Vietnam’s New Data Law Takes Effect in July: What Global and Local Businesses Need to Know

Vietnam is entering a new era of data governance. Starting July 1, 2025, the country will enforce Law No.60/2024/QH15 – the Law on Data, its first comprehensive legislation aimed at safeguarding personal information and national digital assets. The law reflects a growing global trend of nations asserting data sovereignty and imposing stricter requirements for data privacy, protection, and accountability.

For any organization operating in Vietnam or processing data related to Vietnamese individuals, this is not a distant concern. It’s an immediate compliance priority.

 

Why This Law Signals a New Era of Data Control

The Law on Data introduces a broad, ambitious regulatory framework. It applies to both domestic and foreign organizations that collect, process, store, or transfer data originating in Vietnam. With new mandates on data classification, cross-border data transfers, risk assessments, and data ownership rights, the law marks a significant shift in how organizations must manage and protect data. Traditional perimeter-based security is no longer enough. Data protection must be persistent, context-aware, enabling security policies at the data level as needed.

In this evolving regulatory environment, policy documents and manual controls alone won’t ensure compliance. Organizations now need technology-driven solutions that automatically classify sensitive data, enforce usage policies, and protect information even after it leaves secure environments. That’s where Fasoo’s data-centric security platform comes in – providing comprehensive visibility, control, and resilience to help companies meet Vietnam’s regulatory requirements and prepare for what’s next.

 

A Snapshot of Vietnam’s Law on Data

The Law on Data introduces a structured framework for managing all digital data activity in Vietnam, both public and private. Here are the key takeaways:

1. Broad Jurisdiction

The law asserts authority over any organization, regardless of nationality or physical location, that:

• Collects or processes data related to Vietnamese individuals
• Stores data on servers located in Vietnam
• Provides online services accessible in Vietnam

This includes global cloud providers, social media platforms, e-commerce companies, and AI vendors with operations or data flows involving Vietnam. Organizations that previously considered Vietnam a peripheral market must now prioritize regulatory alignment.

2. Mandatory Data Classification

Organizations must classify their data into one of the following categories:

• Core Data: Critical assets that have a direct impact on national defense, security, foreign affairs, macroeconomic management, social stability, public health, or safety.
• Important Data: Data that may affect the same domains (defense, security, foreign relations, macroeconomic, social stability, and public health or safety) in case of a data breach.
• Other Data: All remaining data that does not fall into the above two categories but still requires appropriate baseline protections under the law.

More detailed lists of what qualifies as Important or Core Data will be issued by the Prime Minister.

Organizations are responsible for identifying which data assets fall under each category and implementing appropriate security measures based on sensitivity.

3. Cross-Border Data Transfer Restrictions

Any transfer of data outside Vietnam now requires:

• A clear justification for the transfer (e.g., storage, analysis)
• Proof of adequate safeguards in the destination country
• Registration of the transfer and explicit consent for certain data types
• Access and usage logs for audits

Non-compliance may result in suspension of data transfer rights or administrative penalties.

4. New Data Ownership Rights

Unlike previous regulatory frameworks that focused solely on privacy, Vietnam’s law formally  recognizes data as a property asset:

• Data can be treated as a commercial asset, allowing monetization through licensing, transfers, or business partnerships.
• Owners have exclusive rights to control access to their data, hold third parties accountable for misuse, and claim damages in case of loss, theft, or unauthorized use.

This shift requires organizations to define data ownership, specify custodianship terms in contracts, and maintain detailed audit trails to support ownership claims and resolve disputes.

5. Governance, Audits, and Risk Assessments

Entities handling regulated data must adopt a proactive governance model:

• Conduct regular data impact assessments, identifying risks from access, sharing, and storage practices
• Assign data protection officers or compliance leads
• Submit annual reports detailing classification results, cross-border activities, and incidents
• Cooperate with Vietnamese regulators during regulatory audits or inspections

This signals Vietnam’s transition toward a risk-based, transparent, and enforceable data governance environment.

 

How Fasoo Helps Organizations Comply with Vietnam’s Law on Data

🔍Discover, Classify & Monitor Sensitive Data with Fasoo Data Radar + Fasoo DSPM

The first step in compliance is understanding what data you have – and where it resides.

• Fasoo Data Radar scans your environment and automatically discovers and classifies data at rest, in transit, or in use.
• Fasoo DSPM (Data Security Posture Management) continuously assesses security vulnerabilities and applies policy controls based on data sensitivity and context.
• Together, they help you meet the law’s mandatory classification requirements and provide clear visibility into “important” and “core” data assets.

🔐 Control Access with Fasoo Enterprise DRM

Vietnam’s law recognizes data ownership rights, making persistent file-level protection essential.

• Fasoo Enterprise DRM (Digital Rights Management) encrypts files and enforces access policies that travel with the data, inside or outside your network.
• Prevents unauthorized access or use even after a file is shared or stored on unmanaged devices, ensuring only approved users can view, edit, print, or share files.
• Logs all file usage, supporting risk assessment and audit reporting requirements.

🛡️Control Cross-Border Data Use

With Fasoo, organizations can enforce policy wherever data flows.

• Define who can access data, when, where, and how, based on classification or user role
• Prevent sensitive data from crossing borders without proper authorization
• Maintain audit trails to prove compliance with cross-border transfer rules

 

Compliance with Control

Vietnam’s Law on Data marks a significant shift in how digital data must be managed, shared, and protected. But compliance doesn’t have to be a burden. It’s a strategic opportunity to build resilient, secure, and intelligent data environments.

With Fasoo, organizations can gain more than regulatory alignment. They gain control, visibility, and trust in their data practices, moving beyond reactive compliance to proactive control and safeguarding sensitive information while enabling collaboration and innovation.

Is your data ready for the Law on Data? Let Fasoo help you lead with confidence.