
The "Decree 13 Operational Baseline" refers to the set of compliance processes, governance structures, records management practices, and control implementations that organizations developed during the Decree 13/2023/ND-CP era – Vietnam's first dedicated personal data protection regulatory period, running from mid-2023 through the transition to Law 91/2025/QH15 and Decree 356/2025/ND-CP. It is not a separate instrument: it is the operational state that organizations arrived at through implementing Decree 13's requirements, and it is the starting point from which organizations must assess their readiness for the PDPL.
Understanding the Decree 13 operational baseline matters for two practical reasons. First, organizations that invested in building compliance programs under Decree 13 need to know what is reusable. Not everything built for Decree 13 is obsolete: consent management infrastructure, data mapping processes, breach notification procedures, and vendor assessment workflows all carry forward – though they may need to be upgraded, expanded, or reoriented to meet the PDPL's more prescriptive requirements. A baseline assessment enables organizations to distinguish between what is genuinely reusable (with configuration updates) and what needs to be rebuilt from scratch.
Second, the operational baseline is the reference point against which PDPL gap analysis is measured. An organization cannot identify gaps without knowing its current state. The Decree 13 operational baseline documents what processes existed, what records were produced, what controls were implemented, and what governance structures were in place. This documentation is the starting point for a structured transition assessment – and it is also the evidence package an organization needs if a regulator examines its compliance posture during the transition period.

The Vietnam Personal Data Protection Law (Law 91/2025/QH15) and its implementing decree, Decree 356/2025/ND-CP, define the current compliance obligations for personal data protection in Vietnam. For current obligations, see the Vietnam PDPL (Law 91/2025/QH15) compliance page and the Decree 356 PDPL Implementation page. For a detailed comparison of what changed between Decree 13 and the PDPL, see the Vietnam PDPL Decree 13 Era (Legacy) page.
The Decree 13 operational baseline is the inherited state from which organizations begin their PDPL compliance journey. Organizations that implemented Decree 13 diligently have a materially better starting position for PDPL compliance than organizations that did not. Their data mapping is partially done. Their consent infrastructure exists. Their incident response procedures are established. Their vendor governance processes are in place. The transition work is about assessing what must change, what must be upgraded, and what must be added – not building from zero.
For the Enterprise DPO (P-VN-01) and Department Data Owner (P-VN-02) personas who led Decree 13 implementation, the baseline assessment is also a way to demonstrate organizational competence: to show regulators, auditors, and board stakeholders that the organization managed the transition deliberately and methodically, rather than simply adopting the new framework without acknowledging the predecessor. This documented transition continuity is an element of demonstrating good-faith compliance during an enforcement review.

| Baseline Component | Decree 13 Implementation | PDPL Upgrade Requirement |
|---|---|---|
| Processing activity register | Basic register of processing activities maintained for MPS registration | Must be upgraded to Phu luc I structure with all required data fields |
| Consent management | Consent notices with prescribed information, opt-in records | Must be upgraded to Phu luc V documentation structure; sensitive data requires explicit consent |
| Cross-border transfer records | Transfer notifications filed with MPS pre-transfer | Must be converted to Transfer Impact Assessment (Mau so 01a/01b + Mau so 09) with impact assessment methodology |
| Breach notification process | MPS notification within prescribed window using Decree 13 notification format | Must be upgraded to 72-hour window with Mau so 08 form; supplement loop management required |
| Data processing agreements | Agreements with processors in place with Decree 13 provisions | Must be assessed against Phu luc VII structure; agreements may need renegotiation |
| Data subject rights process | Basic access and correction rights fulfillment | Must be expanded to full rights regime (deletion, portability, objection, restriction); Phu luc VI documentation required |
| Third-party processor registration | Processors registered with MPS | Must be transitioned to service processing certificate (Mau so 04-07) where applicable |
| Annual compliance review | Periodic review of processing activities | Must be upgraded to structured Phu luc VIII annual compliance report |
| Incident response procedure | Basic breach detection and notification procedure | Must be integrated with Incident Operations module for full case management with evidence chain of custody |

A complete Decree 13 operational baseline assessment covers seven dimensions:

| Dimension | What to Assess | Output |
|---|---|---|
| Governance structure | DPO or equivalent role, accountability model, escalation paths | Documentation of governance model with role assignments |
| Process inventory | All active compliance processes with procedure descriptions | Documented process catalog |
| Records inventory | All compliance records produced under Decree 13 | Records catalog with retention status |
| Control implementation | Technical and organizational controls in place | Controls register |
| Gap identification | Comparison of baseline against PDPL/Decree 356 requirements | Gap register with remediation priorities |
| Transition plan | Ordered remediation actions to close gaps | Transition roadmap |
| Evidence continuity | Plan for maintaining Decree 13-era evidence through the transition | Retention schedule and evidence access plan |

ComplianceOne supports the Decree 13 operational baseline through structured baseline assessment workflows in the Program Governance module. Organizations can document their Decree 13-era compliance program components – governance structure, process inventory, records inventory, controls register – within a dedicated baseline assessment project. The assessment output is a structured gap register that compares each Decree 13 baseline component against its PDPL/Decree 356 counterpart and identifies the specific upgrade actions required. This gap register is then linked to a PDPL transition project with task assignments, deadlines, and accountability for each remediation action.
For records inventory and evidence continuity, the Data Mapping module supports legacy data mapping import – organizations can import their Decree 13-era processing activity records and map them to the Phu luc I structure required under the PDPL, tagging each mapped activity with its upgrade status (fully compliant, partially compliant, requires reassessment). This gives the Enterprise DPO a real-time view of how much of the Decree 13 processing register has been successfully transitioned and how much remains to be addressed.
The Audit Trail module's historical evidence retrieval capability supports baseline evidence export: organizations can generate an evidence pack scoped to the Decree 13 compliance period, including all compliance actions recorded in the system during that period, for use in inspection readiness or internal audit. This evidence pack carries the same cryptographic integrity verification as current compliance evidence, ensuring that historical records meet the same evidentiary standard as current records.

- Program Governance: Provides structured baseline assessment workflows, gap register management, and transition project tracking.
- Audit Trail: Maintains tamper-evident historical records covering the Decree 13 compliance period for inspection readiness.
- Data Mapping: Supports legacy processing register import and mapping to Phu luc I structure with transition status tracking.
- Consent: Enables legacy consent record assessment and gap-tagging against PDPL Phu luc V requirements.
- Assessments: Supports gap assessment for processing activities that require DPIA filing under the PDPL but were only registered under Decree 13.
- Compliance Forms: Provides PDPL form templates for transitioning Decree 13 notifications and registrations to Decree 356 form standards.

Organizations assessing and managing their Decree 13 operational baseline should confirm:

The Decree 13 instrument analysis (see the Decree 13 Legacy page) covers what Decree 13 required as a regulatory instrument – the specific obligations, forms, and procedures it prescribed. The Decree 13 operational baseline covers what your organization built in response to those requirements – the processes, records, governance structures, and controls it implemented. Both are needed for a complete transition picture: the instrument analysis tells you what was legally required; the baseline assessment tells you what your organization actually did in response.
The appropriate level of granularity depends on the organization's size, the complexity of its processing activities, and its risk profile. At minimum, the baseline assessment should cover all seven dimensions listed in the Technical Provisions section above. For large organizations with complex multi-departmental processing, the process inventory and records inventory components may require department-level breakdowns. ComplianceOne's Program Governance module supports configurable baseline assessment templates that can be scoped to the appropriate level of depth.
Yes. The Decree 13 baseline assessment directly feeds use case UC-VN-16 (Current-State Assessment, Criteria Set, and Gap Findings). In ComplianceOne, the Decree 13 baseline documentation serves as the current-state input for the PDPL gap analysis. The gap register produced by the baseline assessment becomes the criteria and findings document for the PDPL transition, driving the remediation roadmap and governance model updates (UC-VN-17).
The baseline documentation continues to serve as historical evidence of the organization's compliance posture during the Decree 13 period. It should be retained as part of the organization's compliance records archive, accessible for inspection readiness covering historical compliance periods. It also provides the documented starting point for any future regulatory change assessment – demonstrating that the organization has a systematic practice of assessing its compliance baseline before transitioning to new requirements.