The Vietnamese government continues to revise legislation on data and data protection as a response to the escalation of security threats. The National Assembly passed the new Personal Data Protection Law. The Law on Data is enacted from the 1^st of July. A draft Cybersecurity Law will combine the Law on Network Information Security and the Law on Cybersecurity. Learn more about the changes related to the Personal Data Protection Law and its effect on businesses operating in Vietnam.

Information security threats continue to escalate in Vietnam. In 2024, 10 terabytes of data were encrypted by criminals as a result of attacks. More than 14 million accounts were leaked. The number of DDoS attacks increased by 34% compared to the previous year and reached 924,000 attacks. Authorities detected more than 1,200 fake sites and unauthorized brand usage. 71% of all recorded attacks targeted finance and banking sectors.

To address security challenges, Vietnamese authorities are actively reforming the legal field. For instance, the Law on Data took effect on the 1st of July 2025. It regulates data processing and clarifies major terms like “important data” and “core data”. The Law of Data also sets a framework for cross-border data transfers.

Representatives of the Cybersecurity and High-Tech Crime Prevention Department (A05) under the Ministry of Public Security stated that there are 54 legal documents in the cybersecurity sector that need to be revised or changed. For instance, one of the upcoming documents is the new Cybersecurity Law 2025. It is supposed to combine the 2015 Law on Network Information Security and the 2018 Law on Cybersecurity. The draft cybersecurity law will cover updated Ministry of Public Security responsibilities and is expected to be submitted to the National Assembly in October 2025.

The National Assembly passed one such updated law, the new Personal Data Protection Law (PDPL), on June 26. The law will enter into force on the 1st of January, 2026. The PDPL makes major changes and introduces new concepts in comparison with the current Decree No. 13/2023/ND-CP on personal data protection. However, the full text of the passed law is expected to be published soon. Let’s make a short review of confirmed adjustments and provisions in the area of data protection in Vietnam.

1. Personal data will be split between basic personal data and sensitive personal data.
2. Prohibition of data trading.

Officials stated that strong data subject rights are the foundation of the PDPL. Commercial operations, such as buying and selling personal data, can affect data subjects and their human rights, privacy, and identity. Thus, the Vietnamese government strictly limited the processing of personal data.

3. Updated administrative sanctions for violations.

• Up to 10 times the revenue gained from unlawful personal data buying or selling.
• Up to 5% of the previous year’s revenue for violations related to cross-border data transfers.
• Up to 3 billion VND (about $118 000) for other violations.

The particular size of the fine will depend on nature of the violations, their severity, and their consequences. Individuals will face half the fine applicable to organizations for violations of the PDPL’s rules.

4. Companies must conduct data processing impact assessment and transfer impact assessment.
5. Exemptions are made for certain entities.

• Microenterprises and household business are exempt from PDPL’s scope of application.
• Startups and small firm could opt for grace period for five years. Grace period includes conducting a data processing impact assessment and appointing a DPO.

6. Authorities will provide sector-specific regulations for following industries: healthcare, insurance, banking, financial services, online media, advertising, big data, AI, cloud computing, and several other sectors.
7. Data processing consents obtained under the PDPD remain valid under the PDPL. Data processing impact assessment and transfer impact assessment are also valid under the PDPL. However, they need be updated to be in line with the new requirements of the PDPL.

It's too early to summarize the new Personal Data Protection Law, as the full text has not yet been officially published. However, the main points of the law provide enough information to understand the intentions of the authorities. The Personal Data Protection Law aims to protect individuals by giving them the tools to enforce their rights over their personal data. The Vietnamese government has created a strict legal framework that encourages businesses to comply with the law. Compliance with the PDPL will ensure the confidentiality of personal data and minimize the risks associated with data processing.

Legal compliance is an essential part of information security. Violations can lead to regulatory claims, monetary fines, and other legal consequences, such as temporary suspension of business licenses.

Due to constant changes in laws, regulations, and industry-specific requirements, it can be challenging to fulfill these demands. In some regions, there may be difficulty filling required positions on a security team with the necessary expertise and skills, especially for small and medium-sized businesses.

To address these challenges, SearchInform has developed the Managed Security Service (MSS). This service combines a range of advanced security solutions with access to skilled and experienced security professionals. The MSS offers 360-degree protection against data breaches and internal threats, safeguarding corporate assets and sensitive documents.

Contact us today to request a free regulatory compliance check!