Impact assessment of personal data processing under the new draft law: what enterprises need to pay attention to
As of now, Decree No. 13/2023/ND-CP is the current legal document regulating the protection of personal data and the responsibilities of enterprises in conducting personal data impact assessments. However, with the rapid development of digital technologies and e-commerce, Decree No. 13 may not fully anticipate all potential issues that could arise. Therefore, in order to meet the need to protect citizens’ rights and ensure data security in the digital environment, the draft Personal Data Protection Law has been developed. This law provides detailed regulations on the collection, processing, and use of personal data.
This article will assess the impacts of personal data processing under the provisions of the draft law, as well as analyze the role of the law in protecting citizens’ privacy in the current context.
1. Impact assessment of personal data processing and the responsibilities of the data controller
When starting the process of personal data processing, the data controllers and processors must create and maintain an impact assessment record. This is crucial for establishing a foundation to control and monitor the data processing activities, helping to mitigate potential risks right from the initial stage.
The storage of such records also ensures traceability and continuous monitoring by regulatory authorities, which enhances transparency and legal compliance.
Details of information in the impact assessment record:
- Contact information and responsibilities: The regulation requires organizations that control and process data to provide detailed contact information about the organization and data protection experts. This is to ensure that individuals can easily access information and request support when necessary, while also enhancing the accountability of the relevant organizations.
- Purposes and types of data processed: Clearly specifying the purposes and categorizing the types of personal data being processed will help improve control, prevent the collection and processing of data beyond the registered purposes, thereby reducing the risk of personal data misuse.
- List of data recipients and regulations on data transfer abroad: Publicly disclosing the identities of organizations and individuals receiving data, both domestically and internationally, helps to tightly control data sharing, especially in the context of varying data security requirements across countries. This is essential for protecting citizens’ rights when personal data may be transferred across borders and exposed to different security risks.
- Data processing and deletion period: Regulations on the processing duration and the planned deletion or destruction of data ensure that personal data exists only for a reasonable period, serving the stated purposes. Once this period expires, the data must be deleted or destroyed, preventing unnecessary retention that could lead to risks of data loss and leakage.
- Protective measures and compliance assessment: Data controllers are required to clearly describe the protective measures applied to personal data, as well as assess the level of compliance with legal data protection regulations. This not only ensures that data processing adheres to security standards but also facilitates the ongoing improvement of security processes over time.
- Risk assessment and mitigation measures: A key aspect of Article 44 is the requirement for data controllers to assess the potential impact and forecast any unintended consequences or damage that may occur during the data processing activities. Through this assessment, organizations can identify risks and implement measures to mitigate or eliminate the likelihood of harm to users’ privacy and security. Analyzing and preventing potential consequences leads to safer and more proactive data processing procedures, avoiding uncontrolled data handling that could result in security incidents.
- Requirement for data protection trustworthiness certification: The introduction of a data protection trustworthiness certification is a new feature aimed at evaluating and recognizing organizations that meet high standards in protecting personal data. This will provide citizens with an additional tool to identify and trust organizations that protect their data effectively. At the same time, this certification serves as a factor to encourage competition among organizations and enterprises in improving their data protection measures, contributing to the creation of a safe and reliable digital environment.
Article 44 of the draft Personal Data Protection Law not only sets a specific legal framework but also encourages organizations and enterprises to prioritize responsibility in managing personal data. This regulation aims not only to reduce risks and protect individuals’ privacy but also to establish a sustainable foundation for the development of the digital economy. Strict compliance with these provisions will help Vietnam gradually align with international standards for data protection, strengthening public trust and support in the era of information and technology.
2. Regulations on the impact assessment record for personal data processing conducted by the data processor
According to the provisions in the draft Personal Data Protection Law, the data processor is responsible for creating and maintaining an impact assessment record for the data processing activities carried out on behalf of the data controller. This record ensures that data processing procedures are closely monitored and comply with the law, enhancing transparency and accountability for all parties involved.
The impact assessment record for personal data processing by the data processor must include the following information:
- Information and contact details of the data processor: Ensure that users can access and request support when needed, while clearly defining the responsibilities of the data processor in case any issues arise.
- Information about the organization and data protection experts: This highlights the role of experts responsible for data protection, ensuring the security and confidentiality of user data.
- Description of processing activities and types of personal data processed on behalf of the data controller: This ensures transparency in data processing activities, guaranteeing that the operations are carried out for the purposes agreed upon with the data controller and the users.
- Processing duration and expected time for data deletion or destruction: The processing and storage period must be clearly defined to limit the retention of data beyond the necessary timeframe, thereby protecting individuals’ privacy.
- Cases of personal data transfer abroad: Ensure transparency and security commitments when data is shared across borders, minimizing risks related to international data security.
- Data protection measures: The regulation requires the data processor to implement strict data protection measures to prevent unauthorized access or use of personal data.
- Assessment of compliance with personal data protection laws: The data processor is required to maintain and update the status of compliance with legal regulations, to prevent potential violations that could harm users’ privacy.
- Assessment of consequences and risk mitigation measures: This regulation helps the data processor anticipate potential risks and unintended damages, and implement specific measures to prevent them, ensuring the safety of personal data.
- Data protection trustworthiness certification: This is a tool for evaluating and recognizing the level of compliance with data protection regulations by the data processor, helping to enhance the organization’s reputation in the eyes of users.
The regulation on the impact assessment record not only ensures close monitoring of personal data processing procedures but also strengthens the data processor’s responsibility in safeguarding user information. Fully implementing the contents of the record not only helps minimize risks but also builds public trust in the safety of personal data, especially in the context of a rapidly developing digital economy.
The draft Personal Data Protection Law introduces two new requirements, namely “Impact assessment and risk mitigation measures” and the “Data protection trustworthiness certification,” compared to Decree No. 13/2023/ND-CP, creating new challenges for enterprises in compliance. The impact assessment and risk mitigation requirement demands that enterprises conduct in-depth analyses of potential risks to personal data and develop specific strategies to minimize damages in all possible scenarios. This requires enterprises not only to invest in robust security systems but also to establish detailed risk response procedures.
In addition, the requirement for a “Data protection trustworthiness certification” obliges enterprises to obtain certification or a rating for their level of personal data protection based on predefined standards. This not only helps build trust with customers but also demands complex processes and a high level of commitment to security.
Therefore, enterprises should promptly conduct a personal data processing impact assessment. Carrying out these procedures before the law takes effect will not only ensure readiness for compliance but also help avoid difficulties when legal procedures become more complex. Taking early action will allow enterprises to proactively prepare and optimize personal data protection measures, minimize legal risks, and build trust with customers in a context where laws on personal data protection are becoming increasingly stringent.
Time of writing: 30/10/2024
This article contains general information for reference only. If you would like a legal opinion on an issue you need clarified, please get in touch with our lawyers at info@cdlaf.vn.