage to share their expertise on several key topics: key considerations of Decree No. 13/2023/ND-CP on personal data protection, released on April 17, 2023; Vietnam’s cyber threat landscape and security controls across the data lifecycle, with highlights on the financial sector; and how to build an effective culture of data privacy.
Amid regulatory changes and escalating cyber and privacy threats, personal data protection has become a paramount concern for organizations and businesses.
Mr. Robert Tran, Partner, Cybersecurity & Technology Risk Leader, at EY Vietnam emphasized the importance of fostering a culture of data privacy within businesses.
“To earn and maintain customer trust in products and services quality, data privacy must be ingrained within organizations,” he said. “Failure to respect the culture of protecting personal data can lead customers to believe that their personal data is not respected, ultimately damaging the business’s reputation.”
For her part, Ms. Winnie Wong, Country Manager for Vietnam, Cambodia and Laos at Mastercard, said that as individuals increasingly embrace digital-first lifestyles, safeguarding data has become paramount for businesses to protect consumers and mitigate the consequences of data breaches. Mastercard aligns and complies with the Vietnamese Government’s efforts to enhance personal data protection.
“As a central player in the digital ecosystem, Mastercard is committed to leveraging its global expertise to help businesses and partners navigate the regulatory changes, improve cyber readiness, and implement robust data protection practices, and in doing so, bolster Vietnam’s cyber security,” she said.
Decree No. 13, released on April 17, 2023 and scheduled to take effect on July 1, 2023, signifies Vietnam’s efforts to establish a first-ever consolidated and comprehensive legal instrument on personal data protection, which potentially paves the way for closer alignment with the international standards of the European Union’s General Data Protection Regulation (GDPR), issued on April 27, 2016.
Decree No. 13 is anticipated to reshape the local regulatory landscape and have far-reaching impacts due to its extraterritorial scope. Irrespective of whether an organization operates within Vietnam or abroad, the Decree is likely to capture all entities engaged in the processing of Vietnamese personal data, including that of foreigners residing in the country. In releasing Decree No. 13, Vietnam joins the group of other ASEAN countries, most of which have already set and implemented their laws and regulations on personal data protection.
One month before becoming effective, Decree No. 13 is expected to have a deep impact on current practices in personal data processing. Entities and individuals falling under Decree No. 13 must perform several activities, such as implementing new technical solutions on data protection, developing new policies and procedures, modifying communications approaches with clients, and preparing new types of reports to submit to authorities.
According to the EY Global Information Security Survey 2020, cyber and privacy threats are on the rise, with 59 per cent of Southeast Asian organizations experiencing a significant or material breach in the past 12 months. However, despite this growing risk, only 43 per cent of regional organizations involve cybersecurity right from the planning stage of new business initiatives. Furthermore, 53 per cent allocate less than 15 per cent of their cybersecurity budget to new initiatives.