How Must Businesses Adapt to the Stricter New PDPL?

In a digital age where cybersecurity threats are rapidly increasing, personal data has become a valuable asset that demands protection. To address this situation, the Vietnamese government has embarked on a significant reform of its data and cybersecurity laws. A crucial step in this process is the passing of the new Personal Data Protection Law (PDPL) by the National Assembly on June 26.

This PDPL is set to come into force on January 1, 2026, and will directly impact all businesses operating in Vietnam, including foreign enterprises that handle and process personal data. Today, let's summarize the key points you need to know to prepare.

Why Does Vietnam Need This Law?

The cybersecurity landscape in Vietnam is quite concerning. In 2024 alone, over 10 terabytes of data were encrypted due to attacks, more than 14 million accounts were leaked, and DDoS attacks surged by 34% (totaling 924,000 attacks). Furthermore, over 1,200 fake websites and instances of unauthorized brand usage were detected, with 71% of all recorded attacks targeting the finance and banking sectors. These figures clearly indicate Vietnam's urgent need for a robust legal framework to protect data.

Additional Insights: Beyond the PDPL, the Law on Data will become effective on July 1, 2025, regulating data processing and setting a framework for cross-border data transfers. Additionally, a draft Cybersecurity Law 2025 is expected to combine two older laws and be submitted to the National Assembly in October 2025.

Key Provisions of the PDPL Businesses Must Know

The new PDPL introduces several important concepts and requirements:

  • Data Classification: Personal data will be divided into "basic personal data" and "sensitive personal data" (e.g., health information, ethnicity). Sensitive data will be subject to stricter protection measures.
  • Prohibition of Personal Data Trading: To protect human rights, privacy, and the identity of data subjects, this law strictly limits the processing of personal data, explicitly prohibiting the commercial buying and selling of personal data.
  • Strengthened Data Subject Rights: The law is founded on the principle of empowering data subjects to control and manage their own personal data.
  • Strict Penalties: Administrative sanctions for violations have been significantly updated:
    • Unlawful Data Trading: Fines up to 10 times the revenue gained from the illegal activity.
    • Illegal Cross-Border Data Transfers: Fines up to 5% of the previous year's revenue.
    • Other Violations: Fines up to 3 billion VND (approximately $118,000 USD).

    • Individuals: Will face half the fine applicable to organizations for PDPL violations.

So, How Must Businesses Adapt?

The PDPL imposes new obligations on companies operating in Vietnam, particularly those involved in data processing:

  • Impact Assessments (DPIA / TPIA): Companies must conduct a Data Processing Impact Assessment (DPIA) and a Transfer Impact Assessment (TPIA). These are new and crucial requirements.
  • Exemptions and Grace Periods:
    • Microenterprises and household businesses are exempt from the PDPL's scope.
    • Startups and small firms may opt for a five-year grace period for conducting DPIAs and appointing a Data Protection Officer (DPO).
  • Sector-Specific Regulations: Authorities will provide specific regulations for various industries, including healthcare, insurance, banking, financial services, online media, advertising, big data, AI, and cloud computing.
  • Updating Existing Documents: Data processing consents and impact assessments obtained under previous decrees (like PDPD) remain valid but must be updated to align with the new PDPL requirements.

What Happens If You Neglect Compliance?

Failure to comply with the PDPL can lead to severe legal consequences, including substantial monetary fines and other legal repercussions such as temporary suspension of business licenses.

Conclusion: Stepping into the Era of "Data Compliance"

Vietnam's new Personal Data Protection Law is a clear signal that this region is seriously entering an era of "Data Compliance." Organizations that start adapting and complying early will not only avoid legal risks and penalties but also build a competitive advantage through increased trust from customers and partners.

The ever-changing landscape of laws, regulations, and industry-specific requirements can make compliance challenging, especially for small and medium-sized businesses. To help address these complexities, SearchInform has developed its Managed Security Service (MSS). This service combines advanced security solutions with access to skilled and experienced security professionals, offering 360-degree protection against data breaches and internal threats.

If your organization operates or has partners in Vietnam, don't delay!

Contact us today for a free regulatory compliance check! Contact us directly here: https://activemedia.co.th/contacts/

    ______________________________________________________________________________________________________________________________________________________________________

    Source: https://searchinform.com/blog/2025/7/2/vietnam-passes-personal-data-protection-law/