Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Amid the seemingly incessant atmospheric swirl of digital regulations across the globe, Vietnam has charted a new trajectory for itself in privacy and data governance. Vietnam experienced a historic blast-off 1 Jan., with implementing rules to its Personal Data Protection Law entering into force. This, along with other developments cast under a telescope, brings Vietnam's regulatory galaxy into closer alignment with the rest of the world, while at the same time maintaining a laser focus on national priorities.

The PDPL and implementing rules: A new North star for compliance

Passed by the National Assembly in mid-2025, Vietnam's PDPL represents a quantum leap from the interim Decree No. 13/2023/ND-CP. The PDPL skyrocketed Vietnam out of the earlier gravitational pull of Decree 13 and secured a moon landing for the flag of comprehensive data protection to be planted.

In practical terms, the law sets out a diversified constellation of data subject rights — to be informed, to access, to correct and to delete their personal data — tightens consent requirements, and introduces meaningful procedural obligations for organizations processing personal data. 

On 31 Dec. 2025, the Vietnamese government issued Decree 356/2025/ND-CP, implementing rules that bring the PDPL's provisions into effect beginning 1 Jan. These rules also replace Decree 13 and establish detailed mechanisms for compliance with the baseline data protection obligations in the PDPL. 

Key elements of the implementing rules include:

  • Classification of personal data into basic and sensitive categories, with stronger protections required for the latter given the deep impact on individuals if compromised. Sensitive data encompasses a broad spectrum, such as an individual's location determined through location services, account log-in details and behavior monitoring on any online service.
  • Detailed procedures for responding to data subject requests, including the right to delete personal data, and for conducting data protection impact assessments.
  • Prescriptive requirements on transfers, including binding contractual protections, and risk assessments that need to pass through a wormhole of filings with the local authority.
  • Breach notification timelines, and requirements to satellite-signal incidents to authorities within 72 hours of their detection.  
  • Sectoral standards applicable to finance, big data, artificial intelligence, the metaverse, cloud, and blockchain. 
  • New administrative and enforcement tools, including enhanced reporting forms, audit roles and clear responsibilities for data controllers and processors.  

Interplanetary cross-over 

Vietnam's privacy planet does not exist in isolation. Alongside the PDPL and its implementing decree, the broader digital regulatory system has been reshaped through several significant laws:

  • The Law on Data, effective 1 July 2025, introduces data classifications such as core, important, nonpersonal and sensitive data, and imposes varying requirements in respect of each category.
  • The Law on Digital Technology Industry, effective 1 Jan. 2026, governs semiconductors, AI, blockchain and related technologies, signaling Vietnam's ambitions in the high-tech milky way of global competition. 
  • A revamped Cybersecurity Law strengthens government oversight of online identity, data, and content, reflecting the necessity of secure digital oceans in an interconnected world.  
  • Last but definitely not least, the AI Law, adopted in December 2025, is set to take effect in March 2026, with AI governance in orbit and human-centric accountability as its axis.  

Together, these instruments align to form a multilayered space shuttle comprising privacy, AI safety, accountability and national security, without collapsing into a black hole of regulatory uncertainty.

Enforcement

The PDPL imposes a force field of penalties for violations. Trading personal data without authorization can trigger fines up to 10 times the illicit gains, while unauthorized intergalactic transfers may lead to fines tied to annual revenue — a strong compliance pull as unavoidable as gravity itself. 

A new frontier

Vietnam's PDPL and its implementing decree mark the start of a sustained journey toward robust data protection and digital trust, in the intricate vortex of global privacy regimes. As the digital universe continues to expand towards infinity, practitioners and organizations alike must stay attuned to Vietnam's evolving compliance environment, ready to navigate its complexities as carefully as guiding a spacecraft through the cratered terrain of a foreign moon.

Charmian Aw, AIGP, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Hogan Lovells. 

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.