The Personal Data Protection Law (PDPL) does not operate alone — it is accompanied by an implementing decree that provides the practical detail organisations need for compliance. This article presents only verified facts about Decree 356.
What Decree 356 Is
Decree No. 356/2025/ND-CP details and guides the implementation of Vietnam's Personal Data Protection Law (Law No. 91/2025/QH15). It was issued on 31 December 2025. The decree elaborates on certain articles and implementation measures of the PDPL, and it formally announced the replacement of the earlier Decree No. 13/2023/ND-CP (the PDPD) dated 17 April 2023.
How the Decree Clarifies the Law
The PDPL provides general definitions, and the implementing decree provides further detail. For example, where the PDPL describes categories of personal data in general terms, the draft and final implementing rules work to clarify the boundaries between basic personal data and sensitive personal data.
The decree also addresses procedures, conditions, and enforcement mechanisms — the operational detail that organisations need to translate the law's principles into compliance actions.
Data Protection Personnel Requirements
A significant practical requirement clarified under the new framework is the obligation around data protection personnel. Organisations may appoint internal personnel — such as a Data Protection Officer — or engage external service providers, whether individuals or organisations, that satisfy the applicable legal requirements for providing personal data protection services.
Critically, the framework now imposes qualification requirements: appointed personnel or engaged service providers must possess demonstrable expertise in data protection law and practice. This is a meaningful change from Decree 13, which lacked such qualification requirements.
Transitional Considerations
For organisations that were already compliant with Decree 13, the new framework does not necessarily trigger significant immediate new obligations, but it does raise the bar. Impact assessments already submitted under Decree 13 generally remain valid; however, any updates made to those assessments after the PDPL takes effect must comply with the new law. Organisations should treat this as a short runway to upgrade their compliance frameworks.
Recommended Preparation Steps
Based on the guidance issued by legal advisors, organisations should: conduct data mapping to identify all personal data types and classify them as basic or sensitive; perform a gap analysis comparing current practices with the new requirements; and undertake personnel and technical preparation, including appointing a Data Protection Officer and allocating budget and technical support.
How Simuna Infosec Helps
The technical preparation that the new framework requires includes ensuring that the systems processing personal data are genuinely secure. Our security assessments provide the technical assurance component of a compliance program — identifying vulnerabilities in data-processing systems and verifying that remediation holds. We complement the legal and governance work with the hands-on security testing that turns a compliance framework into genuine data protection.
*This article reflects publicly available information as of mid-2026. Consult qualified Vietnamese legal counsel for compliance decisions.*