Studies show that companies have had an average of 22 days of downtime a year due to data breaches. Deepraj Emmanuel, Director and Head, Asia of ISP, shares why it is of utmost importance to consider how the overall data protection and privacy posture for an enterprise can be improved.

Critical infrastructure, health and financial services have all been hit by disastrous data breaches, causing massive business disruption and eroding customer trust.

Protecting personal data, privacy and sensitive information is therefore a key consideration for any organization in Vietnam seeking competitive differentiation and incremental value for key shareholders through a risk-mitigated strategy for protected information.

Decree 13/2023/ND-CP clearly specifies the elements of personal data, so there is no ambiguity. Personal data protection is defined as the activity of preventing, detecting, stopping and handling violations related to personal data in accordance with the law, and personal data may be retained only for an appropriate period and no longer. Data custodians are to follow clear data processing principles and to communicate effectively when data is mishandled or lost, including in the event of a breach. Customer consent is critical for all forms of personal customer data stored, and the responsibility matrix for data protection has expanded significantly across multiple stakeholder groups. The following paragraphs provide insights on best practices that organizations can adopt towards better overall alignment with the decree.

Awareness and education for a risk culture, practical policies that help identify sensitive data, well-defined data protection strategies and robust data security capabilities all work together to provide a secure environment that enhances data privacy. Best practices today focus on a holistic plan that underpins business resiliency and addresses the risks introduced by the human element as well as by third parties in the supply chain.

It is essential for organizations to assess their data privacy posture and any areas of misalignment with regulatory data privacy governance laws and decrees. These assessments should be performed against industry best practices and frameworks, with continuous health checks on key data assets, targeting high-impact areas such as strategic business change, digital transformation projects, business process outsourcing and third-party risk management. Organizations that serve clients in Europe and the Americas also need to align their data privacy posture with GDPR and other privacy regulations, so that they do not become the weakest link for their clients when faced with a data privacy audit.

Some of the key concerns organizations need to address center on understanding where sensitive or confidential data resides in the organization and how it is used, including:

➤ Formulating a strategy for protecting data that meets compliance requirements without encumbering business productivity

➤ Proactively addressing users’ data needs in evolving technologies (mobile devices or the cloud)

➤ Recognizing that third-party business partners can put an organization’s data at risk

➤ Establishing policies and technologies to ensure any data shared is adequately protected

➤ Seamlessly integrating leading encryption, DLP, and database protection technologies to ensure holistic risk management.

A clear distinction needs to be made between data that falls under Intellectual Property (IP) and data that falls under Regulatory Restricted Information (RRI): both categories have process and technical controls to be optimized, but RRI requires additional management and more granular controls.

For organizations, the underlying business model needs to be based on the fundamental principles of accountability, incentives and respect for privacy.

From a business model standpoint, accountability should be assigned to those best placed to ensure that data is correct and up to date, while respect for employees’ and customers’ desires (and rights) to control their personal data is complemented by incentivizing the right behavior at every stage of the data protection management process.

From a strategic standpoint, accountability is to be reinforced through process design and legislation – with clear rights and responsibilities assigned to data controllers and data subjects, privacy safeguards built in, and individuals’ consent required for how their personal data is used, while access is limited to those with a legitimate purpose.

It is also essential that effective, ongoing management processes for delivering privacy, security and data integrity are in place across the business, including ensuring that:

➤ Strong policies and procedures are in place

➤ Management and staff have the required skills

➤ There is senior management accountability for privacy issues (e.g. a Chief Privacy Officer)

➤ Internal information management processes and secure/trusted systems are effective

Where issues are encountered, there need to be processes to erase, correct or restore data affected by errors resulting from fraud or from incorrect watch lists. In addition, clients and employees must have recourse to legal rights, effective independent scrutiny (such as a regular audit) and access to an independent authority that can hear concerns and enforce penalties for non-compliance.

From an execution standpoint, first plan a privacy discovery assessment with key stakeholders to gain a better understanding of the current privacy posture across the organization. Second, establish a collaborative agenda to drive assessments that give a better understanding of data security and privacy protection on key data sets. After the assessments, identify and recommend best practices and an implementation path towards a better overall privacy framework and its applicability. Use the advised solutions and providers to ensure that the overall data protection posture is improved and in line with the privacy protection of customer and employee data. Finally, it is extremely important to secure the right level of sponsorship from the Chief Experience Officer (CXO) and at the department level to complete the execution.
