© 2026 Index.vn
As cross-border digital transactions expand, Vietnam's Personal Data Protection Law, effective early this year, requires agencies, organizations, and individuals transferring personal data across borders to prepare a cross-border personal data transfer impact assessment (PDIA) dossier. Regulators, however, say the proportion of PDIA dossiers that meet required standards remains low.
A compliance expert from the Cyber Security and High-Tech Crime Prevention Department under the Public Security Ministry said foreign-invested enterprises in Vietnam generally comply well in submitting cross-border PDIA filings. The main issue, the expert noted, is the quality of the dossiers rather than the number submitted.
The expert reported that the rate of PDIA dossiers meeting required standards is below 20%, meaning roughly 80% of dossiers still need modifications. Regulators provide written feedback and requests for supplementary information, but many enterprises struggle to determine what specific changes are needed to satisfy the standards after receiving comments.
The expert said the situation also creates a challenge for regulators, who need to summarize and analyze common errors in order to provide clearer, more practical guidance. The goal is to help enterprises finalize their dossiers with a single supplement.
According to the analysis, the core problem is the approach taken by some entities: PDIA is treated as a compliance formality rather than as an impact assessment process to manage risk in personal data processing. The expert linked this to risk management thinking in cybersecurity, emphasizing that no system is risk-free and that personal data processing always involves risk. Whether risk is high or low should be determined based on the scale, nature, and scope of data processing for each enterprise—for example, the risk profile differs between a two-story building and a ten- or hundred-story building.
The expert said an enterprise’s impact assessment should start with a comprehensive review of its data processing activities and how they relate to relevant partners. The assessment should not be a one-time exercise; it should be conducted regularly in line with business operations.
When properly designed, the PDIA dossier can function not only as a compliance document but also as a governance tool. The required contents are intended to help enterprises identify compliance aspects of personal data protection.
On whether small enterprises must establish a data protection framework, a lawyer and founder said the Personal Data Protection Law and Decree 356/2025 provide exemptions for small, micro, or startup businesses from PDIA filing and from appointing a data protection officer for the 2026–2030 period.
The exemption is not absolute. If these entities provide personal data processing services or process sensitive data, they must still meet all legal obligations, including preparing a PDIA. The lawyer noted that the list of sensitive personal data is defined in Decree 356 and related documents, so enterprises should confirm whether their activities fall within that scope.
The recommended first step is to review whether the business provides data processing services and whether it handles sensitive data. If either applies, the enterprise must still perform a PDIA regardless of size.
