Get Ready to Comply with Vietnam's New Data Laws, Says FPF
Vietnam's new Law on Personal Data Protection (PDP Law), expected to take effect Jan. 1, is part of the country's "sweeping transformation of its data protection and governance framework," the Future of Privacy Forum (FPF) said in an issue brief Friday. It urged businesses to start preparing to comply.
The other landmark legislation is the Law on Data, which took effect in July, wrote FPF's Sakshi Shivhare, policy associate for Asia-Pacific; Josh Lee Kok Thong, managing director for APAC; and Dominic Paulger, deputy director for Asia-Pacific and China.
The Data Law is Vietnam's first comprehensive framework for personal and non-personal data governance, the paper said. It applies to all Vietnamese agencies, organizations and individuals, as well as to foreign agencies, organizations and individuals either in Vietnam or directly participating in or related to digital data activities in the country.
The two measures "mark a significant shift in how Vietnam approaches data regulation" and they address overlapping domains of data protection and governance and emerging technologies, the paper said.
The PDP Law boosts data protection by preserving most of the existing regime but introducing key refinements, such as a different, unique approach toward definitions of "basic" and "sensitive" data, FPF's analysis found. The data regime is still consent-focused, and it gives clearer conditions for what constitutes valid consent.
The PDP Law also sets out enhanced sector-specific obligations for high-risk processing activities such as healthcare and social networks, FPF said.
The intersection of the two laws has compliance implications for organizations navigating cross-border data transfers, the paper said. In addition, risk and impact assessments "are emerging as a central, albeit uncertain, aspect of the new regime."
FPF urged organizations to prepare to comply with both laws and monitor regulatory developments. Companies should now review and classify the data they process, paying particular attention to identifying datasets with "core" and "important" data, and determine compliance gaps in their existing processing activities, it added.