Vietnam has one of the fastest-growing digital economies in Asia, with rapid expansion in e-commerce, fintech, and social media platforms. With this growth comes greater risk of personal data misuse, fraud, and cybersecurity breaches. On 26 June 2025, Vietnam's National Assembly passed the Personal Data Protection Law (PDPL, Law No. 91/2025/QH15). The new law comes into effect on 1 January 2026, replacing Decree 13/2023/ND-CP (PDPD). The PDPL aims to build trust through clear standards on data collection, processing, transfers, and protection, and businesses can demonstrate accountability, and reduce the risks of managing data protection and privacy, with the help of a data protection officer.
Key changes under the PDPL
The PDPL introduces stronger rights for individuals, clearer responsibilities for businesses, and stricter enforcement measures. It also aligns Vietnam more closely with international frameworks such as the EU’s GDPR, while still reflecting national priorities.
Compared with the existing PDPD, the PDPL introduces several notable updates:
- Penalties and fines: For the first time, violations can result in fines of up to 5% of revenue for serious breaches, particularly in cross-border data transfers.
- Data protection officers (DPOs): Entities must designate a DPO or data protection department, though outsourcing is permitted if requirements (to be defined by the Government) are met.
- Small business exemptions: Start-ups and small enterprises can defer appointing a DPO or conducting impact assessments until 2031, provided they are not processing sensitive data or large volumes of data.
- Industry-specific rules: Stricter requirements apply to sectors such as employment, advertising, social media, cloud services, AI, and biometrics, reflecting areas with heavy data use.
- Recognition of past compliance: Consent already collected and assessments already filed under the PDPD remain valid, reducing duplication for organisations that have already started compliance efforts.
Similarities and differences with the GDPR
While inspired by the GDPR, Vietnam’s PDPL introduces its own caveats:
- Both laws have extraterritorial reach, meaning they apply to foreign companies processing local citizens' data.
- Like the GDPR, the PDPL requires DPOs and impact assessments, but its exemptions for small businesses are narrower.
- The PDPL's principles consolidate the GDPR's framework but add two new ones: violation prevention and balancing national interests with individual rights.
- Consent remains central, but the PDPL's exceptions (e.g., for fraud prevention or legal claims) are narrower than the GDPR's legitimate interest ground.
- Cross-border transfers face stricter controls, including mandatory transfer impact assessments in many cases.
What organisations should do now
With the PDPL taking effect in just six months, businesses should act quickly. Practical steps include:
- Map data flows: identify what personal data you collect in Vietnam, where it is stored, and with whom it is shared.
- Gap analysis: compare existing policies and practices against PDPL requirements.
- Update policies: revise privacy notices, consent mechanisms, contracts, and security standards to meet PDPL obligations.
- Prepare assessments: draft or update data protection impact assessments (DPIAs) and transfer impact assessments (TIAs) where relevant.
- Appoint a DPO: assign internal staff or partner with an external DPO provider to oversee compliance.
- Train teams: ensure employees handling personal data understand the new rules.
With the law coming into force on 1 January 2026, organisations should act now to avoid last-minute compliance pressures and potential fines. HewardMills' team of global data protection and privacy experts can support your team to embed privacy and security into your operations now, enabling you to stay ahead of the incoming regulatory change and protect your reputation in one of Asia's most dynamic markets.