Guidelines for enterprises on data protection impact assessments and reporting duties

As previously communicated at Summary Of New Regulations Officially Taking Effect From January 2026 In Vietnam, one of the mandatory compliance obligations effective from January 1, 2026, is the implementation of a Personal Data Processing Impact Assessment, as stipulated under the Personal Data Protection Law 2025.
To support businesses in preparing effectively, ALTAS would like to provide detailed information regarding the requirements, deadlines, and applicable entities to help clients assess and implement accordingly:
  • Requirement: Organizations and enterprises that process personal data in specific cases, such as processing sensitive data, large-scale data processing, applying emerging technologies, transferring data abroad, or engaging in monitoring/profiling activities, are required to conduct a data protection impact assessment.
  • Deadline: The impact assessment dossier must be submitted to the Ministry of Public Security within 60 days from the commencement of data processing. Subsequent reports must be submitted every six months. The final deadline for submitting the initial report is March 1, 2026.
  • Applicable entities: This requirement applies to all organizations and enterprises engaged in personal data processing that fall under the mandatory categories. In particular, for cross-border data transfers, a separate impact assessment must be conducted, and the organization must maintain the same biannual reporting obligations.
The detailed information is as follows:
Starting from January 1, 2026, the Personal Data Protection Law 2025 officially takes effect, requiring all organizations and enterprises involved in personal data processing to comply with new legal obligations. Mandatory Data Protection Impact Assessments (DPIAs) must be conducted in the following cases: processing of sensitive personal data (such as health, financial, biometric, or geolocation data), large-scale data processing, application of emerging technologies (such as AI, facial recognition, behavioral tracking), cross-border data transfers, or activities involving surveillance and profiling of individuals.
Organizations and enterprises falling under these categories must prepare a DPIA dossier and submit a report to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) within 60 days from the commencement of data processing. The dossier must describe the processing procedures, types of data, intended purposes, potential risks, and protective measures. Thereafter, organizations are required to update and submit reports every six months on the status of data protection, emerging risks, and mitigation measures. Accordingly, the final deadline for submitting the initial DPIA report is March 1, 2026.
For cross-border personal data transfers—such as (1) using cloud storage services located overseas or (2) collaborating with foreign partners who have access to personal data—organizations must conduct a separate DPIA and submit a report to the Ministry of Public Security within 60 days from the first transfer of data. In addition, they must maintain a biannual reporting obligation on the status of data protection, associated risks, and control measures related to cross-border data transfers. These requirements aim to ensure transparency, security, and legal compliance throughout the international data processing lifecycle.
The law also provides transitional provisions for small and startup enterprises. Specifically, these entities may choose whether or not to comply with Article 21 (DPIA for domestic processing), Article 22 (DPIA for cross-border transfers), and Clause 2 of Article 33 (biannual reporting) for a period of five years from the effective date of the law, i.e., until the end of 2030. However, exceptions apply to small or startup enterprises that (i) operate in the business of personal data processing services, (ii) directly process sensitive personal data, or (iii) handle data of a large number of data subjects—these cases must fully comply with the law from the outset.
Small enterprises are defined under the Law on Support for Small and Medium Enterprises 2017, based on three key criteria: number of employees, annual revenue, and capital scale. Specifically:
  • Micro enterprises:
    o Commerce and services: fewer than 10 employees, annual revenue ≤ VND 10 billion or capital ≤ VND 3 billion
    o Agriculture, industry, construction: fewer than 10 employees, annual revenue ≤ VND 3 billion or capital ≤ VND 3 billion
  • Small enterprises:
    o Commerce and services: 10–50 employees, annual revenue from VND 10–100 billion or capital from VND 3–50 billion
    o Agriculture, industry, construction: 10–100 employees, annual revenue from VND 3–50 billion or capital from VND 3–20 billion
  • Startup enterprises: typically defined as businesses operating for less than five years with innovative business models, as recognized under national startup support programs.
Although certain obligations are waived during the five-year transitional period (from January 1, 2026 to December 31, 2030), small and startup enterprises must still adhere to core principles of personal data protection. These include obtaining explicit consent from data subjects, ensuring data confidentiality, prohibiting unauthorized sharing, and deleting data once the processing purpose is fulfilled.
In summary, while the law offers flexibility for small and startup enterprises during the transitional phase, all organizations must proactively review their data processing activities to determine applicable legal responsibilities. Proper compliance not only mitigates legal risks but also fosters trust with customers and partners in an increasingly privacy-conscious digital environment.

Content Moderated by

LONG NGUYEN

of Counsel
