Market Focus - Regulatory Compliance Vietnam

Mar 04, 2026 · 8 minute read

TL;DR: Vietnam is moving fast from “privacy as paperwork” to privacy as an operational system: impact dossiers, cross-border assessments, administrative procedures, data governance, telecom confidentiality, and cybersecurity-driven localization rules.

If you operate in banking, telecom, payments, e-commerce, or any large digital service, compliance now means maintaining ongoing registers, structured workflows, and verifiable evidence, not just publishing a policy page.

The real risk isn’t that you don’t have documents; it’s that you can’t produce the right dossier in the right format, on the right timeline, with the right audit trail.

This article is a practical walkthrough of the Vietnamese legal stack and is written for DPOs, legal/compliance teams, CISOs, and digital leaders operating in Vietnam - especially in banking, telecom, payments, e-commerce, and large enterprises with cross-border services. If you’re responsible for producing dossiers, running incident and authority-request workflows, or keeping vendor and data-flow governance audit-ready, this is written for you.

Why a Vietnam-first regulatory map matters

If you’ve run compliance programs in the EU, US or Singapore, it’s tempting to assume Vietnam is the same story with different wording. It isn’t.

Vietnam’s direction is clear: governance + state-grade procedures + operational accountability. That means:

  • Formalized procedures and standardized templates where authorities expect structured submissions.
  • Clearer requirements around cross-border transfer, localization, and data governance controls.
  • Sector overlays (especially telecom and cybersecurity) that change what “normal privacy compliance” looks like in practice.

Vietnam compliance is no longer ‘do you have a policy?’ - it’s ‘can you produce the dossier, prove the controls, and show the audit trail on demand?’

A modern Vietnam GRC (Governance, Risk, and Compliance) program therefore needs two layers:

  1. The legal frameworks layer: laws, decrees, decisions, guidance.
  2. The execution layer: registers, assessments, submission dossiers, incident workflows, vendor controls, evidence management.

This article walks through both.

The Vietnamese regulatory stack

1. Personal data protection: PDPL 2025 and Decree 356

Vietnam’s Personal Data Protection Law (PDPL 2025) is the anchor for personal data governance: principles, roles, rights, breach handling expectations, and the system of impact assessments and cross-border assessments. Decree 356 is the implementation layer that turns “what the law says” into “how you do it.”

What a Vietnam-ready GRC program needs here is not only a DPIA-style report, but a structured program covering:

  • Role mapping (controller / processor / joint roles) per processing activity.
  • Personal data inventory (including sensitive categories).
  • Consent and notice management (what was shown, when, to whom, and proof).
  • Data subject rights workflows and evidence logs.
  • Breach workflow, triage, and reporting package generation.
  • Vendor/processor governance: due diligence, contracts, sub-processors, change controls.
  • Cross-border transfer register + transfer impact assessment structure.

The fastest way to fail PDPL is to treat it like a ‘privacy policy project’ instead of a ‘governance and evidence system’.

2. Administrative procedures: Decision 778 and the formal dossier process (A05 / MPS)

Decision 778 is where Vietnam’s PDPL enforcement becomes operational. It doesn’t just say “prepare a dossier.” It standardizes the lifecycle of a dossier: how it is received, validated, supplemented, refused, extended, and finalized. That matters because it moves compliance from static documentation to controlled execution.

In practice, this means enterprises need a dossier capability that can:

  • produce submission-ready outputs consistently, with the correct attachment structure.
  • track status changes and version history when dossiers are updated or supplemented.
  • maintain an audit trail that shows what changed, who approved it, and when.

That’s a positive shift for serious compliance teams: more predictability, clearer expectations, and less ambiguity under pressure.

When the state standardizes the process, your compliance system must become process-native, not document-native.

3. Data governance: Vietnam Data Law

Vietnam’s Data Law pushes beyond personal data and into broader data governance: data classification, risk management in processing, governance responsibilities, and the concept that “data compliance” is not only a privacy topic.

For organizations, this means you need governance artifacts that look familiar to GRC teams:

  • Enterprise data inventory (datasets, owners, systems, locations, retention).
  • Data classification and handling rules.
  • Retention and deletion schedules (with exceptions documented).
  • Data sharing and disclosure logs.
  • A governance audit plan and evidence collection workflow.
  • Risk assessments that cover privacy risk, cybersecurity risk, access risk, and operational risk.

In mature organizations, PDPL and Data Law must be mapped together: the same dataset often triggers both.

4. Telecom overlay: Telecommunications Law and implementing rules

If you’re a telco, ISP, data center operator, or a regulated digital infrastructure provider, telecom rules add a second “compliance gravity field” around confidentiality, disclosure, logging expectations, and operational controls.

Even for non-telcos, telecom infrastructure is often upstream of your services. That matters because compliance risk can travel through vendors and critical suppliers.

A Vietnam-ready GRC approach here requires:

  • Confidentiality and access control rules for telecom-related data.
  • Disclosure governance: approvals, scope minimization, and disclosure logs.
  • Authority request intake/verification/response package records.
  • Retention schedules aligned to sector obligations.
  • Incident reporting and post-incident corrective action records.

Sector law is where generic privacy programs go to die, because sector obligations are operational, not theoretical.

5. Cybersecurity and localization: the LOSC 2025 direction and what it changes

Cybersecurity regulation is where Vietnam’s approach becomes most “infrastructure-driven.” The compliance question becomes: where is the data stored, what is the service, who are the users, and how quickly can you respond to lawful requests?

What matters for most large digital services:

  • Localization triggers (when they apply, what data categories are in scope).
  • Architecture decisions (onshore storage, segmentation, access control, monitoring).
  • Authority request handling readiness (intake, verification, response, chain-of-custody).
  • Incident readiness and evidence preservation.

A draft implementing decree/guidance under the Law on Cybersecurity 2025 signals tighter rules on data localization and IP address identification. This is exactly where teams should be careful: drafts can reshape definitions, thresholds, timelines, and even who is in scope.

The right stance is:

  • Track drafts as a watchlist framework.
  • Build readiness templates as “preparation controls”.
  • Promote to “active compliance requirements” only when finalized.

Drafts and consultations: how to stay compliant without chasing noise

Draft guidance is signal, not law. It’s useful because it shows where enforcement is heading - but it can also change materially before it becomes final. The mistake is to rewrite your compliance program every time a consultation paper drops.

A more resilient approach is to run a two-speed compliance posture:

  • Enforceable instruments (laws, decrees, decisions): these drive your mandatory registers, dossiers, workflows, and audit evidence.
  • Draft instruments (consultations): these go into a monitored “watchlist” so your DPO and security/compliance teams can assess likely impact without treating it as a binding obligation yet.
  • Readiness documentation: lightweight preparation notes - data flow mapping, architecture options, gap lists - so you can move quickly if the draft becomes final.

When the instrument is finalized, you don’t start from scratch. You convert your readiness work into updated dossiers, templates, and controls with clear versioning and an audit trail.

Treat drafts like weather forecasts: you prepare for them, but you don’t rebuild your house every time the wind changes.

What “Regulatory Compliance Vietnam” should look like in practice

For Vietnamese enterprises, banks, and telcos, compliance can’t live in scattered Word files and ad-hoc spreadsheets. The real requirement is operational: when something changes - an incident, a vendor update, a cross-border flow, or an authority request - you need to produce the right dossier, with the right attachments, on the right timeline.

That’s why a Vietnam-focused compliance program typically needs four building blocks working together:

A. Core registers that stay current

  • A Vietnam-adapted processing inventory (ROPA-style).
  • Personal data inventory including sensitive data classification.
  • Vendor/processor register including sub-processors and change history.
  • Cross-border transfer register (flows, recipients, safeguards, locations).
  • Disclosure and authority request logs.
  • Retention and deletion schedule (with documented exceptions).

If your registers aren’t alive, your compliance is a snapshot - not a system.

B. Assessments and dossier outputs you can generate consistently

  • Processing impact assessment dossier (PDPL).
  • Cross-border transfer impact assessment dossier (PDPL).
  • Data governance risk assessments where Data Law applies.
  • Localization and architecture readiness assessments where cybersecurity/localization rules apply.

C. Workflows for the moments when risk becomes real

  • Data subject rights intake → verification → response → closure evidence.
  • Incident response: triage → record → decision → reporting package → corrective actions.
  • Authority request handling: intake → verification → response package → chain-of-custody.
  • Vendor change impact assessment when onboarding or altering third parties.

D. Evidence and audit trail that survives scrutiny

  • Policy approvals and attestation records.
  • Evidence pack generation (what exists, where it is, who approved it, when it changed).
  • Submission tracking and status history for procedures that are standardized, including supplement cycles and versioning.

The common failure mode isn’t “we didn’t try.” It’s that compliance is distributed across teams, formats, and folders - so when time pressure hits, nobody can assemble a complete, defensible dossier fast enough.

Why I’m writing this now

Over the past months, I’ve been deep inside Vietnam’s compliance reality while building a Vietnam-native GRC platform for enterprise teams who need their documentation, workflows, and evidence to hold up under scrutiny.

The pattern I keep seeing is simple:

  • Most organizations can write a policy.
  • Fewer can run the workflows.
  • Very few can produce the correct dossier formats quickly, consistently, and with audit-grade evidence.

That gap is where compliance becomes expensive, slow, and risky - especially when an incident happens, a vendor changes, cross-border flows evolve, or authorities request documentation.

Vietnam enterprises, banks, telcos - what we’re building and what we need from you

We’re currently building a dedicated Vietnam GRC Suite tailored to Vietnam’s legal frameworks and the way compliance is enforced in practice: dossiers, registers, workflows, evidence, and submission readiness.

If you’re operating in Vietnam and you are:

  • A bank or financial institution.
  • A telco, ISP, or data center operator.
  • A large enterprise running cross-border services or regulated data flows.
  • A group company managing multiple subsidiaries and vendors.

…we’re open to early enterprise input and pilot participation.

Compliance becomes manageable the moment it becomes a system

What we’re looking for isn’t abstract “feature requests,” but real operational reality:

  • Which dossiers and registers your teams struggle to produce.
  • Which workflows break under time pressure (incidents, authority requests, vendor changes).
  • Which data flows are hardest to govern (cross-border, shared platforms, third parties).
  • What “audit-ready” means inside your organization (and what evidence actually gets challenged).

If you want to shape a Vietnam-native GRC Suite built for your environment, send me an email or reach out here. We’ll start with a short call, give you access to a demo environment, map your compliance pain points, and translate them into concrete roadmap priorities.

Ronni K. Gothard Christiansen
Technical Privacy Engineer & CEO @ AesirX.io

Laws referenced in this article: Decision 778/QĐ-BCA-A05 (administrative procedures for personal data protection), PDPL 2025 (Law No. 91/2025/QH15), Decree 356/2025/NĐ-CP, Vietnam Data Law (Law No. 60/2024/QH15), Telecommunications Law (Law No. 24/2023/QH15) and Decree 163/2024/NĐ-CP.

Disclaimer: This article highlights only a subset of Vietnam’s regulatory frameworks relevant to the specific topic and space constraints of the LinkedIn format. Other frameworks also require serious attention in practice, including the Vietnam AI Law (effective 1 March 2026), the E-Commerce Law (Law No. 122/2025/QH15), and the Cybersecurity Law (Law on Cybersecurity 2025, effective 1 July 2026).
