The Vietnamese Government announced the Personal Data Protection Decree (Decree 13/2023/ND-CP) on April 17, 2023, and it comes into effect in July 2023. The PDPD aims to fill these gaps in the fragmented legal framework and to provide a comprehensive and consistent approach to personal data protection, extending safeguards for personal data to over 97 million people in Vietnam.
What is the Personal Data Protection Decree (PDPD) in Vietnam?
Personal Data Protection Decree 13/2023/ND-CP, which came into effect on July 1, 2023 includes 44 articles marking a significant milestone in protecting personal data in the country.
- The Decree introduces key concepts and principles of personal data protection and sets out specific requirements for data processors and controllers.
- It establishes a regulatory framework for obtaining consent for data processing activities including the purchase and sale of personal information, as well as marketing and advertising, cross-border data transfers, and children data protection, which can contribute to safeguarding the privacy and security of individuals’ personal data.
Personal Data Protection Decree (PDPD) applies to all individuals and entities operating in Vietnam who engage in the provision, collection, or utilization of data for any purpose within the country. This includes:
- Vietnamese agencies, organizations, and individuals;
- Foreign agencies, organizations, and individuals in Vietnam;
- Vietnamese agencies, organizations, and individuals operating abroad; and
- Foreign agencies, organizations, and individuals directly participating in or related to personal data processing activities in Vietnam.
Personal Data Protection Decree 13/2023/ND-CP includes 44 articles marking a significant milestone in protecting personal data in the country.
The PDPD clearly defines:
- Definition and classification of Personal Data
- Definition of regulated parties, such as the recognition of “Personal Data Controllers and Processors” as a distinct legal entity, with a mixed nature
- Principles of processing Personal Data Consent requirement and exceptions
- Processing of Basic Personal Data and Sensitive Personal Data
- Cross-border Transfer of Personal Data
- Rights of Data Subjects
- Penalties: Non-compliance with PDPD can be subject to disciplinary action, administrative penalties, or criminal prosecution, depending on the severity of the violation
COMPLIANCE BRIEF
Data Security Compliance with the Personal Data Protection Decree (PDPD) in Vietnam
Explore solutions for Personal Data Protection Decree by simplifying compliance and automating security reducing the burden on security and compliance teams.
How Thales Helps with the Personal Data Protection Decree (PDPD) Compliance in Vietnam
Thales’ solutions can help organizations address 20 Articles in the PDPD by simplifying compliance and automating security with visibility and control, reducing the burden on security and compliance teams.
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs and a secure Content Delivery Network (CDN).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address PDPD Article & Requirements
How Thales helps:
- Identify structured and unstructured sensitive data at risk on premises and in the cloud
- Identify current state of compliance, document gaps, and provide a path to full compliance
- Encrypt data at rest on-premises, across clouds, and in big data or container environments
- Pseudonymize sensitive information in databases
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document
- Protect data in motion with high-speed encryption
- Protect the root-of-trust of a cryptographic system within a highly secure environment
- Limit the access of internal and external users to systems and data based on roles and context with policies
- Apply contextual security measures based on risk scoring
- Leverage smart cards for implementing physical access to sensitive facilities
How Thales helps:
- Discover all of your data and categorize it based on sensitivity and value, allowing you to uncover hidden data risks
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document
How Thales helps:
- Uncover hidden risks with data discovery, classification, and vulnerability assessments
- Pseudonymize sensitive information in databases
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document
How Thales helps:
- Locate structured and unstructured regulated data across hybrid IT
- Pseudonymize sensitive information in databases
- Encrypt data at rest on-premises, across clouds, and in big data or container environments.
How Thales helps:
- Pinpoint sensitive data and ensure the proper user access rights are in place
- Data activity monitoring for structured and unstructured data across cloud and on-premises systems
- Protect sensitive data with real-time alerting or user access blocking of policy violations
- Remove keys from CipherTrust Manager can ensure secure deletion, digitally shredding all instances of the data
- Enable Multi-factor Authentication (MFA) with the broadest range of hardware and software methods and form factors
- Build and deploy adaptive authentication policies based on the sensitivity of the data
How Thales helps:
- Identify structured and unstructured sensitive data at risk on premises and in the cloud
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document
- Streamline reporting and analysis of user access rights to sensitive data
How Thales helps:
- Identify structured and unstructured sensitive data at risk across hybrid IT
- Identify the current state of compliance, document gaps, and provide a path to full compliance
- Encrypt data at rest on-premises, across clouds, and in big data or container environments
- Apply privileged access control to sensitive data
- Pseudonymize sensitive information in databases
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document
- Protect the root-of-trust of a cryptographic system within a highly secure environment
How Thales helps:
- Data activity monitoring for structured and unstructured data across cloud and on-prem systems
- Identify abnormal user behavior and provide a complete threat description with actionable intelligence for remediation
How Thales helps:
- Data activity monitoring for structured and unstructured data across hybrid IT
- Encrypt data at rest on-premises, across clouds, and in big data or container environments
- Pseudonymize sensitive information in databases
- Gain full sensitive data activity visibility, track who has access, audit what they are doing, and document
- Alert or block database attacks and abnormal access requests in real time
- Monitor file activity overtime to set up alerts on activity that can put the organization at risk
- Reduce third-party risk by maintaining on-premises control over encryption keys
- Ensure complete separation of roles between third party and your organization, restrict access to sensitive data
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights
- Protect the root-of-trust of a cryptographic system within a highly secure environment
- Streamline reporting and analysis of user access rights to sensitive data
- Enable multi-factor authentication (MFA) with the broadest range of hardware and software methods
- Build and deploy adaptive authentication policies based on the sensitivity of the data/application
- Protect against phishing and man-in-the-middle attacks
How Thales helps:
- Identify abnormal user behavior and provide a complete threat description with actionable intelligence for remediation
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.