Lieutenant Colonel Trieu Manh Tung is deputy director of the Department of Cyber ​​Security and High-Tech Crime Prevention and Control - A05 under the Ministry of Public Security (MPS), and is Head of the Inspection Committee of the National Cyber ​​Security Association. He said Decree 13 has laid a very important legal foundation for the involved parties, including data owners, data processors and data inspectors.

MPS said in 2023 alone, it issued warnings and dealt with tens of million of cases related to personal data breaches.

However, Tung stressed that despite the decree, the breaches in personal data protection still occur regularly. At this moment, A05, as a specialized agency of MPS, is assessing, verifying and dealing with hundreds of groups of people that illegally buy or sell and use personal information.

“The data purchases and sales occur in the open air. Most data for sale consist of important personal information, from information about family relationships, health conditions, to information about consumption behaviors,” Tung said. 

A05, after checking, has found that 1.2 million businesses are covered by Decree 13, but the number of businesses reporting to the agency remains very small, with about 1,000 dossiers.

After analyzing the 1,000 dossiers, A05 has found that businesses face lot of difficulties implementing regulations on personal data protection.

Dao Duc Trieu from the National Cyber ​​Security Association said the personal data protection in Vietnam has improved over the last year, after Decree 13 came out.

He emphasized that the decree is the first legal document of Vietnam that clearly stipulates the 11 rights of data owners. Businesses need to deploy policies and procedures to satisfy the requirements, from data collection to data analyses, to processing and elimination.

“We have begun receiving complaints that users’ personal data are being used for services,” Trieu said.

However, Trieu, agreeing with A05, noted that though Decree 13 took effect one year ago, the purchase, sale, appropriation and illegal use of personal data are still rampant.

MPS said from early 2023 to early 2024, it discovered many cases in which individuals and organizations sold personal data. Some large-scale data appropriation and trade cases in Vietnam have been discovered.

Discussing the problems enterprises meet implementing Decree 13, Trieu said it is personal data overcollection, the lack of a legal framework in collecting personal data; inability to define data processing flows; inability to get consensus from data owners; and personal data owners’ refusal to give opinions, in addition to difficulties in implementing technical solutions.

“The biggest obstacle is that many agencies and units still don’t understand all the content of Decree 13. Many units just pay attention to building administrative procedures and dossiers for impact assessment, and they don’t research to understand and identify the problems their businesses face,” Trieu said.

Tran Cong Quynh Lan, deputy CEO of VietinBank, a unit covered by the decree, said compliance with the decree is a must to protect users’ data and ensure the bank’s prestige.

However, this poses challenges in terms of investment, management and compliance supervision costs, in data classification, data processing impact assessment and worker training.

Many information systems are impacted by the decree, so commercial banks have to make heavy investments to adjust their existing systems. Banks also need to have a system to manage and control compliance with the rules.

Lan said that it is difficult for banks to define which kinds of personal data clients have the right to full ownership, which kinds of data that need to be collected as requested by the laws, and which data can be used by banks for authentication or as evidence in disputes.

Banks also have to spend time and money to train workers about the new regulation and security measures.

Van Anh