Key Notes for Businesses under Decree 13/2023/ND-CP on Personal Data Protection

On April 17, 2023, the Government of Vietnam officially issued Decree 13/2023/ND-CP on Personal Data Protection, which has come into effect on July 1, 2023. What are the key notes for businesses?

In this century, we are experiencing an unprecedented pace of development in telecommunication and the Internet, which marks a new turning point in the advancement of human society. This progress has paved the way for the 4.0 Revolution, contributing to the advancement of science and technology. However, this also carries significant risks to privacy rights, particularly the right to personal data protection, which is of utmost importance.

How will Vietnam’s PDPD affect investors and enterprises?

1. Personal Data Protection Decree (PDPD)

On April 17, 2023, the Government approved Decree No. 13/2023/NĐ-CP with the aim of protecting personal data, consisting of 44 articles that will officially take effect on July 1, 2023. In this Decree, Article 2, Clause 1 clearly defines personal data as information represented in the form of symbols, writing, numbers, images, sounds, or similar forms in electronic environments, relating to a specific individual or capable of identifying a specific individual. Personal data includes both basic personal data and sensitive personal data.

Some noteworthy highlights of Decree 13/2023/ND-CP that businesses should take note of are:

1.1. Sensitive Personal Data

Sensitive personal data represents personal information that, when violated, directly impacts the individual's privacy and legitimate interests. Types of sensitive personal data include:

Political and religious opinions of the individual.
Information about health status and private life recorded in medical records, excluding blood type information.
Information related to the individual's race and ethnicity.
Information about the individual's genetic or inherited characteristics.
Information about the individual's unique physical and biological traits.
Information about the individual's sexual life and sexual orientation.
Data on crimes and law violations collected and stored by law enforcement agencies.
Information about customers of credit institutions, foreign bank branches, intermediary payment service providers, and other organizations, including customer identification information, account information, deposit information, information about deposited assets, transaction information, and information about individuals and organizations acting as guarantors at financial institutions.
Data about the individual's location determined through positioning services.
Other types of personal data specified as special and requiring appropriate security measures (Clause 4, Article 2, Decree No. 13/2023/ND-CP).

1.2. Violation of Personal Data Protection Regulations may lead to Criminal Prosecution

Entities and individuals that violate the regulations on personal data protection will face appropriate measures depending on the severity of the violation, including:

Disciplinary actions: Imposing disciplinary measures on officials, employees, and members within the organization or institution who violate the internal regulations.
Administrative sanctions: Applying administrative penalties such as fines or other corresponding penalties according to the degree of violation as stipulated by the laws on personal data protection.
Criminal prosecution: Applying criminal prosecution measures as prescribed if the violation involves crimes and criminal offenses according to the current laws and regulations. (Article 4, Decree No. 13/2023/ND-CP).

1.3. 5 Exceptions for Personal Data Processing without the Consent of Data Subject

In urgent cases where the life and health of the data subject or others need to be protected, parties such as the Personal Data Controller, Personal Data Processor, Personal Data Controller and Processor, as well as relevant third parties, are responsible for demonstrating the urgent reasons for processing the related personal data.
The disclosure of personal data must comply with the provisions of the law.
State authorities with jurisdiction are allowed to process data in cases of urgency related to national defense, national security, public order and safety, major disasters, dangerous epidemics, as well as to prevent security threats and national defense risks that have not reached the level of declaring a state of emergency, and to prevent and combat riots, terrorism, crimes, and violations of the law as prescribed by law.
The processing of personal data can also be carried out to fulfill the obligations under contracts between the data subject and relevant agencies, organizations, and individuals, in accordance with the provisions of the law.
Furthermore, the processing of personal data may be conducted to serve the activities of state agencies as prescribed by sector-specific laws (according to Article 17, Decree No. 13/2023/ND-CP).

1.4. Measures to Protect Personal Data

Measures to protect personal data are applied from the beginning and throughout the process of personal data processing. These measures include:

Measures of management implemented by organizations and individuals involved in the processing of personal data.
Technical measures implemented by organizations and individuals involved in the processing of personal data.
Measures implemented by competent state management agencies in accordance with the provisions of this Decree and related laws.
Investigative and prosecutorial measures carried out by competent state authorities.
Other measures as prescribed by law (Article 26, Decree No.13/2023/ND-CP).

1.5. Conditions for Ensuring the Operation of Personal Data Protection

Personnel for personal data protection:

Specialized personnel for personal data protection are assigned to the agency responsible for personal data protection.
Departments and personnel with functions related to personal data protection are designated within agencies, organizations, and businesses to ensure compliance with regulations on personal data protection.
Organizations and individuals are mobilized to participate in personal data protection.
The Ministry of Public Security develops specific programs and plans to develop human resources for personal data protection.
Agencies, organizations, and individuals are responsible for disseminating and promoting knowledge, skills, and raising awareness of personal data protection among agencies, organizations, and individuals.
Ensuring physical facilities and conditions for the operation of the agency responsible for personal data protection. (Article 30, Decree No. 13/2023/ND-CP).

1.6. Authority Responsible for Personal Data Protection

The Department of Cybersecurity and High-Tech Crime Prevention - Ministry of Public Security is designated as the authority responsible for personal data protection and is responsible for supporting the Ministry of Public Security in implementing national management on personal data protection (according to Article 29, Clause 1 of Decree No. 13/2023/NĐ-CP).

With the increasingly complex nature of online fraud activities, spam calls, and personal information breaches, the issuance of Decree 13 on Personal Data Protection is highly necessary. This decree applies to all parties involved in personal data, including data subjects, data controllers, data processors, and related third parties. All parties have a shared responsibility to comply with the regulations on personal data protection, rather than solely focusing on the responsibilities of data controllers and processors. This decree will establish a legal framework for state management agencies to assess, inspect, and monitor compliance with personal data protection regulations by agencies and organizations.

Businesses need to pay attention to the Personal Data Protection Decree

2. The Importance of Cloud technology to Personal Data Protection

In Vietnam, the right to personal data protection is a fundamental right, and its protection is paramount given the rapid pace of technological advancement as of now. With the majority of information now being stored in physical and cloud storage, there are always risks of data breaches and information loss. Hence, protecting personal data must be a top priority. As for investors, the Vietnam Personal Data Protection Law will affect their handling of personal data and compliance with new regulations.

The right to personal data is a fundamental aspect of privacy that safeguards our autonomy and uniqueness. This right allows us to establish boundaries with others, control the flow of information, and shape our interactions with society. Violations of this right can undermine our status in the community, thus, making personal data protection essential for a democratic, civilized, and sustainable society. With the growing amount of data being stored and processed online, cloud computing offers a secure and reliable way to manage and protect personal data:

Cloud storage services provide encrypted data storage, which ensures that data is safe from unauthorized access.
Cloud-based backup and recovery services can help protect personal data in the event of a system failure, human error, or a cyber-attack.
Cloud-based security solutions can also be used to protect personal data from malware and other cyber threats. Therefore, cloud technology is an essential component of personal data protection in today's digital age.

3. Global Cloud Backup Market Facts & Figures

According to Modor Intelligence, the Cloud Backup Market will experience a compound annual growth rate (CAGR) of 25.3% from 2023 to 2028. Businesses are increasingly turning to cloud backup solutions to address the challenges of rapid innovation and intense competition in the market, driven in part by the growing prevalence of cloud computing among both large and small enterprises. This need for agility and flexibility is the primary driver of cloud backup adoption.

Chart: Cloud Backup Market – Growth Rate by Region (Source: Modor Intelligence)

Data loss has become a major worry for industries across the board. A recent survey revealed that approximately 33% of data loss was attributed to hardware or system malfunction, while 29% was due to human error or ransomware attacks. In the event of a disaster where servers are down for 10 or more days, it is estimated that up to 93% of affected organizations will file for bankruptcy within the next 12 months, with 43% of them never being able to reopen.

Cloud adoption has witnessed substantial growth in recent years, and the global digital technology adoption rate has been further boosted by the COVID-19 pandemic. According to IBM's analysis, a single manufacturing facility can produce over 2,200 terabytes of data per month, while a single production line can generate more than 70 terabytes of data daily. Despite these staggering figures, the majority of this data remains unanalyzed and unprotected. To secure and effectively utilize data, companies are shifting towards cloud storage.

In addition, the COVID-19 pandemic has highlighted shortcomings in enterprise disaster recovery and business continuity planning, particularly in areas such as remote access, networking, SaaS applications, and ransomware. Several organizations have reported that handling vast amounts of data has become progressively intricate and difficult to manage.

IBM has also disclosed that 90% of the world's data was created in just the last two years. As data production continues to grow at an exponential rate, there is a growing need for cost-effective data backup and storage solutions among companies. Services like automated backup, malware protection, encrypted cloud storage, file-level recovery, and point-in-time restore are among the popular trends in the market.

Cloud backup solutions are among the most comprehensive tools for safeguarding against cyber-attacks and data breaches. Nonetheless, if left unmanaged, attackers can easily penetrate the backup server's database and exploit it to their advantage. As a result, security and privacy concerns pose significant obstacles to the adoption of cloud backup solutions.

4. Empower Your Personal Data Protection with VNG Cloud

In Vietnam, major players in the market are ramping up their investments in cloud technologies, especially after Decree No. 53/2022/ND-CP regarding Cybersecurity Law was issued. To stay ahead of the curve, in December, VNG Corporation launched the Uptime Tier III Certified Data Centre in Ho Chi Minh City. This new data center will enable both customers and service providers to seamlessly migrate more applications and data to VNG Cloud while also providing secure, cost-effective and user-friendly protection for cloud data and applications.

IAM helps secured access to companies’ resources

4.1. Identity and Access Management (IAM)

Identity and Access Management (IAM) is provided for all resources and services of VNG Cloud. This is a critical aspect of cloud security, it enables organizations to control and manage access to their digital resources, applications, and data by ensuring that only authorized users can access them. IAM offers a range of benefits for data protection, manages resources for all users, from a business entity to an individual. As a result, IAM is a useful tool to help enhance personal data protection.

Benefits of IAM:

Ensure that the right person has access to the right data: This means that access can be controlled based on roles, responsibilities, and permissions, ensuring that sensitive data is only accessed by authorized personnel.
Fine-grained control over access to each API on each server in the system: This level of control allows administrators to manage access to data at a very granular level, ensuring that only authorized personnel can access specific data.
Each account represents a separate user, authenticated by multiple security layers: This multi-layered approach to authentication ensures that even if one layer of security is breached, there are still additional layers of protection in place to prevent unauthorized access.
SSO (Single Sign-On) capabilities: This simplifies access management for administrators while still maintaining security. With SSO, users only need to authenticate once, and they will be granted access to all systems without having to log in separately to each system. This simplifies access management for administrators while still maintaining strong security measures.

4.2. Data Backup & Recovery with vBackup

vBackup provides a solution for creating backup copies of your Server and storing them in a secure location, preventing loss or damage to the original data. Once created, these backup copies can be used to restore the original data to a new Server.

Here are some tasks you can perform with vBackup:

Create and centrally manage backup copies.
Set up automated backup actions based on predefined schedules.
Manage backup copies in a secure location in the cloud (vStorage).
Monitor backup history for users.

The main components of the vBackup solution include:

Server Backup
Backup Policies
Backup Location
Backup History.

These above solutions are designed to ensure the confidentiality, integrity, and availability of your valuable data. By utilizing VNG Cloud's services, you can rest assured that your data is protected from cyber threats and accidental loss. With a team of experts and a commitment to innovation, VNG Cloud is the ideal partner for businesses seeking reliable and scalable data protection solutions.