Data protection is an increasingly critical concern for businesses operating in today’s digital landscape. As technology evolves, so do the risks and challenges associated with safeguarding sensitive information. In the context of Vietnamese law, it becomes imperative for organizations to implement effective strategies for managing compliance risks related to data protection. This article explores cost-effective approaches that businesses can adopt to ensure adherence to Vietnamese data protection regulations while minimizing financial burdens. By implementing these strategies, organizations can protect their data, maintain regulatory compliance, and enhance trust with stakeholders.

In brief

Data is an invaluable asset for companies, and recognizing its significance, the Vietnamese government, along with many others, has introduced a Decree outlining stringent regulations for data management and processing. However, implementing these regulations in a commercially viable manner can pose challenges.

In the near future, businesses, especially those with an international presence, will confront stringent regulations aimed at safeguarding the data of Vietnamese individuals. Additionally, companies must stay updated on any changes made to the regulations. Failure to comply could result in severe consequences. Consequently, businesses should take proactive measures to ensure they are in full compliance with the evolving regulations. Moreover, companies should consider seeking legal advice and guidance to navigate the intricacies of the regulations effectively. Foreign companies should take note that these regulations were issued by the Ministry of Public Security (MPS), which underscores the importance of developing innovative compliance programs.

Consent of collecting personal data

The new regulations highlight the consent of the data subject as a significant requirement. Companies possessing data now have a legal obligation to inform the data subject about the type of data being processed, the purpose of processing, the identity of the entity performing the processing, and the rights and obligations involved. Companies will face the challenge of establishing efficient procedures to comply with these consent requirements, or they may consider outsourcing this service. Under the new regulations, companies must actively seek express consent from the data subject. 

Consent form of data subject

This consent could be obtained through written agreements, verbal confirmation, check boxes, text messages, or other suitable means. Silence or the absence of an explicit action is not considered consent.

This raises the question: Can companies use a universal privacy notice that covers all data processing purposes and obtain consent through a single checkbox, or is separate consent required for each purpose? As per the Decree, companies can obtain consent for multiple purposes simultaneously, but each specific purpose must be disclosed, and the data subject must have the opportunity to provide separate consent for each stated purpose. The regulations do not allow for a blanket “all or nothing” checkbox.

Implementation and competent authorities

Moreover, entities responsible for controlling and processing personal data must prepare and maintain a “dossier for the assessment of the impact of personal data processing.” This dossier will be inspected and evaluated by the Ministry of Public Security. In addition, it must be submitted to the Department of Cyber Security and Hi-Tech Crime Prevention within 60 days of commencing personal data processing. Moreover, any updates or changes to the processing impact assessment dossier must also be reported. Furthermore, companies dealing with significant amounts of data may need to create dedicated positions to ensure compliance with these regulations.

Lastly, there are additional requirements for cross-border transfers of personal data. Once again, the consent of the data subject is necessary, and a transfer impact assessment dossier must be created. To simplify compliance, international companies may consider storing and processing their data within Vietnam, necessitating the sending of a written notice to the Department of Cyber Security and Hi-Tech Crime Prevention.

Exception cases

Compliance with notification and consent procedures must be strictly observed at all stages of data processing (collection, recording, storage, publication, access, etc.), unless otherwise provided by the law. There are limited exceptions to this rule, including: 

(i) protection of life and health in emergency cases, 

(ii) disclosure of information as required by law, 

(iii) performance of contractual obligations, and 

(iv) support from relevant state authorities according to sector-specific regulations. 

Furthermore, violations of personal data protection provisions may result in data subjects seeking compensation for damages, although the Decree does not specify the extent of potential legal liability. Despite the increasing complexity of data transfers under the new regulations, multinational companies may still consider transferring data to their home country. Consequently, businesses will be required to establish protocols for bringing back data in accordance with the regulations.

Attention when gaining consent from data subject for foreign business in Vietnam

Foreign companies operating in Vietnam should pay attention to data protection and implement cost-effective strategies to manage compliance risks in accordance with Vietnamese law. Here are some key areas to focus on:

+ Consent and Notification:

Ensure that proper consent is obtained from data subjects for data processing activities. Implement notification procedures that inform data subjects about the purpose, type of data being processed, the entity processing the data, and their rights and obligations.

+ Data Processing Purpose:

Comply with the requirement to obtain separate consent for each specific data processing purpose. Avoid using blanket consent mechanisms and consider implementing individual consent options for different purposes.

+ Cross-Border Transfers:

Take into account the strict requirements for cross-border transfers of personal data. Obtain explicit consent from data subjects, create transfer impact assessment dossiers, and notify the relevant authorities in the Department of Cyber Security and Hi-Tech Crime Prevention.

+ Assessment of Data Processing Impact:

Prepare and maintain a dossier for the assessment of personal data processing impact. Ensure that this dossier is updated as required and promptly report any changes to the authorities.

+ Compliance Monitoring and Reporting:

In addition, prioritize the implementation of comprehensive training programs to educate employees on data protection protocols. Furthermore, foster a culture of accountability and responsibility by regularly communicating the importance of data privacy to all staff members. Additionally, consider conducting periodic audits to evaluate the effectiveness of current data protection measures. Moreover, actively engage with regulatory authorities and industry experts to stay abreast of emerging trends and best practices in data protection. Last but not least, invest in state-of-the-art technology and security systems to safeguard sensitive information from potential breaches.

+ Privacy by Design:

Integrate privacy considerations into the design, development, and implementation of data processing systems and practices. Implement measures to safeguard personal data and protect the rights and interests of data subjects.

+ Data Breach Response Plan:

Furthermore, it should outline the roles and responsibilities of key personnel involved in the response process. Additionally, the plan should clearly define escalation procedures and establish a designated incident response team. Moreover, regular training and simulation exercises should be conducted to ensure preparedness and improve response capabilities. Additionally, ongoing monitoring and assessment of security systems should be implemented to proactively identify and mitigate any vulnerabilities. Finally, continuous improvement and refinement of the response plan should be prioritized to adapt to the ever-evolving threat landscape.

+ Employee Awareness and Training:

Provide regular training and awareness programs to employees regarding data protection regulations, their responsibilities, and best practices for data handling and processing.


In conclusion, ensuring data protection and managing compliance risks in accordance with Vietnamese law is crucial for foreign companie. By implementing cost-effective strategies, such as obtaining proper consent, conducting cross-border transfers in compliance with regulations. Also maintaining data processing impact assessments, monitoring compliance, implementing privacy by design, and having a robust data breach response plan. The companies can effectively protect personal data while minimizing financial burdens. By prioritizing data protection and compliance, foreign companies can build trust with customers, mitigate legal risks, and enhance their reputation in the Vietnamese market.

HMLF is always available to offer assistance in understanding the procedures with authorities.

HMLF legal services

Harley Miller Law Firm “HMLF”
Head office: 14th floor, HM Town building, 412 Nguyen Thi Minh Khai, Ward 05, District 3, Ho Chi Minh City.
Phone number: +84 937215585
Website: Email:

Leave a reply