11:00 26/06/2025

Personal data protection to be reinforced by law

Như Quỳnh

Cybersecurity experts told a recent summit that Vietnamese businesses must view data protection as an integral part of their customer relationships.

Customer data is rapidly becoming a strategic asset for businesses seeking to sharpen their competitive edge as digital transformation accelerates, but growing concerns over the misuse and illegal trading of personal data are threatening to erode consumer trust.

At the Customer Data Summit 2025, with the theme “From Insights to Empathy”, experts in technology and cybersecurity urged companies to prioritize data protection as a foundation for building lasting relationships with customers. They also emphasized the importance of aligning with both domestic and international data governance standards, particularly as Vietnam prepares to roll out its Data Law and activate the National Data Center.

According to Mr. Huynh Le Tan Tai, Co-President of CIO Vietnam, data is the “gold mine” of the digital economy. He stressed the urgent need for stringent safeguards, however, especially as data usage becomes more expansive and sophisticated. The upcoming national data platforms and new legal framework, he added, represent a critical turning point in protecting privacy and regulating Vietnam’s emerging data economy.

Transparency and trust

Speaking on the sidelines of the Summit, Mr. Ha Hoang, Founder and CEO of Data Protectify - a company that supports enterprises in data compliance implementation - emphasized that transparency in data collection and processing is not just a legal formality but a vital responsibility to both the market and consumers.

The compliance journey consists of two distinct phases, he went on. During the data collection stage, companies must clearly inform users about how their data will be used, the intended purposes, and whether it may be shared with third parties. Consent must be obtained transparently, in accordance with Decree No. 13/2023/ND-CP on personal data protection, which came into force on July 1, 2023.

In the data processing phase, especially when using technologies like AI, businesses are obliged to notify users and offer them the right to opt out. Processing data without explicit consent could be deemed a legal violation.

Before the Decree took effect, data protection was often treated as a low priority among businesses, Mr. Hoang acknowledged. But since July 2023, there has been a marked shift, with many companies now adopting clearer and more publicly available data privacy policies.

Decree No. 13 outlines eleven key rights that individuals have over their personal data, including the rights to know, consent, access, amend, object, delete, withdraw consent, file complaints, and seek compensation. Raising public awareness about these rights, Mr. Hoang said, is essential to building a culture of data protection. He cited a common scenario: if a consumer receives a telemarketing call about real estate from an unclear data source, they have the right to report the incident or file a complaint.

In an era where AI is rapidly transforming market dynamics, digital trust is emerging as a non-negotiable foundation for customer loyalty. That trust, Mr. Hoang noted, must be grounded in two principles: embedding legal compliance from the earliest product development stages, and staying constantly updated with regulatory changes.

Vietnam is now preparing for the introduction of a comprehensive Law on Personal Data Protection, following Decree No. 13. For businesses, that means continuously revisiting how data is collected and used, both to stay within legal bounds and to keep pace with rising consumer expectations.

Preparing for stricter laws

As Vietnam drafts a comprehensive personal data protection law expected to be issued in the near future, businesses are being urged to establish a solid foundation for data governance, not only through technological systems but also by fostering a data-conscious internal culture.

According to Mr. Hoang, training and raising awareness within organizations is a critical component in minimizing risk. Training programs are typically divided into three tiers: leadership, functional departments, and general staff. Businesses are encouraged to customize data governance frameworks based on each department’s needs to ensure proper segmentation, secure handling, and lawful use of data.

One notable requirement in Decree No. 13 is that businesses must appoint a dedicated department or individual responsible for personal data protection. While this role may be handled concurrently with other responsibilities in the early stages, Mr. Hoang recommended consulting experienced local and international data compliance experts to build a legally sound, industry-aligned operational roadmap.

Looking ahead, data protection violations are expected to face stricter enforcement, especially with the upcoming data protection law and the launch of the National Data Center.

According to a proposal submitted to the National Assembly, administrative fines for personal data breaches could range from 1 to 5 per cent of the previous year’s revenue for organizations in violation. “Such penalties, if enforced, would significantly influence corporate behavior and reshape the way businesses approach compliance and operations,” Mr. Hoang said.

In the banking and finance sector, Mr. Luong Tuan Thanh, Chief Technology Officer at the Orient Commercial Joint Stock Bank (OCB), noted that Circular No. 13/2022/TT-NHNN, issued on October 28, 2022 by the State Bank of Vietnam, sets out internal control system requirements for commercial banks and foreign bank branches, including clear mandates for data governance.

Today, all customer-related information - especially personal data - must be carefully categorized and may only be accessed with valid consent from both the customer and regulatory authorities. Most banks now integrate with the national population database (VNeID) and the National Data Center to verify key details such as personal identification numbers.

“Sensitive data like financial transaction records must be verified with regulatory bodies,” Mr. Thanh emphasized. “The use of personal account identifiers is already tightly regulated, and upcoming laws on personal data protection and national data governance will reinforce this framework.”

He also pointed out that once the National Data Center becomes fully operational, banks will be required to adjust their data-sharing protocols, clearly delineating which data may be disclosed to third parties and which must remain strictly confidential. “The National Data Center is a strategic initiative that could serve as a one-stop information portal, eliminating existing barriers in data sharing between government agencies and between the public and private sectors,” Mr. Thanh said.

Looking ahead, future data exchange platforms will likely cover not just personal data but also corporate customer tax records, asset ownership, and credit activities. While this presents significant opportunities for the banking sector, the benefits of a shared data ecosystem will only be realized if banks and businesses have the capacity to determine which data may be used and which must be restricted. Therefore, the government is expected to urgently develop a clear regulatory framework defining data sharing and usage rights in today’s rapidly evolving digital transformation landscape.