On September 24, 2024, Vietnam's government unveiled the first draft of the new Personal Data Protection Law (PDPL) for public consultation. Set to potentially come into effect on January 1, 2026, this draft represents a significant advancement in Vietnam's commitment to safeguarding personal data. As someone based in Vietnam and deeply engaged in the tech industry, I believe this development is both timely and crucial for businesses and individuals alike.
Why the PDPL Matters
The draft PDPL, developed by the Ministry of Public Security (MPS), expands upon the existing Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD). With 68 articles spread across seven chapters, it provides a comprehensive legal framework that aligns with international data protection standards.
The primary goals of the PDPL are to:
- Unify Legal Terms: Establish consistent definitions related to personal data and its protection.
- Specify Rights and Obligations: Clearly outline what data subjects can expect and what is required of data controllers and processors.
- Enhance Data Processing Regulations: Strengthen rules around how personal data is handled during processing activities.
- Ensure Protective Measures: Implement conditions and actions necessary for effective personal data protection.
Key Features of the Draft PDPL
- Expanded Scope: The law applies to all Vietnamese and foreign organizations and individuals involved in data processing activities within Vietnam, as well as those processing data of Vietnamese citizens abroad.
- Strict Consent Requirements: Affirmative and informed consent is mandatory for processing personal data, especially sensitive data like health records or biometric information. Silence or non-response does not equate to consent.
- Detailed Definitions: The law distinguishes between "basic personal data" and "sensitive personal data," with the latter requiring more stringent protection measures.
- Mandatory Assessments: Organizations must conduct Data Protection Impact Assessments (DPIA) and Transfer Impact Assessments (TIA), updating them every six months or upon significant changes.
- Obligations for Enterprises: Companies are required to establish a data protection department, which can be outsourced, and appoint at least one personal data protection expert.
- Exemptions for MSMEs: Micro-enterprises, SMEs, and startups are exempt from appointing a data protection department for the first two years but must comply with all other obligations immediately.
- Data Breach Notifications: Any data breach must be reported to authorities within 72 hours, ensuring prompt action to mitigate risks.
- Prohibition on Selling Personal Data: The law prohibits the buying or selling of personal data, particularly emphasizing restrictions in specific industries like finance, banking, and credit services.
Implications for Businesses
The PDPL introduces significant changes:
- Marketing Practices: Organizations must obtain explicit consent to use personal data in marketing and must cease such activities upon the data subject's request.
- Data Localization: Companies must be cautious about cross-border data transfers, making local hosting solutions more attractive.
- Compliance Challenges: Investing in compliance infrastructure is no longer optional. Appointing data protection officers and conducting regular assessments will be necessary.
Urgent Steps Vietnamese Businesses Should Take Now
For business owners in Vietnam, especially those using analytics, digital advertising, or third-party services that send Vietnamese citizens' data abroad, this draft law is a wake-up call. The PDPL's strict regulations on data processing and cross-border data transfers mean that continuing current practices without adaptation may result in non-compliance with the new law.
Businesses should:
- Consider First-Party Alternatives: Transition to solutions that are hosted within Vietnam to ensure data remains within national borders.
- Obtain Valid Consent: Implement mechanisms to secure explicit consent from users, as required by the new law.
At AesirX, we have anticipated these changes. Our AesirX Analytics & CMP platform is fully compliant with the upcoming PDPL and is hosted first-party in Vietnam. This allows businesses to:
- Keep data within Vietnam, aligning with the PDPL's cross-border data transfer regulations.
- Ensure valid consent is obtained and managed effectively.
- Avoid reliance on third-party services that may not comply with Vietnamese laws.
Success Stories: Early Adopters Leading the Way
A prime example of a Vietnamese business proactively adapting to these changes is Baconco. They have successfully implemented AesirX’s first-party consent and analytics solution, which is compliant with the forthcoming PDPL. By doing so, they not only enable compliance but also build greater trust with their customers by demonstrating a commitment to data privacy.
Read the Baconco Case Study to see how our solutions can help your business achieve compliance, automate processes, and build customer trust in the era of Vietnam’s new Personal Data Protection Law.
AesirX Analytics & CMP for WordPress and Joomla!
AesirX offers a free and open source Analytics & Consent Management Platform (CMP) specifically designed for WordPress and Joomla!, which power 50% of websites in Vietnam. With a 1-click install, it’s never been easier to ensure your website complies with the new PDPL. Plus, it comes with full Vietnamese language support, making it accessible for everyone.
By using AesirX Analytics & CMP, you can ensure that data stays within Vietnam, meeting PDPL’s data localization requirements while gaining control over user consent and compliance.
No cost, no barriers – everyone can now access a robust, compliant solution for their website.
Local Support for a Smooth Transition
For businesses seeking to adapt quickly, local support is invaluable. R Digital (https://r-digital.tech) offers implementation and support services in Vietnam. They can assist with:
- Deploying compliant first-party analytics and consent management platforms.
- Providing expert guidance on PDPL requirements.
- Providing an outsourced Data Protection Department and Expert.
- Offering ongoing support to ensure continuous compliance.
Looking Ahead Towards Implementation
The PDPL is open for public consultation until November 24, 2024, providing an opportunity for stakeholders to voice their concerns and suggestions. With the law expected to be adopted by the National Assembly in May 2025, time is of the essence for businesses to assess their readiness.
Vietnam's draft PDPL is a significant step toward aligning with global data protection norms. While it presents challenges, it also offers an opportunity for businesses to strengthen their data protection practices and enhance consumer trust.
As we move toward the potential enactment of this law, I encourage all businesses, regardless of size, to:
- Review and Understand: Familiarize yourself with the draft PDPL's requirements.
- Assess Current Practices: Identify any third-party services that may send data abroad and consider local alternatives.
- Engage Early: Begin implementing necessary changes to your data protection practices.
- Learn from Peers: Look at companies like Baconco as examples of successful compliance adaptation.
- Provide Feedback: Participate in the public consultation process to contribute valuable insights.
At AesirX, we are committed to upholding the highest standards of data protection. Our compliant solutions help businesses adjust to this new regulatory environment. In today’s digital world, where personal data is a prime target for malicious actors, protective legislation and strict enforcement are crucial to safeguarding individuals’ privacy. Adapting to these changes goes beyond compliance – it’s centered on protecting people’s rights and building trust in a connected world. This law is not just about regulation; it’s about positioning Vietnam as a leader in data privacy on the global stage.
If you have any questions or need guidance on preparing for the PDPL, feel free to reach out. We're here to help you make the transition smoothly and securely.
Ronni K. Gothard Christiansen // VikingTechGuy
Creator, AesirX.io