On 17 January 2025, the Ministry of Public Security initiated a consultation, scheduled to conclude on 17 March 2025, concerning a draft Decree to implement the Data Law (No. 2025/QH15). The Data Law, which was adopted on 30 November 2024, established a legal framework for data governance, encompassing data classification, protection, processing, and cross-border transfers. The implementing Decree would define individuals' rights over personal data, granting them the right to access, correct, delete, and object to certain processing activities while requiring their explicit consent for data sharing, except where mandated by Law. The Decree would mandate a hierarchical classification of data, requiring protection measures for core and important data. Controllers and processors would be obliged to implement encryption, access controls, and risk management strategies to ensure data quality, integrity, and traceability. Furthermore, the Decree would introduce obligations for organisations handling critical data, requiring them to establish data deletion and destruction policies, multi-layered security frameworks, and compliance monitoring. In addition, state agencies would be required to enforce data protection policies through audits and risk assessments.