Vietnam: Law on Personal Data Protection including cybersecurity regulation enters into force

On 1 January 2026, the Law on Personal Data Protection enters into force. The Law requires organisations to implement suitable technical and organisational measures to safeguard personal data against unauthorised access, disclosure or misuse (Articles 3, 14, 16, 18, 27). This encompasses the establishment of a dedicated data protection officer or department to provide oversight (Article 33), although small and medium-sized enterprises and startups may be temporarily exempt. In the event of a personal data breach, the relevant authorities must be informed (Article 23), and data subjects must be informed if biometric data processing causes data to the subject (Article 31). It is required that organisations conduct regular risk assessments and audits to ensure ongoing compliance with data protection Law (Articles 19, 21, 22, 37).