Discover, Classify, Encrypt, and Track Your Sensitive Data and Comply with LPDP
The Vietnam Law on Personal Data Protection (LPDP), formally adopted by the National Assembly in June 2025, is the country’s first full-fledged personal data protection law.
It elevates Vietnam’s personal data rules from a government decree to a national law, establishing legally binding obligations for organizations that process personal data.
The LPDP builds on earlier regulations, including Decree 13/2023, but significantly strengthens enforcement authority, accountability requirements, and organizational responsibilities.
From this date, organizations must comply with the LPDP and its implementing decrees. Previous regulations, including Decree 13/2023, are phased out as the LPDP takes full effect.
The LPDP applies broadly and is not limited to Vietnam-based companies.
You may be subject to the law if your organization:
This includes foreign companies operating outside Vietnam if their data processing activities relate to individuals in Vietnam.
Vietnam’s LPDP distinguishes between personal data and sensitive personal data.
Personal Data | Sensitive Personal Data |
|---|---|
Information that identifies or can be used to identify an individual | Data that requires stricter protection due to higher risk |
Name, date of birth, gender | Financial information |
Contact details and address | Health and biometric data |
Identification information | Location and behavioral data |
Personal images or profiles | Other data categories defined by implementing regulations |
Processing sensitive personal data typically requires explicit consent, enhanced safeguards, and stricter accountability.
Many organizations struggle because:
Without data-level control and traceability, compliance becomes difficult to sustain.
Organizations subject to the LPDP are expected to implement controls across the entire data lifecycle, including:
The law emphasizes continuous responsibility, not one-time compliance.
Fasoo supports organizations with a data-centric security approach that aligns with the core principles of the Vietnam LPDP.
Use this quick checklist to assess your current readiness:
Data Visibility & Classification | |
|---|---|
Do you know where personal and sensitive data is stored across on-premises, cloud, and shared environments? | |
Can you identify sensitive personal data without relying on manual tagging? | |
Have you eliminated unknown, duplicated, or unmanaged personal data? | |
Lawful Processing & Control | |
Can you enforce access control based on data types and sensitivity, not just system permissions? | |
Are usage policies (e.g., view, edit, print, copy) consistently enforced across all locations? | |
Does protection remain in place after files are downloaded or shared externally? | |
Sensitive Data Protection | |
Do you apply stronger controls to sensitive personal data than to general data? | |
Can you restrict high-risk actions (e.g., printing, screen capture) for sensitive data? | |
Are users clearly accountable for how sensitive data is accessed and used? | |
Auditability & Accountability | |
Can you see who accessed which data, when, and how? | |
Are detailed activity logs centrally managed and audit-ready? | |
Can you demonstrate compliance with evidence, not just policies? | |
Cross-Border Data Governance | |
Do you maintain control over personal data transferred outside Vietnam? | |
Are security policies consistently enforced across regions and partners? | |
Can you respond quickly to regulatory or internal compliance inquiries? |
Solution
Global regulations continue to push for stronger protections on personal and sensitive data. Is your organization ready?
Product
Encrypt sensitive documents at rest, in transit, and in use, and apply granular access controls to prevent unauthorized access.
Product
Discover, classify, and monitor sensitive data across all storage locations. Gain full visibility over unstructured data and reduce security risks.
A demonstration is worth a thousand words.
Schedule a 30-minute demo with one of our data security experts!
The Vietnam Law on Personal Data Protection (LPDP) is a national law that regulates how personal data related to individuals in Vietnam is collected, processed, stored, shared, and transferred. It became effective on January 1, 2026, establishing legally binding data protection obligations for organizations.
Yes. The LPDP applies to both domestic and foreign organizations if their data processing activities involve personal data of individuals in Vietnam. Physical presence in Vietnam is not required for the law to apply.
While the LPDP shares concepts with GDPR, such as data subject rights, consent, and accountability, it is a separate legal framework with its own requirements, enforcement authority, and local interpretation. Organizations should not assume GDPR compliance automatically equals LPDP compliance.
Sensitive personal data includes information that could significantly impact an individual’s rights if misused, such as financial data, health data, biometric information, and behavioral or location data. Sensitive personal data is subject to stricter protection and control requirements.
Common challenges include:
These gaps often arise when security is focused on systems rather than data.
Organizations that cannot demonstrate compliance may face regulatory scrutiny, operational disruption, or enforcement actions under Vietnam’s data protection framework. Early preparation reduces risk and avoids last-minute remediation.
No. The LPDP requires ongoing data governance, continuous monitoring, and consistent policy enforcement throughout the data lifecycle.
Fasoo supports LPDP readiness by enabling:
This data-centric approach aligns with the LPDP’s emphasis on accountability and protection beyond system boundaries.
Now.
Although the LPDP is already in effect, organizations at any stage of compliance can benefit from assessing data visibility, control gaps, and audit readiness. Contact us to talk to a data protection specialist to build sustainable compliance.
