The world has entered a new era of digital vulnerability, one where data leaks often begin long before anyone realizes an attack is underway. According to the Fortinet Global Threat Landscape Report 2025, the number of stolen login credentials traded on the dark web jumped by 42% in a single year. The trend shows how attackers have evolved: instead of trying to smash through hardened firewalls, they exploit weak configurations and human mistakes, the digital equivalent of finding an unlocked door.
As cyberattacks become more adaptive and harder to detect, global regulators are responding with stricter requirements. Among them, the General Data Protection Regulation (GDPR), created by the European Union, continues to set the gold standard for privacy and accountability. It has reshaped how organizations everywhere collect, store, and safeguard personal data.
Now Vietnam is taking a major step in the same direction with its Personal Data Protection Law (PDPL), which takes effect on January 1, 2026. This marks a turning point for every business operating in or handling data from Vietnam. Compliance is no longer just about avoiding fines; it is about proving credibility. It requires constant vigilance, fast incident response, and the ability to demonstrate control over every piece of personal data.
Understanding GDPR and Why It Matters
Before looking at the security controls that support compliance, it is important to understand why GDPR remains the reference point for privacy regulation worldwide and what it expects from every organization that handles personal data.
The General Data Protection Regulation (GDPR) came into effect in 2018 and applies to all organizations that process personal data of individuals within the European Union — regardless of where the organization itself is located.
Its main goals are to:
- Protect individuals’ right to privacy.
- Give users control over how their personal data is collected, used, and shared.
- Hold organizations accountable for the security and transparency of their data practices.
Core Principles of GDPR
- Lawfulness, fairness and transparency: All processing must have a clear legal basis such as user consent, contract fulfillment, a legal obligation, or legitimate interests. Data must be handled in a way that is fair and does not mislead or harm the data subject, and individuals must be clearly informed about how and why their data is used, including who the data controller is, the purpose of processing, how long data will be stored, and what rights they have.
- Purpose limitation: Personal data must be collected for specific, clear, and lawful purposes and cannot be used in ways that are incompatible with those original purposes.
- Data minimization: Collect only data that is necessary and relevant for the stated purpose; avoid gathering or storing more than needed.
- Storage limitation: Data should be kept only for as long as necessary to fulfill its intended purpose. Longer retention is allowed only for public-interest archiving, scientific or historical research, or statistical purposes, with proper safeguards.
- Accuracy: Personal data must be accurate and kept up to date, and reasonable steps must be taken to correct or delete inaccurate data without delay.
- Integrity and confidentiality: Data must be processed securely, using appropriate technical and organizational measures (GDPR Article 32), to prevent unauthorized access, loss, or damage, and those measures must be built in from the start (“data protection by design and by default”, Article 25).
Accountability
- The data controller is responsible for complying with all six principles above and must be able to demonstrate that compliance. This includes:
- Documenting data processing activities (records of processing)
- Implementing data protection policies
- Training staff on data privacy
- Risk assessments: regularly assessing risks to personal data and implementing measures to mitigate them
What Security Controls Should You Consider Under GDPR?
Organizations must adopt various security controls to comply with GDPR. Some critical controls include:
- Encryption: Encrypting personal data at rest and in transit so that it is unreadable to anyone without the keys.
- Access Controls: Restricting access to data based on user roles and responsibilities.
- Data Masking: Obscuring specific parts of the data (for example, all but the last digits of an ID number) so that logs, test systems, and support screens never expose the full value.
- Regular Audits: Conducting routine audits to verify that the security measures are in place and working.
- Breach Notification: Implementing protocols to promptly notify authorities and individuals in the event of a data breach. GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals; Article 34 requires informing the affected individuals without undue delay when the risk to them is high.
The Real-World Consequences
From tech giants to small businesses, GDPR enforcement has led to record-breaking fines and public scrutiny. The message is clear: data negligence doesn’t just hurt finances – it damages trust, reputation, and long-term credibility.
Legal Framework for Personal Data Protection Law in Vietnam
Starting January 1, 2026, Vietnam will officially enforce the Law on Personal Data Protection (Law No. 91/2025/QH15), replacing Decree No. 13/2023/NĐ-CP. This marks the country’s first comprehensive legal document dedicated to personal data protection.
What’s particularly notable is that, unlike the technology-neutral approach of the GDPR and other international frameworks, the PDPL introduces sector-specific provisions – likely aimed at facilitating compliance in data-intensive industries. This approach makes sense in the context of Vietnam, where data privacy remains a relatively new concept and many industries have expressed concerns about the challenges of applying Decree 13 to their specific operational practices.
The new law represents a major step forward in safeguarding individual privacy rights and aligns closely with international standards. It introduces clearer definitions, stronger enforcement mechanisms, and broader applicability, including to foreign entities that process the data of Vietnamese citizens.
A key development is the introduction of exemptions for SMEs, reflecting a more pragmatic shift from Decree 13’s broad, uniform application. The data breach notification requirement has also been narrowed to cases involving serious harm. Importantly, the law exempts entities already subject to the Personal Data Processing Impact Assessment and Cross-Border Data Transfer Impact Assessment under the PDPL from duplicative obligations under the Law on Data – another regulation overseen by the Ministry of Public Security. This exemption demonstrates the government’s responsiveness to business feedback and its effort to reduce administrative burdens.
Despite these flexibilities, the PDPL adopts a stricter overall posture.
Key Highlights:
- Consent remains the primary lawful basis for processing and is emphasized across sector-specific and high-risk activities.
- Processing under other lawful bases must be subject to monitoring mechanisms.
- Processing based on ‘legitimate interest’ is not permitted under the current framework.
- The sale of personal data remains strictly prohibited, with penalties of up to 10 times the revenue derived from such activity.
- Sector-specific rules: Covers areas like employment, artificial intelligence (AI), and biometric data.
- SME exemptions: Small and medium enterprises may receive up to 5 years of grace for requirements like impact assessments and appointing Data Protection Officers (DPOs).
- Breach notification: Notify MPS within 72 hours when a breach causes actual harm or a high risk to the rights of individuals or to national security.
- Security-focused enforcement: The law is enforced by the Ministry of Public Security (MPS), with a strong emphasis on national security over pure privacy.
- Extraterritorial scope: Applies to foreign entities processing data of Vietnamese citizens or individuals of Vietnamese origin, regardless of where the processing occurs.
- Mandatory impact assessments: Required for all processing activities and cross-border data transfers, and must be submitted to MPS within 60 days.
- Penalties: Fines can reach 5% of the previous year’s revenue for cross-border violations, or VND 3 billion (~USD 120,000) for general non-compliance.
- GDPR emphasizes accountability and transparency under a structured regulatory network across the EU.
- PDPL focuses more on national data sovereignty and security, with tougher enforcement power from the Ministry of Public Security.
Core Cybersecurity Strategy for Compliance
Data Inventory and Classification
- Identify the types of personal data that the business is collecting, storing, and processing.
- Classify the data based on its sensitivity level and determine the purpose of its use.
Policies and Training
- Establish and implement clear, transparent privacy policies to ensure user privacy.
- Ensure employees understand and comply with these policies.
- Conduct training on GDPR and the PDPL to enhance awareness and understanding of personal data processing.
Consent Management
- Provide full and clear information to users before collecting data.
- Ensure explicit consent is obtained and store proof of consent.
Data Loss Prevention (DLP)
- Implement a DLP system to automatically monitor and block risky actions involving sensitive data, including:
- Block copying: Prevent copying customer information, HR records, and financial data to USB drives or personal email, or uploading it to unauthorized platforms (allow only approved work tools).
- Block sharing: Prohibit sending files containing biometric data, ID numbers, or bank account details via Zalo, Messenger, or unencrypted email.
- Prevent external leaks: Detect and stop data uploads to unknown websites or public cloud services (Dropbox, WeTransfer), and exfiltration by malware.
Data Encryption
- Encrypt data at rest: Full-disk encryption on devices, encryption of databases and stored files, so that customer phone numbers, ID numbers, and banking details are unreadable without the decryption key. Keep the keys separate from the data they protect.
- Encrypt data in transit: Enforce TLS on websites, email, and APIs, and require a VPN (or equivalent authenticated tunnel) for remote employee access.
Access Control
- Role-Based Access Control (RBAC):
- HR department → view employee records only.
- Finance department → view payment data only.
- No single account should have full system access; split administrative privileges across roles.
- Multi-Factor Authentication (MFA): Require password + OTP or fingerprint for systems with sensitive data.
- Least Privilege Principle: Grant only necessary permissions for the job and automatically revoke when no longer needed.
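As an added illustration of the RBAC and least-privilege points above (this is not code from the original article), the following Python policy check denies everything by default and attaches an expiry to every role grant so that temporary access lapses on its own. The roles, resources, users, and timestamps are assumed for the example.

```python
"""Deny-by-default role-based access control with expiring grants.

Added example for the Access Control section; not code from the original
article. The roles, resources, users and timestamps below are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> allowed (resource, action) pairs. Anything not listed is denied,
# so no role can reach every system (there is no "full access" role).
ROLE_PERMISSIONS = {
    "hr":      {("employee_records", "read"), ("employee_records", "update")},
    "finance": {("payment_data", "read")},
    "support": {("customer_files", "read")},
}

@dataclass
class Grant:
    role: str
    expires_at: datetime   # every grant is time-bounded

@dataclass
class User:
    name: str
    grants: list = field(default_factory=list)

def active_roles(user: User, now: datetime) -> set:
    """Roles whose grant has not yet expired."""
    return {g.role for g in user.grants if g.expires_at > now}

def is_allowed(user: User, resource: str, action: str, now: datetime) -> bool:
    """Least privilege: allow only if an unexpired role grants exactly this pair."""
    for role in active_roles(user, now):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False   # deny by default, including unknown resources and roles

def revoke_expired(user: User, now: datetime) -> list:
    """Automatic revocation: drop lapsed grants and report which roles went away."""
    removed = [g.role for g in user.grants if g.expires_at <= now]
    user.grants = [g for g in user.grants if g.expires_at > now]
    return removed

# Fixed reference time so the example is deterministic (assumed value).
NOW = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)

def demo() -> dict:
    """Exercise the policy with constructed users; returns the decisions."""
    hr = User("nguyen.a", [Grant("hr", NOW + timedelta(days=365))])
    # Finance analyst who was given a temporary HR role for an audit that ended yesterday.
    fin = User("tran.b", [Grant("finance", NOW + timedelta(days=365)),
                          Grant("hr", NOW - timedelta(days=1))])
    results = {
        "hr_reads_employee_records":  is_allowed(hr, "employee_records", "read", NOW),
        "hr_reads_payment_data":      is_allowed(hr, "payment_data", "read", NOW),
        "finance_reads_payment_data": is_allowed(fin, "payment_data", "read", NOW),
        "finance_expired_hr_access":  is_allowed(fin, "employee_records", "read", NOW),
        "finance_unknown_resource":   is_allowed(fin, "backup_server", "admin", NOW),
        "revoked_roles":              revoke_expired(fin, NOW),
    }
    results["finance_roles_after_cleanup"] = sorted(active_roles(fin, NOW))
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the expiry on each grant is that the revocation step needs no human to remember the audit ended: the expired HR role stops working the moment the clock passes it, and the cleanup pass only records what already lapsed.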
Endpoint Detection and Response (EDR): continuously monitor laptops and other devices for suspicious activity and isolate compromised systems before the damage spreads.
Incident Response
Develop an Incident Response Plan that specifies:
- Roles and Responsibilities: Who detects the incident? Who makes decisions? Who informs MPS (Ministry of Public Security), the relevant EU supervisory authority where GDPR applies, or customers?
- Response Timeframes: Detection → isolation within 1 hour; internal reporting within 4 hours; report to MPS within 72 hours (if serious damage occurs), and to the EU supervisory authority within 72 hours of becoming aware of the breach where GDPR applies.
- Transparent Information Flow: Who gets notified? Which channels are used (internal email, ticketing system, emergency meetings)?
→ Goal: Contain incidents before they spread and meet the legal notification deadlines.
Logging and Monitoring
Implement an access logging and monitoring system:
- Detailed Logging: Record who (account name), what data was accessed (customer files, HR records…), when (exact time), and how (from internal device, VPN, cloud?).
- Automatic Anomaly Detection: For example: An administrative employee downloads 10,000 customer records at 2 a.m. → immediate alert.
- Prevent Leakage Before It Happens: Automatically lock the account, isolate the device, or block downloads.
→ Goal: Comply with the principle of “security” (PDPL Article 21, GDPR Article 32) and detect internal/external threats early.
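To show what the detection rule in the list above looks like in practice, here is an added Python example (not code from the original article) that reads constructed access-log lines recording who, what, when and how, and raises an alert for bulk downloads or downloads outside business hours. The log format, thresholds, business hours, and sample lines are all assumptions made for the example.

```python
"""Bulk and out-of-hours access detection over access-log lines.

Added example for the logging and monitoring section; not code from the
original article. The log format, thresholds, business hours and sample
lines are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BULK_THRESHOLD = 1000             # records per account per window (assumed)
WINDOW = timedelta(hours=1)       # sliding window for summing record counts
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59 in the log's own timezone offset

# Constructed sample lines: ISO-8601 timestamp followed by key=value fields
# answering who (user), what (dataset, count), when (timestamp) and how (src).
SAMPLE_LOG = """\
2025-11-03T09:12:41+07:00 user=tran.b src=office action=read dataset=customer_files count=3
2025-11-03T09:15:02+07:00 user=tran.b src=office action=read dataset=customer_files count=5
2025-11-03T02:07:19+07:00 user=le.c src=vpn action=download dataset=customer_records count=10000
2025-11-03T14:30:00+07:00 user=pham.d src=cloud action=download dataset=hr_records count=600
2025-11-03T14:45:00+07:00 user=pham.d src=cloud action=download dataset=hr_records count=600
2025-11-03T10:00:00+07:00 user=hoang.e src=office action=read dataset=payment_data count=1
"""

def parse_line(line: str) -> dict:
    """Turn one log line into a dict; purely numeric values become ints."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        key, value = f.split("=", 1)
        event[key] = int(value) if value.isdigit() else value
    return event

def detect_anomalies(log_text: str) -> list:
    """Return one alert per event that trips a rule, in time order."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(list)    # user -> [(ts, count)] still inside the window
    alerts = []
    for e in events:
        reasons = []
        # Rule 1: a download at 2 a.m. is not normal administrative work.
        if e["action"] == "download" and e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("download outside business hours")
        # Rule 2: sliding-window volume per account, so 600 + 600 within an hour
        # is caught even though each single download stays under the threshold.
        kept = [(t, c) for t, c in recent[e["user"]] if e["ts"] - t <= WINDOW]
        kept.append((e["ts"], e["count"]))
        recent[e["user"]] = kept
        total = sum(c for _, c in kept)
        if total >= BULK_THRESHOLD:
            reasons.append(f"{total} records within {WINDOW} (threshold {BULK_THRESHOLD})")
        if reasons:
            alerts.append({
                "user": e["user"], "ts": e["ts"].isoformat(), "src": e["src"],
                "dataset": e["dataset"], "reasons": reasons,
                # Response the section above calls for: stop the leak first.
                "action": "lock account, block further downloads, isolate device",
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

On the sample lines the 10,000-record VPN download at 02:07 trips both rules, and the two 600-record cloud downloads 15 minutes apart trip the volume rule on the second event; the small daytime reads produce nothing. In a real deployment the thresholds would be tuned per dataset and the alert would feed the isolation step of the incident response plan rather than just a print.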
In the past, compliance was mainly about avoiding penalties. But today, it’s about proving credibility and control. Customers, partners, and regulators expect companies to show that they can protect data, respond to incidents, and maintain transparency.
Both GDPR and PDPL share the same foundation:
- Transparency – individuals must know how their data is collected and used.
- Consent – personal data cannot be processed without a lawful basis; under the PDPL that basis is almost always the individual's explicit consent, while GDPR also recognizes other bases such as contract or legal obligation.
- Responsibility – businesses must protect, manage, and delete data responsibly.
- Accountability – organizations must prove they have the systems and governance in place to secure data.
In short, compliance is no longer a one-time project — it’s an ongoing commitment that must be built into every layer of your cybersecurity strategy. Businesses that demonstrate strong data governance gain a competitive edge, attract more customers, and strengthen resilience against growing cyber risks.
Let Us Help Your Data – Help You Stay Compliant and Secure
At ITM, we empower organizations to build trust through strong data protection and cybersecurity practices. Our Cybersecurity Compliance & Data Protection Programs transform complex regulations like GDPR and Vietnam’s PDPL into clear, actionable strategies tailored to your business.
We help you:
- Identify risks early through real-time monitoring.
- Detect and contain data leaks before they escalate into regulatory violations.
- Strengthen data governance with audit-ready, transparent processes.
- Equip your teams to manage sensitive information safely and confidently.
- Build long-term resilience through continuous awareness and proactive security measures.
Protecting personal data isn’t just about following rules; it’s about protecting trust.
Partner with ITM to make your organization safer, smarter, and ready for the digital future.