The Law on Personal Data Protection took effect from January 1, 2026. How do you think it will affect businesses operating in Vietnam?
With the Law taking effect, businesses will have to treat personal data as a form of capital or asset regulated by the State. They must clearly understand what data they collect, for what purpose, and with whom it is shared, and be able to prove that every process complies with the Law.
From January 1, Vietnam have a more complete legal framework for data. At its core is the new Law, which provides comprehensive rules on rights and obligations related to personal data.
Meanwhile, the Law on Digital Data, effective from July 1, 2025, regulates digital data more broadly, including non-personal data, data platforms, and cross-border data flows. One notable point is that, for personal data, the Law on Personal Data Protection allows businesses to conduct privacy impact assessments and risk assessments, replacing the assessments required by the Law on Digital Data, such as impact assessments, consent rules, and sensitive data processing, which are now codified into law. The upcoming decree will provide further details, such as the list of sensitive data, procedures, templates, and notification mechanisms.
In practice, the impact will be most visible where businesses interact directly with data, including websites, apps, customer management systems, marketing tools, and cloud services. The “collect first, ask later” model will no longer be acceptable. Businesses will need to obtain consent before tracking and maintain transparent control of data flows, especially when data is shared with systems in multiple countries.
The Law on Personal Data Protection also introduces high penalties for serious violations involving cross-border data transfers, with a maximum fine of 5 per cent of the previous year’s revenue.
From a professional standpoint, the earliest impact will be in website data collection and technical compliance. For internal processes or data not generated on web platforms, businesses should work with domestic law firms specializing in data protection to ensure full compliance and proper data governance.
What sectors in Vietnam will undergo the most significant changes when the Law takes effect?
Several sectors are expected to see substantial change, including healthcare and insurance, banking and finance, advertising, social networks, and online services, as well as technology fields such as big data, AI, blockchain, virtual reality, and cloud computing.
Banks, credit institutions, insurance companies, telecom operators, digital platforms, e-commerce businesses, adtech (advertising technology) firms, and enterprises using large-scale AI or cloud computing all handle vast amounts of sensitive personal data and will therefore be more heavily affected.
Under the Law on Digital Data, organizations must classify data into core, important, and other types. Transferring core or important data abroad will be subject to strict controls once detailed guidance is issued. Though this Law does not specify sectors, financial services and critical infrastructure are almost certain to hold large volumes of core or important data.
The draft guiding decree also states that data related to user behavior and the use of telecommunications, social media, or online media services is considered sensitive. This means that most behavioral tracking and profiling on websites, apps, or e-commerce platforms will require explicit, demonstrable consent and strict governance to ensure compliance.
Are Vietnamese businesses underestimating the risks associated with the Law on Personal Data Protection?
Yes, both in terms of legal risk and commercial impact. When the Law officially takes effect and its guiding decree is applied, businesses will have to meet clear requirements regarding consent records, their ability to fulfil data subject requests, cross-border data transfer documentation, and data governance responsibilities.
In addition, businesses may face commercial and partnership risks. Today, global customers and partners often ask questions like: “Where is our data stored?”, “What trackers does the website use?”, and “Does the business comply with its national laws?”
Companies unable to answer these questions risk losing contracts, especially in finance, BPO (Business Process Outsourcing), cloud, and SaaS (Software as a Service). I often tell businesses that data compliance will become as fundamental as taxation or accounting.
What should Vietnamese businesses prepare before the Law comes into force?
First, scan websites and systems using tools like the free AesirX Privacy Scanner to detect all trackers, cookies, SDKs (Software Development Kits), and endpoints, along with the countries through which data flows.
Second, map and classify all data flows. Identify where personal data is collected, through which channels, and where it is stored and processed (inside or outside of Vietnam). This includes cloud services, CDPs (Customer Data Platforms), CRM (Customer Relationship Management) software, marketing platforms, and support tools.
Third, implement consent-before-tracking. Data collection should only occur after consent is obtained. A user’s consent management system must truly block all tracking tools, such as Google Tag Manager, behavioral analytics, customer data platforms, and other trackers, until explicit consent is given. This blocking must work at the server and edge levels, not only in the browser.
Fourth, replace third-party tracking tools with solutions managed directly by the business in Vietnam whenever possible. Fonts, images, and videos should also be hosted domestically rather than using international content delivery networks.
Fifth, complete all documentation and data governance processes. Prepare records for every cross-border data transfer, including transmission points and protective measures. Maintain logs of user consent and logs related to handling data-subject requests. Develop an incident response plan and clearly assign responsibilities across departments, similar to the role of a data protection officer.
My guiding principle is: “Collect less, respect more.” Collecting less data reduces risk, builds trust, and makes compliance with the Law easier to demonstrate.
And note that compliance applies not only to data from websites, apps, or e-commerce systems, but also to internal data and all other processes. Therefore, I recommend working with domestic lawyers who specialize in data protection to ensure that internal data governance is fully compliant as well.
When the Law on Personal Data Protection takes effect and joins the Law on Digital Data, what opportunities will open up for Vietnam?
Alongside the risks that businesses must manage, the Law on Personal Data Protection and the Law on Digital Data also unlock significant opportunities if Vietnam implements them effectively.
First, stronger user and customer trust. When businesses can confidently say, “Your data is stored in Vietnam and protected under Vietnamese law,” and when consent systems, analytics tools, and tagging technologies all run on domestic servers, this becomes a powerful competitive edge. It matters most in finance, healthcare, government, and international B2B sectors.
Second, a boost for domestic digital infrastructure. Both laws create clear demand for locally-hosted cloud services, data centers, analytics platforms, and self-managed solutions. Vietnamese providers offering strong performance and built-in compliance will be well positioned to grow.
Third, the chance to export a “sovereign digital infrastructure” model. If Vietnam proves that growth in the digital economy and robust data protection can coexist, this framework could be adopted by other ASEAN markets. It is not just a software export, it is exporting a workable model of data governance.
Implemented well, the Law on Personal Data Protection and the Law on Digital Data are more than regulatory guardrails; they can become catalysts for Vietnam’s digital industry.
Can Vietnam become one of the pioneering countries in Asia in developing a sovereign data model?
Absolutely. Vietnam is already ahead in several areas, with Decree No. 13 on personal data protection and the forthcoming Law on Personal Data Protection and existing Law on Digital Data forming a fairly comprehensive legal framework. The government has also placed strong emphasis on data sovereignty, national data centers, and cloud infrastructure. Vietnam’s tech ecosystem benefits from a large, young, and capable developer community.
If Vietnam prioritizes first-party data - information provided directly by users - and strictly enforces the principle of “tracking only with consent,” rather than following the surveillance-driven adtech model seen elsewhere, the country could become a regional exemplar of how to build a modern, privacy-respecting, and sustainable digital economy.
Google translate