On December 31, 2025, the National Cybersecurity Association hosted a high-level forum titled “Personal Data Protection – Rights and Responsibilities.” The event was held ahead of the official implementation of the Personal Data Protection Law, which comes into effect on January 1, 2026.

Organized under the direction of the Department of Cybersecurity and High-Tech Crime Prevention (A05), the forum brought together government regulators, legal and tech experts, research institutes, business leaders, and representatives from 35 media outlets.

In recent years, personal data has emerged as a vital asset in both the digital economy and digital governance. Yet, incidents of data being illegally gathered, traded, or used have soared. The first half of 2025 alone saw 56 such cases uncovered, involving over 110 million illegally obtained records, according to A05.

The root of the problem lies in the growing demand for personal data in business operations, which some individuals and organizations have exploited for personal gain.

Approved by the National Assembly on June 26, 2025, and set to take effect from January 1, 2026, the Personal Data Protection Law establishes clear rights for citizens. These include the right to be informed, to give consent, to access, correct, and request deletion of their data. It also outlines the legal responsibilities of public agencies, organizations, and businesses throughout the full data lifecycle - from collection to storage and sharing.

Colonel Nguyen Hong Quan, Deputy Director of the A05 Department under the Ministry of Public Security, affirmed that the right to personal data protection - once seen as a subset of the right to privacy - is now recognized as an independent right, enshrined and protected by law.

Colonel Quan emphasized that Vietnam is now part of a global movement: nearly 80% of the world’s population lives under jurisdictions with some form of personal data protection law. The issuance of Decree 13 and the enactment of the Personal Data Protection Law represent Vietnam’s strong commitment to a secure digital environment that respects human rights.

Lieutenant Colonel Nguyen Dinh Do Thi, Deputy Head of A05’s Planning Division, further warned of the serious threats posed by cyberattacks aimed at stealing information. In 2024 alone, Vietnam faced over 659,000 such attacks, including more than 10,000 targeting state agencies and businesses.

According to Lieutenant Colonel Thi, the new law serves as a foundational, principle-based statute, aligning with constitutional provisions on personal and digital rights and helping unify Vietnam’s legal framework.

Violations will be penalized harshly. Entities found trading personal data illegally could be fined up to 10 times the illicit earnings from the offense. Administrative penalties could reach USD 124,000 (approximately 3 billion VND).

“This law introduces new tools to hold parties accountable for ensuring the protection of personal data,” Thi explained.

He added that the drafting body hopes to send a strong message to both individuals and enterprises: everyone shares responsibility in protecting data.

For citizens, Thi emphasized four key responsibilities. First, raise awareness and take responsibility for safeguarding one’s own data. Second, apply protective measures like strong passwords and two-factor authentication. Third, carefully review service providers' terms of use before accepting them. And finally, understand the functionalities of online platforms to avoid hidden data exploitation.

For businesses, especially those handling large volumes of data, Lieutenant Colonel Thi urged thorough study of the law and full compliance. Enterprises must implement technical safeguards and ensure their data processors are trustworthy. When breaches occur, they must promptly report incidents and collaborate with authorities in investigations.

Ngo Tuan Anh, Deputy Head of Data Security and Personal Data Protection at the National Cybersecurity Association, highlighted three key priorities for implementation.

First, raise awareness and build human capacity. Data protection systems cannot function without personnel who understand the law, the risks, and their responsibilities. Training should extend beyond IT staff to include executives, legal teams, and HR departments.

Second, standardize internal data practices. Organizations must review the entire data lifecycle - from collection and storage to sharing and destruction - and establish a long-term, continuously updated data protection program suited to their size and sector.

Third, foster a local data protection technology ecosystem. Anh stressed that no single solution is sufficient. Vietnam needs a layered technological approach that includes monitoring, prevention, access control, risk management, and lifecycle oversight. Building such an ecosystem is key to reducing compliance costs for businesses.

Thai Khang