On June 26, 2025, the National Assembly of Vietnam passed the Law on Personal Data Protection 2025 (PDPL 2025), which takes effect on January 1, 2026, marking an important step in completing the legal framework for personal data protection in Vietnam. Together with Decree 13/2023/ND-CP (PDPD 2023), in force since July 1, 2023, these regulations set new and stricter requirements for businesses that process personal data. Amid rapid digital transformation, personal data has become a valuable asset but also a target of abuse, from information leakage to unauthorized trading. So what do businesses need to do to comply with the new legal requirements, mitigate risks and maintain a competitive advantage? This article analyzes the necessary preparation steps, from reviewing internal processes to implementing technical, legal and administrative measures.
1. Understand new legal requirements
1.1. Overview of PDPL 2025 and PDPD 2023
PDPD 2023 is the first legal document in Vietnam to comprehensively regulate personal data protection, laying the foundation for data management in fields such as finance, telecommunications, healthcare and e-commerce. However, as a decree, PDPD 2023 still has many limitations in scope and enforcement. PDPL 2025 was enacted to address these shortcomings, expand the scope of regulation, detail the rights of data subjects and apply stricter sanctions.
PDPL 2025 applies to all domestic and foreign organizations and individuals that process personal data in Vietnam, including data of Vietnamese citizens processed abroad. The law clearly distinguishes basic personal data (full name, date of birth, phone number, etc.) from sensitive data (financial, biometric, medical information, etc.) and lists prohibited acts, such as unauthorized data trading and obstruction of data protection. Violations relating to cross-border data transfer can be fined up to VND 3 billion or 5% of the previous year's revenue.
1.2. Main requirements for enterprises
- Collecting Consent
Enterprises must obtain voluntary and explicit consent from the data subject before processing, except in certain cases such as protecting life, performing a contract or serving national security.
- Data Processing Impact Assessment (DPIA)
Enterprises must prepare a DPIA dossier, submit it to the Ministry of Public Security within 60 days of commencing data processing, and keep it available for inspection at all times.
- Cross-border data transfer
Requires a DPIA and a written agreement with the overseas data recipient, accompanied by appropriate safeguards.
- Data subject rights
Businesses must ensure rights such as access, correction, deletion, withdrawal of consent and compensation for damages, with a transparent handling process.
- Data security and deletion
Data must be encrypted and protected by technical measures, and erased or de-identified when it is no longer needed.
- Sanctions
Violations may be subject to administrative fines, criminal prosecution or claims for damages.
2. Specific preparation steps for businesses
To comply with PDPL 2025 and PDPD 2023, businesses need to implement legal, technical and organizational measures. The following are suggested solutions for businesses to consider and implement.
2.1. Review and update internal processes
Businesses need to comprehensively evaluate the processes involved in collecting, storing, processing and transferring personal data. The steps include:
- Determine the type of data: Classify the data being processed (basic or sensitive) and determine the purpose of the processing. For example, financial or biometric data requires stricter protection. Where biometric data is not genuinely necessary, businesses should consider eliminating it, particularly biometric data collected for employee timekeeping.
- Review contracts and policies: Update employment contracts, partner contracts, software leases and internal policies to ensure compliance with data protection requirements. For example, a contract should clearly state the purpose of processing, the security measures and the responsibilities of the parties.
- Develop a notification process: Establish a mechanism to notify data subjects before processing, covering the purpose, type of data, processing period and the subjects' rights. The notice must be presented in writing or in a verifiable electronic format.
- Prepare DPIA records: Prepare and retain DPIA records, including the purpose of processing, protection measures and risk assessment. An original copy must be sent to the Ministry of Public Security (Department of Cyber Security and High-tech Crime Prevention).
2.2. Implementation of technical measures
Data security is a core requirement of PDPL 2025 and PDPD 2023. Businesses need to apply modern technical measures to prevent data leakage and abuse:
First, encrypt data
Use encryption for sensitive data, both at rest and in transit.
Second, it is necessary to implement two-factor authentication (2FA)
Apply 2FA to limit unauthorized access to systems holding personal data.
Third, establish a firewall and monitoring mechanism
Set up firewalls, intrusion detection systems (IDS), and continuous monitoring to detect and prevent cyberattacks.
Fourth, delete and de-identify data
Ensure data is securely deleted or de-identified when it is no longer needed, in accordance with Article 14 of PDPL 2025.
Fifth, perform periodic cybersecurity checks
Check the security of systems and devices before they are used for data processing, and repeat these checks periodically.
In practice, many of our customers apply the above technical measures effectively. However, depending on its systems, human resources and finances, each business will need to tailor these measures to its own situation.
Source: Tuoi tre online
2.3. Training personnel and appointing a dedicated team
In addition to the technical measures suggested above, businesses need to carry out the following activities to ensure good compliance in this field.
Personal data protection training. Organize training programs for employees on legal regulations, personal data handling skills and how to respond to data breaches. This is very important: staff comply well only when they are fully and properly aware of the importance of protecting personal data.
Appoint personnel in charge. Appointing a department or individual dedicated to personal data protection (DPO) to oversee compliance and handle requests from data subjects is not merely good practice but a mandatory requirement for businesses. Businesses can recruit for this position, appoint someone from existing personnel, or outsource it to a law firm that provides this service.
Develop a request handling process. Businesses should establish a process for receiving and handling requests from data subjects, such as requests for access, correction or deletion of data, ensuring a response within the time limit set by the law or decree. This will help businesses comply better as personal data protection law is enforced in Vietnam.
2.4. Preparing for cross-border data transfers
Enterprises, especially foreign-invested enterprises (FDI enterprises) that transfer data abroad, must comply with the strict personal data protection requirements prescribed by Vietnamese law.
First, prepare DPIA records for the cross-border transfer of personal data
The dossier must be prepared according to the prescribed form with clear contents, detailing the reason and purpose of the transfer, the consent of the data subject, and the data protection measures applied during the transfer. Businesses must also submit an original to the Ministry of Public Security within 60 days from the first day of transferring personal data abroad.
Second, conclude an agreement with the data recipient
Sign a written agreement with the overseas data recipient that clearly stipulates responsibility for protecting the transferred personal data. This helps businesses understand their responsibilities and gives them a clear course of action for any incident that occurs.
Parties should also note that PDPL 2025 allows exceptions in cases such as storing employee data in the cloud or the data subject transferring the data themselves, but security measures must still be ensured.
2.5. Preparation for specific fields
PDPL 2025 provides detailed regulations for specific areas such as children's data, finance, advertising, social media, AI and biometric data. These are areas that are particularly prone to personal data protection violations, involve subjects in need of special protection, or are important and sensitive to the country. The regulations for these specific fields therefore demand higher and stricter compliance, especially in responding to personal data leakage incidents.
2.6. Develop an incident response mechanism
Businesses need to prepare a response plan for violations that occur in the collection, storage, processing and cross-border transfer of personal data. A detailed, specific and easy-to-implement response plan gives businesses confidence and ensures an orderly response, without surprises, when an incident occurs.
3. Benefits for businesses that comply well with personal data protection laws
Compliance with PDPL 2025 and PDPD 2023 can be an expensive and difficult process for businesses, all the more so because this is a new field and a new requirement of Vietnamese law in a period of deep integration with the world. However, complying with the law on personal data protection not only helps businesses avoid legal sanctions but also brings many benefits, such as enhanced customer trust. Transparency in data processing builds credibility and trust among customers and partners. Compliance also helps businesses improve their competitive advantage and minimize the risk of information leakage, which can cause great financial and reputational damage.
The Law on Personal Data Protection 2025 and Decree 13/2023/ND-CP mark Vietnam's transformation in building a safe and transparent digital environment. To comply with the new requirements, businesses need to proactively review processes, implement technical measures, train personnel and prepare legal documents. Despite facing many challenges, compliance is not only a legal obligation but also an opportunity for businesses to affirm their prestige and compete in the digital era. With the support of regulatory agencies and professional partners, businesses in Vietnam can fully meet these requirements, contributing to building a sustainable digital economy.