
January 1, 2026, marks a turning point for data privacy in Vietnam. After years of evolving regulatory frameworks, the Law on Personal Data Protection (LPDP), formally adopted by the National Assembly in June 2025, will come into force, establishing the country’s first comprehensive legal regime for personal data protection.
For organizations operating in or engaging with the Vietnamese market, this is more than just a legal milestone: it’s a compliance imperative. The LPDP introduces new obligations, expands the scope of regulations, and imposes steeper accountability and enforcement mechanisms than prior decree-based rules.
Evolution of Vietnam’s Data Protection Regime
Vietnam’s data privacy landscape has historically consisted of scattered laws and decrees, including the Civil Code, the Law on Cyber Information Security, and Decree No. 13/2023/ND-CP on Personal Data Protection (Decree 13). These provided an initial structure but lacked the force of a full law, leading to regulatory uncertainty.
With the passage of Law No. 91/2025/QH15 on Personal Data Protection (LPDP) in June 2025 and its entry into force on January 1, 2026, Vietnam has shifted to a law-based framework that aligns more closely with global norms while reflecting domestic priorities. The next step is to understand what the LPDP actually covers.
What LPDP Covers
At its core, the LPDP governs the collection, processing, storage, sharing, transfer, and deletion of personal data related to Vietnamese individuals. Personal data is broadly defined to include identifiers like names, dates of birth, contact details, financial information, health data, and other information that can identify an individual. Sensitive personal data, such as biometric information or location data, receives stricter protection.
The law applies not only to Vietnamese entities but also to foreign organizations that collect or process personal data of individuals in Vietnam, regardless of physical presence. This extraterritorial scope means global companies must take note.
Key Compliance Requirements
- Lawful Processing and Consent
Under the LPDP, personal data must be processed lawfully, fairly, and transparently. Consent remains a primary legal basis for processing, especially for sensitive personal data.
- Data Subject Rights
Individuals gain enhanced rights under the LPDP, including the rights to access, correct, or delete their personal data. Organizations must establish mechanisms to respond to these rights within prescribed timelines.
- Impact Assessments
Entities must be prepared to conduct impact assessments, particularly for high-risk processing activities. The mandatory assessments are Data Protection Impact Assessments (DPIAs) and Outbound Transfer Impact Assessments (OTIAs). These assessments identify privacy risks and specify the measures that will mitigate them.
- Cross-Border Data Transfers
Cross-border transfers of personal data are subject to strict rules and often require formal assessments and compliance checks before execution.
- Accountability and Documentation
Organizations must maintain robust internal documentation to demonstrate compliance. This includes data inventories, processing records, policies, and evidence of privacy controls.
Enforcement and Penalties
The LPDP introduces significant consequences for non-compliance. These include administrative fines, potential criminal liability, and requirements to compensate affected individuals. Some penalties and enforcement mechanisms are more stringent than under Decree 13, especially concerning unlawful cross-border transfers or mishandling sensitive personal data.
Administrative penalties on personal data violations include:
- Cross-border transfer violations: fines up to 5% of the previous year’s revenue or VND 3 billion.
- Illegal personal data trading: fines up to 10 times the illegal gains or VND 3 billion.
This signals Vietnam’s intent to actively enforce data protection rights and place accountability at the forefront of business operations.
Why Many Organizations Will Struggle
Meeting LPDP requirements is challenging for organizations that lack visibility into where personal data resides or how it flows across systems. Traditional security approaches centered on perimeter defenses are often insufficient for proving compliance under a data-centric legal framework.
Challenges include:
- Identifying personal and sensitive data across hybrid environments
- Tracking access and usage after download or external sharing
- Maintaining audit-ready evidence of compliance activities
- Managing cross-border data flows under strict governance controls
Taking Action: How Organizations Can Comply with Fasoo
The LPDP has been in effect since January 1, 2026, but compliance should be continuous rather than a one-time project:
- Conduct Data Discovery & Classification
LPDP Requirement:
Organizations must know what personal data they collect, where it resides, and whether it includes sensitive personal data. Without visibility, lawful processing, consent management, and risk assessment are impossible.
Enterprise challenge:
Personal data is often scattered across file servers, endpoints, collaboration platforms, and cloud storage – unmanaged and unlabeled.
How Fasoo Data Radar (FDR) and Fasoo DSPM help:
- Discover personal and sensitive data across multiple and hybrid environments
- Automatically classify data based on pre-defined policies aligned with LPDP definitions
- Define and apply detailed security policies based on classification and access requirements
- Identify high-risk data sets
This establishes a baseline visibility layer, which is essential for LPDP readiness.
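The discovery and classification step above is the one place on this page where a concrete technique can be shown. The following is an added illustration, not Fasoo code and not part of the original article: a minimal content scanner that detects personal and sensitive data with regular expressions, assigns each file a sensitivity level using the page’s two tiers (personal vs. sensitive), and flags high-risk files. The detector patterns, the 12-digit national ID format, the bulk threshold and the sample documents are all assumptions constructed for the example; a production scanner would use validated detectors and scan real file shares.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

# Detector patterns (constructed for this example; tune them to your own data).
# The second tuple element is the tier: "personal" or "sensitive", following
# the LPDP split described in the article.
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "personal"),
    # Vietnamese mobile number: +84 or leading 0 followed by nine digits.
    "phone_vn": (re.compile(r"(?<!\d)(?:\+84|0)\d{9}(?!\d)"), "personal"),
    # Assumed 12-digit citizen ID format; an illustration, not a legal definition.
    "national_id": (re.compile(r"(?<!\d)\d{12}(?!\d)"), "personal"),
    # Decimal latitude/longitude pair, e.g. "10.7769, 106.7009": location data.
    "geo_coord": (re.compile(r"(?<![\d.-])-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}(?![\d.])"), "sensitive"),
    # A few health-related terms standing in for a real medical vocabulary.
    "health_term": (re.compile(r"\b(diagnosis|blood type|HIV|prescription)\b", re.I), "sensitive"),
}

# Files holding at least this many identifiers are treated as bulk stores of
# personal data and rated high risk even without sensitive data (assumed value).
BULK_THRESHOLD = 20


@dataclass
class Finding:
    path: str
    hits: dict = field(default_factory=dict)  # detector name -> match count
    sensitivity: str = "none"                 # none | personal | sensitive
    risk: str = "low"                         # low | medium | high


def scan_text(path: str, text: str) -> Finding:
    """Classify one document by running every detector over its text."""
    finding = Finding(path)
    for name, (pattern, tier) in DETECTORS.items():
        count = len(pattern.findall(text))
        if count == 0:
            continue
        finding.hits[name] = count
        # Sensitive data always dominates the file's classification.
        if tier == "sensitive":
            finding.sensitivity = "sensitive"
        elif finding.sensitivity == "none":
            finding.sensitivity = "personal"
    total = sum(finding.hits.values())
    if finding.sensitivity == "sensitive" or total >= BULK_THRESHOLD:
        finding.risk = "high"
    elif total:
        finding.risk = "medium"
    return finding


def scan_corpus(docs: dict) -> list:
    """Scan an in-memory mapping of path -> text (used for the sample below)."""
    return [scan_text(path, text) for path, text in docs.items()]


def scan_directory(root: str) -> list:
    """Walk a real directory tree; undecodable bytes are skipped, not fatal."""
    findings = []
    for file in Path(root).rglob("*"):
        if file.is_file():
            text = file.read_text(encoding="utf-8", errors="ignore")
            findings.append(scan_text(str(file), text))
    return findings


def summarize(findings: list) -> dict:
    """Count files per risk level; this is the 'baseline visibility' report."""
    summary = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        summary[finding.risk] += 1
    return summary


# Constructed sample corpus standing in for a file share (fictitious data).
SAMPLE_DOCS = {
    "hr/employees.csv": "name,email,phone\n"
                        "Nguyen Van A,a.nguyen@example.com,0912345678\n"
                        "Tran Thi B,b.tran@example.com,+84987654321\n",
    "ops/fleet_gps.log": "2026-01-05T08:00 driver 079123456789 at 10.7769, 106.7009",
    "clinic/notes.txt": "Patient c.le@example.com, blood type O, diagnosis: flu",
    "eng/README.md": "Build with make; see docs.",
}

if __name__ == "__main__":
    results = scan_corpus(SAMPLE_DOCS)
    for f in results:
        print(f"{f.path:20} {f.sensitivity:9} {f.risk:6} {f.hits}")
    print(summarize(results))
```

Run as a script the block classifies the HR export as personal/medium risk, the GPS log and clinic note as sensitive/high risk (location data and health terms), and the README as low risk; `scan_directory` applies the same logic to a real path. The point for LPDP readiness is the output record: a per-file classification and risk rating is what a policy engine or DRM system needs before it can apply the stricter controls the law demands for sensitive data.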
- Implement Persistent Data Controls
LPDP Requirement:
Personal data must be protected throughout its lifecycle, including after it is downloaded, shared, or even moved outside controlled systems.
Enterprise challenge:
Traditional security controls stop once data leaves the company system, exposing personal data to unauthorized access, leakage, or sharing.
How Fasoo Enterprise DRM (FED) helps:
- Applies encryption automatically to files containing personal or sensitive data
- Ensures persistent protection regardless of file location
- Enforces least privilege by controlling access permissions per file
- Reduces exposure risk when data is shared with vendors, partners, or remote workers
This data-centric security aligns with LPDP’s accountability model.
- Enforce Usage Policies
LPDP Requirement:
Organizations must prevent unauthorized access, misuse, or excessive processing of personal data, even by internal users.
Enterprise challenge:
With many solutions, security policies are difficult to modify once deployed. As regulations, business needs, or data sensitivity evolve, security teams struggle to adjust usage controls quickly and consistently.
How FDR, FED, and Fasoo eXception Management (FXM) help:
- FDR identifies and classifies personal data that requires tighter controls
- FED enforces granular usage permissions based on data sensitivity
  - View-only access for sensitive personal data
  - Restrictions on printing, copying, or sharing
- FXM grants provisional permissions for approved exceptions, so legitimate workflows outside the standard policy can proceed without loosening the baseline controls
This allows organizations to adapt controls as requirements change, a critical capability under LPDP’s evolving compliance expectations.
- Prepare for Audit and Accountability
LPDP Requirement:
Organizations must demonstrate compliance through documentation, logs, and evidence, and be able to respond quickly to investigations or incidents.
Enterprise challenge:
Many organizations struggle to prove who accessed personal data, when it was used, and whether policies were enforced.
How FDR and FED help:
- FDR provides a discovery report on data locations, classifications, and risks
- FED logs all data access and usage activities, including unsuccessful attempts
- Together, these provide traceability of personal data usage during audits or breach investigations
- The logs and reports support post-incident analysis and regulatory reporting requirements
With Vietnam’s LPDP now in effect, compliance is no longer theoretical. Regulators expect organizations to prove control over personal data, not just declare policies. Build a practical and scalable LPDP compliance framework with Fasoo solutions.