On April 10, the forum “Personal Data Protection Law: Challenges and Compliance Solutions for Foreign Direct Investment Enterprises” was organized by FSI in cooperation with DDS (Japan), FSI DDS, and the Vietnam Association of Office Equipment Manufacturers (VOMA).
In Vietnam, authorities have detected and handled more than 30 cases related to illegal data purchase or data theft over the past three years, with more than 160 million personal data records exposed across various sectors. On the corporate side, more than 60% of domestic entities have experienced cyberattacks involving data.
“These figures show that finalizing the legal framework on personal data protection is not only urgent but also a cornerstone to ensure cybersecurity in cyberspace,” said Nguyen Hung Son, Vice Chairman of the FSI Board.
Nguyen Hung Son said that while the Personal Data Protection Law includes stringent and detailed provisions, the gap between regulation and actual enforcement remains wide. He noted that foreign-invested enterprises face the most difficulties for three reasons.
Luu Xuan Vinh, Partner and Managing Lawyer at Asia Legal, said that most foreign investors entering Vietnam come from jurisdictions with mature legal systems such as Singapore, Japan, or Korea. As a result, investors often bring a built-in “compliance mindset” when entering the market.
However, meeting Vietnam’s regulations remains necessary. At the workshop, Mr. Vinh outlined seven steps for foreign enterprises to comply with the law.
Conduct a comprehensive status review before implementation. Enterprises may establish a dedicated team or hire external consultants. The data protection officer should meet certain standards, including appropriate training background, at least two years of experience in related fields (cybersecurity, compliance, legal, governance, etc.), and specialized training on data protection. When using external services, enterprises should assess the consultant’s capabilities, including practical experience, field of operation (technology or legal), and whether they have implemented projects, especially since Decree 13.
After securing resources, perform data inventory and classification. The process requires determining which data is basic personal data, which is sensitive, the purpose of processing, where the data is stored, and what security mechanisms are in place.
Determine the legal bases for processing data. Mr. Vinh cautioned that data subject consent is only one of several legal bases, not the sole or most important factor in every case, so enterprises should consider all bases.
Establish internal policies and procedures for personal data protection, including access control and data processing controls, and define roles across the data processing chain—controller, processor, and third parties—to complete the impact assessment record as required by regulations.
Build internal systems for personal data protection at the organizational level, including access control, data processing controls, and internal regulations. This also involves clearly defining roles of the parties in the data processing chain to complete the impact assessment.
Design coherent protective measures across governance and technical controls. Governance includes policies, procedures, and contracts. Technically, measures such as encryption, de-identification, access control, and other security solutions may be used. “All of these measures must be reflected in the dossier; otherwise they cannot be considered a completed impact assessment,” Mr. Vinh noted.
Provide internal training. Mr. Vinh said internal training is indispensable because without shared awareness of personal data protection, practical compliance will face obstacles.
Mr. Nguyen Tuan Minh, Chairman of VPS Group, said the cyber environment in the digital space is no longer optional but essential for business development. He warned that as office devices increasingly form part of the IoT ecosystem, every printer, copier, or scanner can become a potential risk.
“If not adequately protected, these could be serious vulnerabilities, leading to data leakage,” Minh said.