Here is the converted article in markdown format:

Vietnam’s New Data Protection Regulations Set to Come into Effect

The Vietnamese government is set to introduce new regulations on personal data protection, aimed at strengthening the country’s data security and compliance with international standards.

Background

The draft Personal Data Protection (PDP) Decree outlines strict conditions for transferring personal data offshore. To comply, entities must obtain consent from the data subject, store the original data in Vietnam, and demonstrate that the recipient country or region has an equal or higher level of personal data protection than required under the PDP Decree.

Key Provisions

Data processors will be required to develop a system to store data transfer history for three years.
The decree emphasizes the importance of physical, technical, and managerial measures to protect personal data, as well as developing and issuing internal policies on personal data protection.

The PDP Decree allows for certain exceptions to consent requirements in specific circumstances, including:

National and public security concerns
Emergencies that threaten the freedom and health of individuals or the general public
Investigations into legal violations
Research and statistics collection

However, it remains unclear if this extends to internal investigations against employees.

Enforcement

The decree introduces a range of penalties for data breaches, including:

Disciplinary or administrative fines ranging from VND50 million to VND100 million (equivalent to USD2,000 to USD4,350)
Repeat offenders may face temporary or permanent bans on processing or transferring data, as well as turnover-based penalties extending up to 5% of their revenue in Vietnam

How to Stay Ahead

To comply with the new regulations, companies and individuals are advised to adopt a “privacy by design” approach, integrating security into their core operations. This can be achieved through:

Mapping data sources and locations to identify risks
Reviewing the importance and relevance of collected data
Keeping certifications and technology up to date
Developing safeguards against potential breaches
Ensuring third-party contractors have adequate security measures in place

Conclusion

The PDP Decree is expected to come into effect soon, and it is essential for companies and individuals to be aware of the new regulations and take steps to ensure compliance. With its broad discretion and penalties for non-compliance, the decree aims to strengthen Vietnam’s data protection regime.

KPMG Vietnam: Your Partner in Data Protection

As a leading professional services firm, KPMG Vietnam is committed to helping clients navigate the complex world of personal data protection. Our team of experts provides tailored solutions to ensure compliance with local and international regulations, including the PDP Decree.