DPO Radio
Draft Enforcement Decree 2026 (PDPL)
Draft Enforcement Decree 2026 (PDPL)
Anticipated enforcement decree for Vietnam's PDPL – penalty framework, inspection powers, and administrative procedure refinements
Prepare for the anticipated PDPL enforcement decree with gap readiness assessments, evidence completeness checks, and compliance program documentation that supports defensibility under a formal enforcement regime.
Draft Enforcement Decree 2026: Scope and Current Status
The Draft Enforcement Decree 2026 is the anticipated administrative enforcement instrument for Vietnam's Personal Data Protection Law (Law 91/2025/QH15). It is not yet enacted. As of the current date, draft provisions are under development and circulating within the regulatory process, with expectations that the decree will be issued in 2026 to establish the formal enforcement framework for the PDPL – including administrative penalty structures, MPS inspection powers, enforcement procedures, and the consequences of specific compliance failures under the PDPL and Decree 356/2025/ND-CP.
The need for a formal enforcement decree reflects the structure of Vietnamese administrative law. Law 91 establishes the compliance obligations. Decree 356 specifies the administrative procedures. A separate enforcement instrument is required to define the penalty framework – which violations carry which penalties, which organizational roles are liable, what mitigating and aggravating factors apply, and how MPS conducts inspections and enforcement proceedings. Until this instrument is enacted, enforcement of the PDPL relies on the general administrative penalty framework rather than PDPL-specific penalty provisions, which creates uncertainty about how penalty amounts and enforcement priorities will be applied to specific violations.
Organizations that defer PDPL compliance preparation until after the enforcement decree is enacted take a significant risk. The enforcement decree's role is to specify consequences for obligations that are already in force under Law 91 and Decree 356. Non-compliance with those obligations exists regardless of whether an enforcement decree has been issued. The practical effect of the enforcement decree's enactment is that it removes ambiguity about penalties – making enforcement actions more predictable and more likely. Organizations with strong compliance programs in place before the enforcement decree takes effect are in the most defensible position.
How the Draft Enforcement Decree Relates to the Vietnam PDPL
The Vietnam Personal Data Protection Law (Law 91/2025/QH15) is the parent statutory framework establishing the compliance obligations. Decree 356/2025/ND-CP specifies the administrative procedures and form requirements. For current obligations under both instruments, see the Vietnam PDPL (Law 91/2025/QH15) compliance page and the Decree 356 PDPL Implementation page.
The Draft Enforcement Decree 2026, when enacted, will complete the PDPL regulatory instrument hierarchy by adding the enforcement layer. Organizations that have already built compliant operations under Law 91 and Decree 356 will have the strongest defensive position under the enforcement regime. Organizations that are still building toward compliance when the enforcement decree takes effect will face a shorter window between enactment and enforcement action.
For the Enterprise DPO (P-VN-01), the Breach Response Lead (P-VN-09), and the Internal Audit Lead (P-VN-10), the enforcement decree is relevant both as a compliance risk (what are the specific consequences of non-compliance) and as a compliance program driver (what evidence will be required to demonstrate compliance in an enforcement proceeding). Enforcement decrees typically establish record-keeping requirements that are more specific than the underlying compliance decree, because they need to define what evidence satisfies a compliance defense.
Technical Provisions and Anticipated Obligations
| Area | Anticipated Provision | Basis for Anticipation |
|---|---|---|
| Administrative penalty tiers | Graded penalty amounts corresponding to violation severity (minor procedural violations at lower tiers, material data breaches or systematic non-compliance at higher tiers) | Standard Vietnamese administrative penalty decree structure |
| Organizational liability | Penalties may apply to the organization, responsible individuals (DPO, legal representative), or both depending on violation type | Pattern from comparable Vietnamese administrative decrees |
| Inspection powers | MPS authority to conduct scheduled and unannounced inspections, request documentation, and examine compliance systems | PDPL Article provisions on MPS authority |
| Penalty mitigation factors | Good-faith compliance efforts, voluntary disclosure, cooperation with MPS, evidence of remediation actions | Standard mitigating factors in Vietnamese administrative penalty framework |
| Aggravating factors | Recidivism, concealment of violations, failure to cooperate with MPS, large-scale impact on data subjects | Standard aggravating factors |
| Enforcement priority areas | Breach notification compliance (Mau so 08 and 72-hour window), DPIA filing completion for high-risk processing, cross-border transfer compliance | Areas where Law 91 and Decree 356 are most prescriptive |
| Record-keeping requirements for defense | Documentation requirements to demonstrate compliance defense, including evidence packs, contributor lineage, and submission records | Pattern from comparable enforcement instruments |
| Milestone | Estimated Timing | Status |
|---|---|---|
| Draft circulation for stakeholder comment | Early 2026 | Anticipated |
| Finalization and Government approval | Mid 2026 | Anticipated |
| Effective date | Following Government approval, typically within 30-60 days of issuance | Anticipated |
How ComplianceOne Supports Enforcement Readiness Preparation
ComplianceOne's enforcement readiness support operates across two timeframes: pre-enactment preparation and post-enactment compliance operations.
For pre-enactment preparation, the Program Governance module supports enforcement readiness assessment workflows that evaluate the organization's current compliance posture against the anticipated enforcement priorities under the draft decree. This assessment examines DPIA filing completeness, breach notification workflow compliance, consent record quality, cross-border transfer documentation, and evidence pack generation capability – the areas where enforcement scrutiny is most anticipated. The output is a prioritized remediation register that enables the organization to close the most significant compliance gaps before the enforcement decree takes effect.
Evidence completeness is the most critical pre-enforcement preparation task. ComplianceOne's evidence pack generation capability allows organizations to conduct dry-run enforcement readiness exercises: generating evidence packs for their DPIA filings, breach notifications, and cross-border transfer assessments to verify that the evidence is complete, correctly structured, and accessible. Gaps identified during these exercises – missing contributor lineage, incomplete form sections, audit trail gaps – can be remediated before an actual MPS inspection creates enforcement exposure.
When the enforcement decree is enacted, ComplianceOne's configuration model allows rapid adaptation to any new record-keeping requirements or procedural obligations the decree introduces. Framework compliance rules can be updated in the Program Governance module to reflect the enacted penalty tiers and enforcement priorities, enabling the organization to align its ongoing compliance program with the specific risk profile the enforcement decree creates. The platform's monitoring capability can be configured to alert the compliance team when compliance activities approach the enforcement decree's deadline thresholds, providing proactive warning rather than reactive discovery.
Related Modules
Program Governance
Provides enforcement readiness assessment workflows, penalty risk scoring, and compliance posture documentation.
Audit Trail
Maintains tamper-evident, hash-chained records that form the evidentiary foundation for compliance defense under enforcement proceedings.
Explore Audit TrailDPIA and Assessments
Ensures DPIA filing completeness across all triggered processing activities – the highest enforcement priority area.
Explore IncidentsIncident Response
Maintains complete breach notification records with 72-hour compliance evidence – a second primary enforcement focus area.
Explore Data MappingCompliance Forms
Provides correctly labeled Decree 356 form templates for all MPS submissions, supporting defensibility in enforcement proceedings.
Explore Compliance FormsEnforcement Readiness Preparation Checklist
Organizations preparing for the anticipated enforcement decree should confirm:
See Enforcement Readiness in Action
Ready to see how ComplianceOne structures enforcement readiness assessments, evidence completeness checks, and compliance documentation for the anticipated PDPL enforcement regime? Request a demo.
Tu Pham - Country Manager, AesirX
Head of Risk with 15+ years in fintech and banking across ERM, compliance, fraud, audit, and regulatory frameworks.
Frequently Asked Questions
The obligations being enforced under the draft decree – DPIA filing, breach notification, consent management, cross-border transfer documentation – are already in force under Law 91/2025/QH15 and Decree 356/2025/ND-CP. The enforcement decree will not create new obligations; it will specify penalties for non-compliance with existing obligations. An organization that is not yet compliant today is accumulating enforcement risk that the decree's enactment will convert into quantified penalty exposure. Preparation is more effective before the decree takes effect, when there is still time to remediate gaps without enforcement scrutiny.
Based on the structure of Law 91 and Decree 356, and the pattern of enforcement priorities in comparable Vietnamese administrative frameworks, the most likely primary enforcement areas are: DPIA filing completeness for high-risk processing activities; breach notification compliance (72-hour window and Mau so 08 form requirements); cross-border transfer documentation; and consent record quality. These are the areas where Law 91 and Decree 356 are most prescriptive and where evidence requirements are most clearly defined. ComplianceOne's enforcement readiness assessment focuses on these areas.
Yes. The enforcement decree's specific requirements – penalty tiers, record-keeping requirements, procedural obligations – will be reflected in updated compliance rules in the Program Governance module when the decree is enacted. This may include updates to compliance scoring, new evidence categories, and updated alert thresholds. ComplianceOne's compliance rules are configurable without platform updates, allowing rapid alignment to enacted instrument requirements.
Yes. Draft provisions are inherently subject to change. The preparation approach recommended here focuses on actions that strengthen compliance under Law 91 and Decree 356 regardless of how the enforcement decree's specific provisions are finalized – completing DPIA filings, ensuring breach notification workflows are functional, verifying evidence pack quality. These actions reduce compliance risk and improve enforcement defensibility under any likely version of the enforcement decree.
Next Steps
Start a Compliance Pilot
Test enforcement readiness workflows with your team – evidence pack generation, DPIA filing completeness assessment, and compliance documentation review.
Discuss Your Compliance Needs
Talk to our team about enforcement readiness preparation, compliance posture assessment, and how to structure your PDPL compliance program for defensibility under the anticipated enforcement regime.
The evolution of Aesir is Aesir + 
(the Norse symbol for Necessity)"Needed in order to achieve a particular result"
♥Join the AesirX Privacy Newsletter. Stay Informed. Stay Compliant.
