Digital transformation, economic modernization, and the rise of a digital society are reshaping Vietnam’s future. At the heart of this evolution lies personal data—an essential resource powering technologies like big data analytics, artificial intelligence, cloud computing, blockchain, and the metaverse.
However, the rapid adoption of these technologies has exposed serious vulnerabilities. According to Viettel Cyber Security, Vietnam has recently witnessed ten major data breaches. These include:
- A tech company’s 300GB of source code and customer data being offered for sale
- Two incidents involving leaked databases from major universities, totaling 500MB
- Source code leaks from media and retail firms, comprising 3.5 million records
- A breach in the energy sector exposing system code and customer data
- Four additional cases involving 15GB of source code and nearly 4 million personal records
Authorities have responded swiftly, patching security gaps and issuing public warnings. Citizens and organizations are urged to avoid sharing sensitive information such as phone numbers and bank details during online transactions.
The leaked data often includes highly detailed personal profiles: full names, birthdates, national ID numbers, addresses, phone numbers, bank accounts (including balances), family relations, job titles, and workplace information. These incidents underscore an urgent need for robust personal data protection policies and practices in Vietnam’s digital era.
The Law on Personal Data Protection has been passed by the National Assembly and will take effect from January 1, 2026. The law's implementation date is not far away, posing many urgent requirements to protect personal data. Therefore, to ensure strictness when organizations and units are allowed to exploit personal data, it is necessary to clearly stipulate the purpose of data use; list data sources to ensure authenticity and accuracy; and allowable time to store data. If the party whose data is exploited violates the rules, there must be a mechanism, a way to withdraw consent and a policy to delete and destroy personal data according to regulations.
When the law comes into life, there are universal regulations, but for personal data, especially private data, there must be specific regulations, the clearer the easier it is to implement. This is to protect the rights and legitimate interests of agencies, organizations and individuals when personal information is leaked or disclosed in relation to law and community issues.
