Businesses risk facing multiple violations if they are unprepared to comply with the Personal Data Protection Law.  
Photo credit: MIC.

The Personal Data Protection Law, expected to take effect on January 1, 2026, marks a significant step in enhancing data rights enforcement and implementing stricter penalties for violations. However, many businesses in Vietnam remain unaware of the critical importance of personal data protection.

The primary weakness of businesses lies in their insufficient understanding of data protection. Instead of integrating personal data protection into their sustainable development strategies, many businesses view it merely as a compliance obligation. This mindset has led to severe governance gaps in processes, technology, and personnel.

Process inadequacies: Many businesses lack standardized procedures for handling and protecting personal data. Some merely meet the bare minimum legal requirements without ensuring comprehensive and effective measures.

Technological gaps: Outdated or insufficiently secure IT systems increase the risk of data breaches. For instance, in 2016, a cyberattack on a Vietnamese airline’s server leaked the personal data of over 410,000 customers.

Human error: Poor workforce management exacerbates risks. In May 2021, an employee at a Vietnamese bank shared a celebrity's account statement online, exposing deficiencies in fostering a culture of data protection and internal controls.

Such vulnerabilities make businesses more likely to violate the upcoming Personal Data Protection Law.

The new law introduces civil, administrative, and criminal penalties for non-compliance. It requires businesses to handle data transparently, obtain user consent, and respond to user requests for data correction or deletion. These requirements align with the EU General Data Protection Regulation (GDPR), which has set rigorous precedents for data protection violations.

Examples of global penalties under GDPR:

WhatsApp Ireland Ltd. (2021): Fined €225 million for inadequate transparency in data processing.

Meta Platforms Ireland Limited (2023): Fined €1.2 billion for illegally transferring personal data to the U.S.

CRITEO (France, 2023): Fined €40 million for failing to honor user requests for data deletion.

When Vietnam’s Personal Data Protection Law takes effect, non-compliant businesses may face similar penalties.

In addition to legal repercussions, businesses risk losing consumer trust. With heightened awareness about data privacy, users may abandon services they perceive as insecure.

Example: In January 2021, WhatsApp announced privacy policy changes that allowed data sharing with Facebook. The backlash was swift, with many users leaving the platform due to concerns over potential data misuse. Although WhatsApp postponed the policy changes, the reputational damage and user loss underscored the critical importance of robust data management.

The Personal Data Protection Law requires businesses to not only comply but also demonstrate compliance with data protection principles.

Key steps for businesses:

Transparency: Clearly state the purpose of data collection and ensure user consent.

Minimalism: Only collect data necessary for declared purposes.

Responsiveness: Efficiently handle user requests to withdraw consent or delete data.

By prioritizing transparent and user-focused data practices, businesses can balance operational needs with the legal and ethical rights of data subjects.

Tuan Huy