CSR301 Lab
The EU general data protection regulation (GDPR) is the strongest privacy and security law in the world.
This regulation updated and modernized the principles of the 1995 data protection directive. It was
adopted in 2016 and entered into application on 25 May 2018.
Rights of individuals
The GDPR lists the rights of the data subject, meaning the rights of the individuals whose personal data is
being processed. These strengthened rights give individuals more control over their personal data,
including through:
the need for an individual's clear consent to the processing of his or her personal data
easier access for the data subject to his or her personal data
the right to rectification, to erasure and ‘to be forgotten’
the right to object, including to the use of personal data for the purposes of ‘profiling’
the right to data portability from one service provider to another
The regulation also lays down the obligation for controllers (those who are responsible for the processing
of data) to provide transparent and easily accessible information to individuals on the processing of their
data.
Controllers' obligations also include implementing appropriate security measures, proportionate to the risk
involved in the data processing operations they perform.
Controllers are also required in certain cases to provide notification of personal data breaches. All public
authorities and those companies that perform certain risky data processing operations will also need to
appoint a data protection officer.
The GDPR establishes that a single supervisory decision is taken in cross-border cases where several
national supervisory authorities are involved. This principle, known as the ‘one-stop-shop’ principle, means
that a company with subsidiaries in several member states will only have to deal with the data protection
authority in the member state of its main establishment.
The European Data Protection Board makes sure that the GDPR is fully applied. This board consists of
representatives of all 27 independent supervisory authorities.
Individuals can lodge a complaint with a supervisory authority and have the right to judicial remedy and
compensation. They have the right to have a decision by their data protection authority reviewed by their
national court, irrespective of the member state in which the data controller concerned is established.
Severe sanctions are provided against controllers or processors who violate data protection rules. Data
controllers can face fines of up to €20 million or 4% of their global annual turnover.
Where the Commission has not taken an adequacy decision on a territory or sector, transfer of personal
data may still take place in particular cases or when there are appropriate safeguards in place.
In March 2022, the Ronin blockchain belonging to Vietnamese video game wunderkind Sky Mavis,
the maker of the COVID-era viral video game Axie Infinity, was hacked to the tune of US$620 million in
cryptocurrency.
The hackers were able to infiltrate the system through a fake job offer, which tricked an employee
into downloading a PDF file containing a virus that spread throughout the system.
Unfortunately, this type of attack is not unique to Vietnam and businesses in the country are just as
susceptible to cyber attacks, such as phishing emails and distributed denial of service (DDoS)
attacks, as anywhere else in the world.
Each year, cybercriminals make millions of dollars finding security vulnerabilities in computer
systems to exploit or trick firms into handing over system access. However, there are measures that
companies can take to protect themselves against these threats.
Performing cyber risk assessments regularly, ensuring system access is protected by both strong
passwords and multifactor authentication, and developing a cybersecurity strategy are all effective
ways to keep nefarious actors at bay.
Firms can minimize the impact of cyber attacks by ensuring they regularly back up their critical
information and have a clear response plan in the event of a security breach.
The first step to effectively protecting a firm from cyber security threats in Vietnam is to perform a
risk assessment. This process will help to identify vulnerable digital assets and data, and assess
their level of exposure to a cyber attack.
This is essential for identifying a firm’s strengths and weaknesses and will inform the development
of an overarching strategy for mitigating the risks of cyber attacks in Vietnam.
During a risk assessment, sensitive data such as health records, employees’ personal information,
or financial information should be identified. Additionally, data critical to a business’s operations
such as intellectual property, operational processes, or industrial design assets should also be
identified.
After identifying this data as critical information, a risk assessment will audit who has access to
what. It is standard practice for staff in different positions to have access to different data.
Understanding this can be crucial to protecting a firm from malicious actors.
Furthermore, a cybersecurity audit will involve reviewing procedures used to access key data, then
looking for vulnerabilities and gaps in the methods and measures being taken to protect them. This
includes not just scoping out technical measures but also the security measures involving people
and processes.
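The "who has access to what" step of the audit above can be run as a simple least-privilege review: join the data inventory (with its sensitivity classification) against the exported access list and a per-role entitlement policy, and report every grant that exceeds the role's need or touches an asset the inventory never classified. The following is an added example, not code from the lab text; the inventory, role policy and access list are constructed sample data, and the role and asset names are assumptions.

```python
"""Access review for a risk assessment: who can reach which sensitive data.

Added example (not from the original lab text). The inventory, role policy
and access list below are constructed sample data, not real records.
"""
from collections import defaultdict

# Constructed data inventory: asset -> classification, as a risk assessment
# would record it (health records, personal data, financial data, IP, ...).
DATA_INVENTORY = {
    "hr/employee_records": "personal",
    "clinic/health_records": "health",
    "finance/ledger": "financial",
    "rd/industrial_designs": "intellectual_property",
    "ops/runbooks": "operational",
    "marketing/brochures": "public",
}

# Constructed least-privilege policy: which classifications each role needs.
ROLE_ENTITLEMENTS = {
    "hr_staff": {"personal", "public"},
    "clinician": {"health", "public"},
    "accountant": {"financial", "public"},
    "engineer": {"intellectual_property", "operational", "public"},
    "intern": {"public"},
}

# Constructed current access list (user, role, asset) as exported from the
# file server or IAM system.
ACCESS_LIST = [
    ("alice", "hr_staff", "hr/employee_records"),
    ("alice", "hr_staff", "finance/ledger"),            # excess: HR does not need finance
    ("bob", "clinician", "clinic/health_records"),
    ("carol", "intern", "rd/industrial_designs"),       # excess: intern on IP
    ("carol", "intern", "marketing/brochures"),
    ("dave", "engineer", "ops/runbooks"),
    ("dave", "engineer", "legacy/unclassified_share"),  # asset missing from inventory
]


def review_access(inventory, entitlements, access_list):
    """Return findings: excess access and assets missing from the inventory."""
    findings = []
    for user, role, asset in access_list:
        classification = inventory.get(asset)
        if classification is None:
            # A share nobody classified is a gap in the inventory itself.
            findings.append({"user": user, "asset": asset, "issue": "unclassified_asset"})
            continue
        if classification not in entitlements.get(role, set()):
            findings.append({"user": user, "asset": asset, "role": role,
                             "classification": classification, "issue": "excess_access"})
    return findings


def exposure_by_classification(inventory, access_list):
    """Count distinct users who can reach each data classification: the
    'level of exposure' figure the assessment reports per data category."""
    users = defaultdict(set)
    for user, _role, asset in access_list:
        cls = inventory.get(asset)
        if cls is not None:
            users[cls].add(user)
    return {cls: len(u) for cls, u in users.items()}


if __name__ == "__main__":
    for finding in review_access(DATA_INVENTORY, ROLE_ENTITLEMENTS, ACCESS_LIST):
        print(finding)
    print(exposure_by_classification(DATA_INVENTORY, ACCESS_LIST))
```

The two outputs map directly onto the audit questions: the findings list is what gets remediated (revoke the grant, or classify the share), and the exposure counts tell you which data category has the widest reach and therefore deserves the strongest controls.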
Passwords
A password is often the first line of defense against hackers. This makes a good, sturdy password
incredibly important in preventing cyber attacks or cyber thefts.
In this light, companies should ensure their staff follow best practices when creating their
passwords. This means that they should include both lowercase and uppercase characters,
symbols, and numbers and ensure passwords are of a meaningful length. Staff should also ensure
that their passwords do not reflect real-world references, such as a pet’s name or date of birth.
The more complex and difficult a password is to guess, the more secure it will keep corporate data.
It is, however, not foolproof, and additional measures should be taken when securing data, like
multifactor authentication.
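The password practices above can be enforced at account creation or password change rather than left to training alone. The following is an added example, not code from the lab text: it checks the character classes and length, then rejects passwords containing personal references taken from the user's own profile (name, pet name, birth date in common numeric forms), including simple digit-for-letter substitutions such as "R3x" for "Rex". The sample profile is constructed, and the minimum length of 12 is an assumed policy value, not a figure from the text.

```python
"""Password policy check: character classes, length, and no real-world
personal references.

Added example, not part of the original lab. SAMPLE_PROFILE is constructed
sample data; MIN_LENGTH is an assumed policy value.
"""
import re
from datetime import date

MIN_LENGTH = 12  # assumed policy value, not from the text

# Constructed sample HR profile for the user whose password is being set.
SAMPLE_PROFILE = {
    "username": "tnguyen",
    "first_name": "Thu",
    "last_name": "Nguyen",
    "pet_name": "Rex",
    "birth_date": date(1990, 7, 4),
}

# Common digit/symbol substitutions, normalised before comparing to references.
_LEET = str.maketrans("013457@$", "oieastas")


def personal_references(profile):
    """Derive lowercase tokens the password must not contain: user name,
    names, pet name, and the birth date in common numeric layouts."""
    refs = set()
    for key in ("username", "first_name", "last_name", "pet_name"):
        value = profile.get(key)
        if value:
            refs.add(value.lower())
    dob = profile.get("birth_date")
    if dob:
        refs.update({
            dob.strftime("%Y"), dob.strftime("%d%m"), dob.strftime("%m%d"),
            dob.strftime("%d%m%Y"), dob.strftime("%Y%m%d"), dob.strftime("%d%m%y"),
        })
    return refs


def check_password(password, profile):
    """Return the list of policy violations; an empty list means the
    password satisfies the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    leetless = lowered.translate(_LEET)
    for ref in sorted(personal_references(profile)):
        # Very short tokens would match almost anything, so require 3+ chars.
        if len(ref) >= 3 and (ref in lowered or ref in leetless):
            problems.append(f"contains personal reference '{ref}'")
    return problems


if __name__ == "__main__":
    for candidate in ("short1", "Rex1990!!abc", "R3x-1990-abc", "correct-Horse-battery-7"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```

The profile-based check is what turns "do not use your pet's name" from advice into a control; in a real deployment the same function would also consult a list of previously breached passwords, which the lab text does not cover.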
Multifactor authentication
Multifactor authentication (MFA) is the process of authenticating a user through two or more
security checks. This usually means a password followed by a secondary security measure, such
as a random passcode generated by a soft token sent to a mobile phone in the form of an SMS
message or a push notification.
Furthermore, more complex MFA solutions can combine a password and passcode with a series of
context checks. Things like geography, the type of device, and the IP address can all be used to
determine whether or not a login attempt is genuine. When an abnormal login attempt occurs, these
systems can notify an organization so that appropriate action can be taken.
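Both halves of the MFA description above, the soft-token passcode and the context checks, can be shown in one login decision. The following is an added example, not code from the lab text: it implements the TOTP algorithm that soft-token apps use (RFC 6238, HMAC-SHA1 over a 30-second time step) with a one-step window for clock drift and a record of consumed steps so a captured code cannot be replayed, then runs the attempt through device, country and network checks and escalates any anomaly to a notification. The known-device history and the login attempts are constructed sample data; the test secret is the one published in RFC 4226/6238.

```python
"""Second factor for a login: a TOTP soft-token code (RFC 6238, HMAC-SHA1)
verified with a small clock-skew window and replay protection, plus the
context checks (device, country, IP network) that flag abnormal attempts.

Added example, not code from the original lab. KNOWN_CONTEXT and the
attempts are constructed sample data; a real system would persist the
used-step record and derive the country from a geolocation service.
"""
import hashlib
import hmac
import ipaddress
import struct
import time

# Test secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 of the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP over the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, at, used_steps, step=30, window=1):
    """Accept a code from the current step or +/- `window` steps (clock
    drift), but never a code whose step was already consumed, so a code
    captured in transit cannot be replayed within its validity period."""
    current = at // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            used_steps.add(candidate)
            return True
    return False


# Constructed history of where and how this user has logged in before.
KNOWN_CONTEXT = {
    "devices": {"laptop-4f2a"},
    "countries": {"VN"},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],  # documentation range
}


def context_anomalies(attempt, known):
    """Return the context checks an attempt fails (empty list = looks genuine)."""
    issues = []
    if attempt["device_id"] not in known["devices"]:
        issues.append("unknown device")
    if attempt["country"] not in known["countries"]:
        issues.append(f"unusual country {attempt['country']}")
    addr = ipaddress.ip_address(attempt["ip"])
    if not any(addr in net for net in known["networks"]):
        issues.append(f"unfamiliar network {attempt['ip']}")
    return issues


def decide_login(secret, attempt, known, used_steps, at=None):
    """Password already checked by the caller: require a valid one-time
    code, then turn any context anomaly into a notification for the
    organisation rather than a silent allow."""
    now = int(time.time()) if at is None else at
    if not verify_totp(secret, attempt["totp"], now, used_steps):
        return "deny: bad or reused one-time code"
    issues = context_anomalies(attempt, known)
    if issues:
        return "notify: " + "; ".join(issues)
    return "allow"


if __name__ == "__main__":
    used = set()
    genuine = {"totp": totp(RFC_TEST_SECRET), "device_id": "laptop-4f2a",
               "country": "VN", "ip": "203.0.113.10"}
    print(decide_login(RFC_TEST_SECRET, genuine, KNOWN_CONTEXT, used))
    print(decide_login(RFC_TEST_SECRET, genuine, KNOWN_CONTEXT, used))  # replayed code
```

Two design points matter here: the comparison uses hmac.compare_digest so timing does not leak how many digits matched, and the used-step set is what makes a code single-use; without it the 30-second window is long enough for a phished code to be reused.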
This additional security measure helps to negate problems with user passwords, for example
the same password being used across multiple platforms.
In fact, it is common for the same password to be used on both personal accounts – Facebook,
Gmail, Instagram, etc.– and corporate accounts. But this can be a bigger problem than it might at
first appear.
Users may think that it is safe to use the same password on a forum under the misunderstanding
that hackers do not have access to a user’s personal details, like their workplace. However, hacking
methods are well advanced, and with a number of tools and frameworks like open-source
intelligence (OSINT), it can be relatively easy to locate a user using a range of data like their mobile
number, IP address, or email address. In doing so, a user may inadvertently give a hacker access
to their corporate digital accounts.
Firms should train staff to avoid opening emails from sources that are unfamiliar and to regularly
change their passwords. The potential business impacts of a successful cyber attack should be
made clear and staff should be trained as to how to protect their passwords both online and offline.
Limiting the damage of a cyber attack in Vietnam
Unfortunately, there are times when despite having complex and detailed cybersecurity protocols in
place, cybercriminals may still find a way to access a firm’s network. This can cost firms hundreds
of millions of dollars depending on the scale of the hack. With this in mind, there are a number of
measures firms can take to limit the impact of a cyber attack in Vietnam.
Both onsite backups and offsite backups are important. After a cyber attack, it can take IT services
a long time to find and eliminate a cyber threat. With backups, firms can quickly recover data after
threats are contained and mitigated, and continue working.
When the backup strategy is well planned and practiced, firms can readily evaluate the impact and
know from which point in time (the recovery point) they can resume work once the recovery process is finished.
It is important, however, to ensure that backups are stored separately to ensure they are not
compromised in a data breach. A firm may choose to set up their own private network or they could
engage the services of a cloud computing provider. It is common for firms to employ a combination
of both.
In the event that a cyber attack does occur, firms should have a response strategy prepared. This
could include who is in charge of the situation, who should be told about the situation and in what
order, and how individuals should respond, for example by immediately changing passwords or
surrendering compromised equipment.
A firm could also choose to practice business continuity exercises to ensure that processes and
procedures are in place, strictly followed, and well understood. They could also rehearse switching
to an alternative system and restoring data using both online and offline backups.
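The backup advice above (separate onsite and offsite copies, knowing the recovery point) and the rehearsal advice just given (practice restoring from both) can be combined into one routine. The following is an added example, not code from the lab text: it archives a folder, records a hash manifest and the recovery point, copies archive and manifest to two destinations, and then runs a restore drill that verifies the archive and every restored file. The "onsite" and "offsite" destinations are simulated as separate directories under a temporary folder, the sample files are constructed, and in the demo the onsite copy is deliberately damaged to show why the separated copy matters.

```python
"""Backup to two separated destinations and a rehearsed restore.

Added example, not from the original lab. Onsite and offsite are simulated
as separate directories under a temporary folder; in practice the offsite
copy lives on another network or with a cloud provider.
"""
import hashlib
import json
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, destinations, label):
    """Archive `source`, record per-file hashes and the recovery point, and
    copy archive + manifest to every destination. Returns the manifest."""
    recovery_point = datetime.now(timezone.utc).isoformat()
    files = {str(p.relative_to(source)): sha256_file(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / f"{label}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(source, arcname=".")
        manifest = {"label": label, "recovery_point": recovery_point,
                    "files": files, "archive_sha256": sha256_file(archive)}
        for dest in destinations:
            dest.mkdir(parents=True, exist_ok=True)
            shutil.copy2(archive, dest / archive.name)
            (dest / f"{label}.manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_drill(dest, label, target):
    """Rehearse recovery from one destination: check the archive hash,
    extract, and verify every file against the manifest."""
    manifest = json.loads((dest / f"{label}.manifest.json").read_text())
    archive = dest / f"{label}.tar.gz"
    if sha256_file(archive) != manifest["archive_sha256"]:
        return {"ok": False, "reason": "archive corrupted",
                "recovery_point": manifest["recovery_point"]}
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # safe extraction filter
        except TypeError:  # older Python without the filter argument
            tar.extractall(target)
    mismatched = [name for name, digest in manifest["files"].items()
                  if not (target / name).is_file() or sha256_file(target / name) != digest]
    return {"ok": not mismatched, "recovery_point": manifest["recovery_point"],
            "files_checked": len(manifest["files"]), "mismatched": mismatched}


def run_demo():
    """Constructed scenario: back up two files, damage the onsite copy as an
    incident might, and rehearse restore from both copies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "critical_data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2023-06-01,invoice,1200\n")
        (src / "customers.json").write_text('{"id": 1, "name": "sample"}\n')
        onsite, offsite = root / "onsite", root / "offsite"
        make_backup(src, [onsite, offsite], "nightly")
        # Simulate the onsite copy being overwritten during the incident.
        (onsite / "nightly.tar.gz").write_bytes(b"garbage")
        return {
            "onsite": restore_drill(onsite, "nightly", root / "restore_onsite"),
            "offsite": restore_drill(offsite, "nightly", root / "restore_offsite"),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The drill result is the evidence a business continuity exercise should produce: which copy restored cleanly, how many files were verified, and the recovery point from which work can resume.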
By having a clear response plan, firms can mitigate the damage a cyber attack may inflict and can
reduce company downtime as a result.
Law on Cybersecurity
On June 12, Vietnam’s National Assembly passed the Law on Cybersecurity with a huge majority.
The law will come into effect on January 1, 2019. The major provisions in the law include data
localization, government control over online content, and setting up local offices in Vietnam.
Although the law has been adopted, there are still some issues that lack clarity, and more changes
are expected to be introduced and implemented before it comes into effect.