DPO Radio

The Vietnam Data Law is the parent framework for broad data governance in Vietnam. It reaches beyond personal data to address digital data assets, their classification, use, sharing, and movement. Organizations need a reliable view of what data they hold, how it is governed, and which records support each decision.
The framework now has two distinct operational layers. Decree 165/2025/NĐ-CP is active and supplies the implementing procedures, timelines, risk guidance, and official forms used for current compliance work. The Draft Decree on Data Exchange Operations is a separate child instrument that is still under development and must not be treated as final law.
This distinction matters in practice. Current obligations need controlled execution and evidence today, while draft requirements need monitored preparation that can change as the text progresses. Blending the two creates unreliable compliance plans and misleading evidence.
ComplianceOne keeps the parent law, active implementing decree, and draft data-exchange instrument connected without flattening their legal status. Teams can manage current work while maintaining a separate, reviewable readiness track for the draft.
Law 60/2024/QH15, covering enterprise data governance, classification, sharing, and transfer controls.
Decree 165/2025/NĐ-CP, the implementing decree in force since 1 July 2025.
Draft Decree on Data Exchange Operations, covering data-exchange operators, participants, listings, transactions, and controlled testing.
Data registers, classification decisions, approvals, risk reviews, transaction records, supporting documents, and audit history.
Eleven Decree 165 Mẫu số forms for the active implementing layer; draft Mẫu ĐK01 for the data-exchange proposal.
Active obligations are managed separately from draft readiness and regulatory-change monitoring.
Decree 165 adds the operational layer beneath the Data Law. ComplianceOne supports the decree’s procedures, timelines, risk areas, guidance, and eleven official Mẫu số forms without duplicating the parent law’s role.
The draft addresses the National Data Exchange relationship, other data exchanges, security and interoperability, controlled testing environments, electronic contracts, listing review, and transaction evidence. Its requirements remain subject to change.

ComplianceOne connects data discovery, mapping, and classification records so teams can maintain a governed inventory rather than a collection of disconnected spreadsheets. Review and approval records show how classifications and handling decisions were made.
For Decree 165, the platform brings current forms, procedures, deadlines, guidance, and risk records into the same controlled workspace. Teams can assign owners, prepare supporting evidence, review form content, and preserve a complete history of changes and approvals.
For the data-exchange draft, ComplianceOne maintains a separate readiness track. Organizations can assess security, interoperability, listing review, controlled testing, contracting, and transaction-evidence needs without representing draft provisions as enacted requirements.
Evidence packs and audit history provide a reviewable record of completed work. Where Data Law activity overlaps personal data protection or cybersecurity, the same underlying evidence can be linked to the relevant obligation without losing its original context.
Maintains data inventories, system relationships, and data-flow records.
Explore Data MappingRecords classification decisions, review status, and linked handling expectations.
Explore Data ClassificationAssigns ownership, reviews, recurring work, and regulatory-change actions.
Explore Program GovernanceSupports official forms and controlled supporting documentation.
Explore Compliance Forms

ComplianceOne supports the active Decree 165 layer with its official forms and operational records while preserving the Data Law as the parent framework.
Draft data-exchange preparation remains clearly labeled and configurable, helping teams prepare for change without presenting anticipated provisions as final law.
Shared evidence and audit history help organizations manage overlaps with personal data protection, cybersecurity, and other Vietnam obligations.
Ready to see how ComplianceOne manages data governance obligations operationally? Request a demo tailored to your organization's needs.

The Data Law is the parent framework. Decree 165 is its active implementing decree, adding procedures, timelines, guidance, risk records, and eleven official Mẫu số forms.
Organizations processing personal data in Vietnam are typically subject to both. ComplianceOne manages both frameworks from a single platform.
No. It remains a draft and its provisions may change. ComplianceOne presents it as a readiness and regulatory-change track, not as an active source of final legal obligations.
The annual attestation is managed as a recurring workflow in the Program Governance module. The platform tracks due dates on a 365-day cycle, routes attestation sections to responsible department owners, tracks completion progress, consolidates multi-department inputs, and produces the attestation report. All contributions are captured with timestamps and contributor lineage.
The Data Discovery module automates identification of data assets across connected systems. Discovered assets are routed to the Data Classification module where they are classified by sensitivity and importance. Classification assignments are reviewed by data owners, and each classification level is linked to operational handling rules (access control, retention, deletion).
The platform connects official form preparation to assigned work, supporting evidence, review, approval, and audit history. This helps teams prepare complete records without separating the form from the operational proof behind it.
ComplianceOne includes all 11 Mau so form templates defined by Decree 165/2025/ND-CP (01a through 07b), covering data inventory registers, classification records, governance documentation, and attestation reports. Templates are structured to match MIC-prescribed formats and are available in both Vietnamese and English.
Yes. The Data Law requires governance across all data-owning departments. ComplianceOne routes governance tasks to responsible department owners, tracks each department's contributions, and consolidates inputs into unified documentation. Contributor lineage is preserved in the audit trail, showing who contributed what and when.
Yes. Data inventories, classification records, transfer documentation, and approvals can be linked to related personal data protection or cybersecurity work while retaining their source and review history.
No. ComplianceOne structures compliance work, evidence, ownership, and review. Organizations remain responsible for legal interpretation and approval of their submissions.

Test data governance workflows with your team – inventory, classification, attestation, and evidence generation for MIC compliance.

Talk to our team about data governance operations, multi-framework coverage, and deployment options for your organization.