Data Strategy Briefing — April 17, 2023

Executive briefing: The Government of Vietnam promulgated Decree 13/2023/ND-CP on personal data protection on 17 April 2023. The decree, effective 1 July 2023, creates comprehensive consent rules, breach notification duties, and requirements for storing sensitive personal data within Vietnam unless exemptions are granted.

Key localisation checkpoints

• Data classification. Catalogue ordinary versus sensitive personal data to determine localisation and impact assessment triggers under Articles 9 and 24.
• Cross-border controls. Document transfers leaving Vietnam, evaluate adequacy of recipient safeguards, and submit dossiers to the Ministry of Public Security where exemptions are required.
• Representative appointment. Designate local data protection officers or authorised representatives for foreign controllers processing Vietnamese residents’ data.

Operational priorities

• Consent lifecycle. Update notices, opt-in flows, and withdrawal channels to satisfy express consent requirements and parental approvals for minors.
• Incident response. Integrate 72-hour breach reporting obligations to the Ministry of Public Security and impacted data subjects.
• Impact assessments. Prepare data protection impact assessment dossiers covering processing purposes, retention, transfer partners, and security controls, refreshing them annually.

Enablement moves

• Develop bilingual training and policy updates for Vietnamese subsidiaries covering new penalties and enforcement powers.
• Align third-party contracts with Decree 13 data processor duties, audit cooperation clauses, and localisation expectations.

Sources

• Ministry of Information and Communications notice on Decree 13/2023/ND-CP
• Official text of Decree 13/2023/ND-CP on personal data protection

Zeph Tech equips Vietnam programme teams with consent operations, localisation roadmaps, and cross-border dossier preparation aligned to Decree 13.