August 30, 2021
Vietnam’s upcoming data compliance policy: Head of Compliance Bruno Sivanandan
Interview Credify’s Head of Compliance Bruno Sivanandan
Vietnam is preparing to implement its new Decree on Personal Data protection at the end of 2021. Currently, it already has many regulations that govern the collection, receipt, transmission, and use of data, still many cases of infringement persist. In this interview, we had a discussion with Bruno on what Vietnamese businesses can expect and prepare for themselves when the decree comes into practice.
From his early working experience, Bruno soon realized the difficulties of companies to adapt their systems to such regulations. Now being the Chairman of Eurocham Digital Sector Committee, Bruno can bring discerning insights to Vietnamese businesses affected by this new decree. He also shares his case study at Credify on data compliance that can save many businesses in transforming their system architecture and coping with the growing complexity of the digital economy.
*Disclaimer: The comments of this article only reflect the opinion of Bruno Sivanandan and by no means those of the Eurocham or the Digital Sector Committee. Moreover, they are based on the draft decree and will be only relevant provided the actual decree does not change extensively comparatively to the draft.
What do you think about this new decree on personal data in general?
The draft Decree on Personal Data Protection is to be analyzed in relation to an array of policies pertaining to data and privacy protection, such as the Cyber Security Laws or the Decree 72 on the management, provision, and use of Internet services and online information. This regulation is absolutely necessary for Vietnam, where the digital share of the economy is growing dramatically. Without clear rules and guidance, it is likely that personal data would be handled inappropriately. This would leave the privacy of the citizens at risk and, on another scale, limit the perspectives of the inclusion of Vietnam in the global economy.
We are currently witnessing forced digitization of the economy, especially in Ho Chi Minh, with the strict regulations related to COVID-19. We always use more services and those are always handling more sensitive data… Even our financial and health data transit through applications nowadays. The framework in which these internet-based services operate has to ensure our safety and privacy. This is the challenge Vietnam is tackling with those regulations.
What would be the impact on Vietnamese people, to specify, the consumers and data owners?
The daily experience of the users will not change much. The main difference would be that upon accessing a service, users will have better information about why their data is collected, and to whom it is provided. The idea is that citizens be confident that any digital service they access on Vietnamese soil will respect their privacy and that authorities will actually enforce infringements.
Moreover, citizens will be entitled to specific rights on their data they can use to force a service provider to erase their records or print out their data for them.
What does this decree mean for Vietnamese firms? How would it impact their business?
The private sector is likely to be the most impacted by the decree on Personal Data Protection and related laws mentioned above. Companies that are processing personal data will have to obtain a license to do so. First, this license will require proof that one’s system is secure enough, preventing hackers from getting their hands on the intimacy of the citizens. Secondly, companies need to prove that they are processing the data legitimately, i.e that the user gave his consent with sufficient details about the processing itself. Thirdly, that all the third parties involved in processing the data are themselves compliant.
In practice, such requirements are very costly to set up and enforce. Ideally, it means that all companies processing personal data, and that is a lot of companies, should be audited before having a license to operate, which is absolutely impractical.
However, where to find such resources is a problem that every single country is facing, amid a rise in cyber attacks. Only wealthy corporations are able to pay for such massive transformation projects. But what about the rest of the economic actors, how can we build a trusted network? We need new services on the market that lower the cost of compliance to acceptable levels. That is where Credify enters the dance!
What does this decree mean for international enterprises located both in Vietnam and overseas?
This is the million-dollar question. Cross-border data transfer is a Gordian Knot nobody has slashed at the moment. The most formidable example is probably the Privacy Shield breakdown by the Schrems II court decision. This means that European and American companies are not able to legally exchange personal data since the 16th of July 2020… it is obvious is the million-dollar question. Cross-border data transfer is a Gordian Knot nobody has slashed at the moment. The most formidable example is probably the Privacy Shield breakdown by the Schrems II court decision. This means that European and American companies are not able to legally exchange personal data since the 16th of July 2020… it is obvious that we have a problem here. This is one of the main topics we are working on at the Digital Sector Committee, we are working on solutions with the input of relevant governmental bodies.
What measures from governments can be taken to enhance the practice of this new decree?
Governments, in general, need to issue guidance that is as clear as possible for businesses to follow. From general legislation that states the spirit in which the law has been written, there is a need for precise “how-to” manuals for each industry. For example, in the e-commerce industry, what are major platforms supposed to do? How are they supposed to make sure their system is secured and that users are sufficiently aware of what is going on with their data?
This is where we mix the legal field with the IT engineering field, and typically where Best Practices need to be detailed measures by measures. The best way to achieve this is to let experts in each industry gather in working groups and issue “Codes of Conducts” for their peers to follow. Such precise guidelines clarify what exactly needs to be implemented to gather a user’s consent, encrypt a password, protect your system from an array of cyber attacks, and so on.
What advice would you give for Vietnamese businesses to prepare before the decree comes into effect?
Any business needs to have a digital transformation strategy, the Covid crisis has only accelerated a trend that has been ongoing for a few decades and made it critical to have one! In my opinion, the main elements are to focus on what is your core business and to outsource the rest to companies you trust. One example is the cloud computing services: most companies prefer to outsource this responsibility to trusted companies like AWS, Azure, GCP, it has become too costly and even less secure to buy your own servers, build your data center, cool it, assess the personnel, maintain backups and so on… If it’s not your business, leave it to people who focus on it!
The methodology I advise is first to map your system, document all the business processes, the data each one is handling, under whose supervision, and so on. This is tedious work, but it will serve as the basis of any compliance program for the Vietnamese regulation, the GDPR, an ISO certification, and much more.
The most impacted businesses are obviously those relying on personal data to provide their services. It is especially important for such companies to convey to their users the exact list of sensitive data they are processing, for what purpose, and with the help of which subcontractor(s). At the scale of a company, it is challenging to keep this documentation up to date, as it requires real discipline from the workforce.
A general thought process is to imagine an auditor inspecting the system of your company. The auditor will want to make sure that every data flow is secured with adequate technical measures, relative to the sensitivity of the data. It is up to the company to be able to demonstrate their compliance.
How is Credify responding & contributing to this new decree on data protection?
If you were to remember one idea of this article, I would go with that one: Credify is an enabler for the economic actors to take part in the digitization of the economy with minimal effort, leaving the burden of compliance to Credify.
Credify has a cutting edge technology to transfer data between two systems with a high level of security while dealing with consent gathering and audibility. The vision of Credify is two-fold: first create a trusted network of companies relying on personal data, enabling them to access personal data sitting in another system while complying with the regulation, the details of how to comply are dealt with by Credify, that is our serviceX product. Secondly, empower the user with their data, that they can use to access different services, that is idX.
The level of security required to operate this data bridging service is extremely high, and one needs to add all the constraints mentioned above that come from the regulation. It becomes clear that handling sensitive data is becoming a craft of its own. Companies will need a reliable partner to do it, just like they do with Cloud computing.
This is where Credify displays its value! We are building a network where members can exchange users’ data securely, under the supervision of the users. This enables, with minimal efforts, traditional businesses to make a first step in the digital economy, or for tech-savers businesses to dramatically enhance the exposure of their services in the trusted network of Credify.
About the Head of Compliance
As the Chairman of Eurocham Digital Sector Committee, Bruno takes the role of enabling members of the committee to express their opinion about the Vietnamese Digital regulatory Landscape. Their purpose is on one hand to clarify the regulation for the business community, and on the other to give their opinion on key policies.
He earned his Computer Engineering degree in the National Institute of Applied Sciences of Lyon, a leading engineering university in France. He then had a diverse experience when decided to come to Vietnam, step out of the engineering world and try himself at doing business.
Bruno is now the Head of Compliance of Credify. Thanks to the knowledge he brings about data protection and privacy regulation, coupled with his insights from being the chairman of the digital Sector committee of the European Chamber of Commerce, and his IT background, Bruno can share a valuable perspective on the products and strategy of Credify.
Credify’s products, idX and serviceX, both have data privacy and cyber security at the core of their design. Therefore, Bruno’s role is to help streamline the production processes of the company to ensure everything we ship is secured, as well as designing the contractual structure with our customers to fit in the regulatory landscape that is being built.
On another hand, he is involved in gathering intelligence about the potential markets Credify can reach through this new industry of “data bridging”. This intelligence is then projected in the way we package our technology for the actors of e-commerce, insurance, finance, healthcare etc.
#TalkwithCredify’sLeaders is a series of 4 discussion articles in which our leaders will share their opinions and experiences on a compelling topic of their expertise.