Vietnam’s Personal Data Protection Law is moving from principle to day-to-day operational reality in 2026. In January 2026, the Vietnamese government enacted Decree No. 356/2025, establishing a regulatory framework for the PDPL. As a result, law firms in Vietnam have seen an increase in related work, signaling that regulators and businesses are treating the PDPL as a live compliance program, not a future project. For business leaders, the goal is to build a repeatable roadmap that can scale across teams, vendors, and product lines, without relying on last-minute remediation.
Start with governance. Assign clear ownership for personal data compliance, and set up internal communication that avoids conflicting guidance and duplicated work. One practical benchmark comes from a client perspective in the market: Kazuya Hirota, a general director at Daiwa Logistics Vietnam in Ho Chi Minh City, described KPMG’s internal coordination as “very seamless,” adding that they “rarely experience issues like conflicting information or lack of alignment within their team.” Use that as an operating standard inside your organization. Build a single source of truth for policies, decisions, and risk acceptance. Then map how personal data flows across systems, business units, and vendors.
Cross-Border Transfers and Cybersecurity: Put the Hard Parts on a Timeline
Next, plan for cross-border transfers as a discrete workstream. In the market, advisors are already supporting clients on international data movement, including preparing and filing a cross-border data transfer impact assessment with the relevant authority. That detail matters for execution: you need documented assessments, an approval workflow, and a way to evidence what was filed, when, and by whom. In parallel, align contracts and vendor governance so that processors and service providers follow your requirements and do not create backdoor transfers through sub-processing or offshore support. Treat transfer compliance as continuous, because business operations and vendor footprints change.
Do not treat privacy compliance as separate from cybersecurity readiness. A new Law on Cybersecurity No. 116/2025 is set to take effect on 1 July 2026. Advisors are already helping global technology companies with compliance, including engagement with the relevant authorities and work tied to data localisation requirements. For many businesses, this means building a joint plan across legal, IT, procurement, and security teams. Identify which datasets and systems could trigger localisation obligations. Confirm where data is stored and accessed. Then create a response playbook that shows how you will handle regulator questions, vendor gaps, and operational constraints.
Finally, document the roadmap and resource it like a business initiative. Vietnam’s privacy work is not limited to one sector, and the overall market shows active growth and investment. For example, Gelex Infrastructure JSC announced completion of a $200 million syndicated loan arranged by HSBC, with participation from leading international banks. In consumer finance, F88 targets pre-tax profit of VND1.13 trillion ($42.89 million) in 2026, up 25%. These figures reflect the reality that many companies are scaling fast, and data practices can sprawl just as quickly. A practical PDPL program should track milestones, owners, and evidence, and be ready to adapt as enforcement expectations mature under Vietnam’s personal data protection law framework.
What changed in 2026 for Vietnam’s personal data protection law framework?
What is a practical first step for PDPL compliance?
What should businesses prepare for cross-border personal data transfers?
What cybersecurity milestone should companies track alongside PDPL work?
Why should fast-growing businesses prioritize privacy and data governance now?
