Vietnam issues new regulations on data storage for cyberspace businesses
Domestic and foreign firms need to store users' data in cyberspace within Vietnamese territory following a government decree which will take effect on October 1, 2022.
Under the decree, which details the implementation of the Cybersecurity Law effective in 2019, local and foreign enterprises providing services on telecommunications networks, the Internet, and additional services in cyberspace in Vietnam must keep data in centers that are physically located in the country, including:
- Data on personal information of service users in Vietnam;
- Data generated by service users in Vietnam: account names, credit card information, email and IP addresses, service use time, most recent logins, registered phone numbers;
- Data on the relationships of service users in Vietnam, including friends and groups the user interacts with online.
The form of storage will be decided by the business and the data retention period starts and ends in line with the data storage request.
The data must be stored for at least 24 months, and system logs for criminal investigation purposes must be stored for at least 12 months.
Firms will have 12 months to set up local data storage and local offices after being notified by the Ministry of Public Security.
In early September, the Vietnamese government issued a national cybersecurity strategy in response to cyberspace challenges through 2025 with a vision toward 2030, which aims to maintain Vietnam's ranking in the Global Cybersecurity Index (GCI) at 25th to 30th by 2025.
According to a report released by the International Telecommunication Union (ITU) in June 2021, Vietnam jumped 25 places after two years to rank 25th out of 194 countries and territories worldwide in the GCI in 2020. The country took the seventh position in the Asia-Pacific region and fourth among ASEAN countries in the field.