The Director of Asia Legal has outlined seven key steps to help foreign-invested (FDI) enterprises protect personal data and ensure compliance with the newly effective Personal Data Protection Law…
On April 10, FSI, in collaboration with DDS (Japan), FSI DDS, and the Vietnam Office Machinery Association (VOMA), organized a forum titled “Personal Data Protection Law: Challenges and Compliance Solutions for FDI Enterprises.”
At the forum, experts noted that although the Personal Data Protection Law includes detailed and stringent regulations, there remains a significant gap between legal requirements and practical implementation.
Mr. Son highlighted that FDI enterprises face the greatest challenges due to three main factors:
First, they must simultaneously comply with global governance standards imposed by their parent companies, which often include strict legal requirements across multiple jurisdictions.
Second, they must adapt to and fully comply with Vietnam’s evolving legal framework.
Third, they face increasing pressure from customers and partners, particularly regarding data security and personal data processing requirements.
Assessing FDI enterprises in Vietnam, Mr. Luu Xuan Vinh, Managing Director and Lawyer at Asia Legal, emphasized that most of these companies originate from countries with well-developed legal systems such as Singapore, Japan, and South Korea. Therefore, they already possess a strong “compliance mindset” when entering the market.
However, difficulties in complying with Vietnam’s regulations are inevitable. At the seminar, Mr. Vinh introduced seven steps for foreign enterprises to ensure compliance:
First, enterprises should not rush into implementation but instead conduct a comprehensive review and assessment of their current status. They should consider establishing a dedicated team or engaging external consultants.
He emphasized that personnel responsible for personal data protection must meet specific standards, including relevant educational background, at least two years of experience in related fields (such as cybersecurity, compliance, legal, or governance), and specialized training in data protection.
When outsourcing, companies must carefully assess the consulting firm’s capabilities, including practical experience, area of expertise (technology or legal), and prior experience in implementing projects, especially since Decree 13.
Second, after securing resources, enterprises need to assess and classify data. This involves addressing key questions: what constitutes basic personal data versus sensitive data, the purpose of processing, data storage locations, and security mechanisms.
Third, determine the legal basis for data processing. Mr. Vinh noted that data subject consent is only one of several legal bases and is not always the most important, so companies must consider all applicable grounds.
Fourth, enterprises must develop internal policies and procedures on personal data protection, including access control, data processing management, and related internal regulations. They must also clearly define the roles of parties involved in the data processing chain—data controllers, processors, and third parties—to complete impact assessment documentation.
Fifth, reiterating the previous step, enterprises should continue strengthening internal policies and clearly define responsibilities across all stakeholders involved in data handling processes to ensure compliance documentation is complete.
Sixth, at the implementation level, protection measures must be synchronized across both governance and technical aspects. Governance includes policies, procedures, and contracts, while technical measures may involve encryption, anonymization, access control, and other security solutions. “All these measures must be documented; otherwise, the impact assessment cannot be considered complete,” Mr. Vinh stressed.
Seventh, internal training is essential. Without building organization-wide awareness of personal data protection, compliance in practice will face significant challenges.
Mr. Nguyen Tuan Minh, Chairman of VPS Group, also pointed out that the digital working environment is no longer optional but has become essential for business operations.
As office equipment increasingly becomes part of the IoT ecosystem, each printer, photocopier, or scanner can become a potential risk point. “If not properly secured, these can become serious vulnerabilities leading to data breaches,” he warned.
In Vietnam, over the past three years, authorities have identified and handled more than 30 cases related to illegal trading and appropriation of data, with over 160 million personal data records exposed across various sectors. From a business perspective, more than 60% of domestic companies have experienced cyberattacks involving data.
“These figures demonstrate that completing the legal framework for personal data protection is not only urgent but also a critical pillar in ensuring cybersecurity,” said Mr. Nguyen Hung Son, Vice Chairman of FSI.