Page 158 - ISC PROCEEDINGS 21.4
of consent is simple, accessible, and no more burdensome than the act of giving consent. This is essential because the legitimacy of data processing in commercial settings often depends on whether users retain genuine control over subsequent data uses.
Second, the framework should strengthen corporate accountability obligations. For high-risk processing activities, businesses should be required to conduct a form of data protection impact assessment or equivalent risk evaluation before processing begins. Enterprises should also maintain internal records of processing activities, adopt internal compliance procedures, and designate a responsible person or unit for data protection governance. Comparative experience shows that personal data protection is more effective when the law combines individual rights with organizational accountability.
Third, the legal regime should clearly regulate data breach notification. Where a breach creates material risks for data subjects, the responsible business entity should be required to notify the competent authority and, where appropriate, affected individuals within a legally specified timeframe. Without such a mechanism, data subjects may be unable to protect themselves promptly, and authorities may lack the information necessary to supervise systemic risks.
Fourth, the sanctioning system should be made more proportionate and effective. Instead of relying only on relatively low fixed penalties, the law should consider a more differentiated structure based on the seriousness, scale, and consequences of the violation. In serious cases, sanctions linked to turnover or the economic benefit derived from unlawful processing may be more effective than symbolic administrative fines. Additional sanctions, such as suspension of specific processing activities or temporary restrictions on data operations, may also be considered where necessary to ensure deterrence.
Fifth, Vietnam should improve the institutional structure of enforcement. The law should clearly define whether personal data protection is to be supervised by a specialized regulatory authority, a lead coordinating body, or an integrated inter-agency mechanism. In any case, overlapping mandates should be reduced and procedural coordination should be clarified. Effective enforcement depends not only on the existence of legal rules but also on institutional clarity regarding supervision, complaints, inspections, and sanctions.
Finally, future legal development should more clearly articulate the relationship among personal data protection, privacy rights, cybersecurity regulation, and consumer protection law. In business practice, these fields frequently overlap, especially on digital platforms. A more integrated legal understanding would help reduce interpretive uncertainty for both businesses and enforcement bodies and would support more coherent compliance in the digital economy.
5. Conclusion
Personal data protection in business is now a central issue of legal governance in Vietnam’s digital economy. However, the significance of the topic lies not merely in its urgency, but in the specific legal difficulties involved in regulating business-related data processing in a coherent and enforceable manner. This paper has argued that, after the entry into force of the Law on Personal Data Protection 2025, the core challenge is no longer the absence of a dedicated law, but the continuing need to address conceptual fragmentation, overlapping regulatory obligations, and enforcement weaknesses within the broader legal framework.