Vietnam's PDPL Is Here.
Fines Up to 5% Revenue.
Are You Ready?
Foreign-owned companies in Vietnam face the highest risk under the new Personal Data Protection Law. Every data transfer to your HQ is a potential violation. We handle compliance AND implementation -- in English.
Free Compliance Gap Assessment
30-min diagnostic. Find out exactly where your company is exposed.
PDPL enforcement begins Jan 1, 2026 -- start now.
No sales pitch -- just a clear gap analysis of your compliance exposure.
Are You at Risk?
If you answer YES to any of these, your company needs PDPL compliance action before January 2026.
Every employee record, customer database sync, or CRM update sent to a parent company abroad is a cross-border data transfer. Under PDPL, each transfer requires a Cross-border Transfer Impact Assessment (CTIA) filed with the Ministry of Public Security.
If your cloud infrastructure runs on servers in Singapore, Tokyo, or Oregon, you are processing Vietnamese citizen data offshore. Decree 356 requires data localization or an approved CTIA for each cross-border processing activity.
Employee payroll, customer transactions, website analytics with IP tracking, email marketing lists -- if any data subject is a Vietnamese citizen, you must comply with PDPL. Even B2B companies with Vietnamese employees are in scope.
Salesforce, HubSpot, Slack, Google Workspace, Microsoft 365 -- every SaaS tool that stores Vietnamese user data creates a data export event under the PDPL. Each must be documented in your data flow register.
Financial data is classified as sensitive personal data under PDPL, triggering additional requirements including enhanced consent mechanisms, stricter storage rules, and mandatory DPIAs before processing can begin.
Decree 356 requires organizations processing large volumes of personal data to appoint a DPO based in Vietnam. No DPO = automatic non-compliance. Our DPO-as-a-Service solves this immediately.
Three Laws. One Deadline. Zero Excuses.
Vietnam's new data protection regime is not one law -- it is three overlapping regulations with cascading deadlines. Here is what you need to know.
EFFECTIVE: JANUARY 1, 2026
Vietnam's comprehensive data protection framework. Governs consent, purpose limitation, data subject rights, breach notification (72 hours), and cross-border transfers. Applies to ANY organization processing Vietnamese citizen data -- domestic or foreign. Fines: up to 5% of annual revenue in Vietnam.
EFFECTIVE: WITH PDPL
The operational backbone of the PDPL. Mandates Data Protection Impact Assessments (DPIAs), Cross-border Transfer Impact Assessments (CTIAs), data flow documentation, data retention schedules, and specific consent mechanisms. Foreign companies must file DPIAs with the Ministry of Public Security.
EFFECTIVE: JULY 1, 2026
Mandatory security controls, 24-hour incident reporting, data localization for critical sectors, regular security assessments, and infrastructure audit requirements. Overlaps significantly with PDPL -- creating dual compliance obligations. Companies must implement both simultaneously.
Most companies treat these as separate compliance projects. That is a mistake. The overlap between PDPL, Decree 356, and Cybersecurity Law 116 means you need a unified compliance strategy -- not three separate legal opinions.
Sources: Vietnam PDPL 2025, Decree 356/2025, Cybersecurity Law No. 116/2025
Compliance + Implementation. One Team.
We do not hand you a PDF and wish you luck. We map the law, build the technical controls, file the documents, and monitor ongoing compliance.
Data Flow Mapping
Complete inventory of personal data flows across your organization: where data originates, where it travels, who processes it, and where it is stored. The foundation of every DPIA.
Cloud Architecture Review
Assess your AWS, Azure, or GCP infrastructure for PDPL compliance. Identify data residency violations, configure regional compliance boundaries, and implement data localization controls.
DPIA & CTIA Filing
Draft, review, and file Data Protection Impact Assessments and Cross-border Transfer Impact Assessments with the Ministry of Public Security. Complete documentation package.
DPO-as-a-Service
Outsourced Data Protection Officer based in Vietnam. Ongoing compliance monitoring, regulatory liaison, staff training, and data subject request handling -- without a full-time hire.
Security Controls Implementation
Deploy the technical security controls required by Cybersecurity Law 116/2025: encryption, access controls, logging, incident response systems, and security monitoring infrastructure.
Cross-Border Transfer Compliance
Assess every international data transfer against PDPL requirements. Implement Standard Contractual Clauses, Binding Corporate Rules, and data transfer mechanisms for HQ reporting.
Law Firms vs Big Four vs Seraphim
Law firms write opinions. Consulting firms write reports. We write the code, configure the cloud, file the DPIAs, and keep you compliant.
| Capability | Law Firms | Big Four | Seraphim |
|---|---|---|---|
| Legal compliance mapping | ✓ Yes | ✓ Yes | ✓ Yes |
| DPIA / CTIA drafting & filing | ✓ Drafting only | ● Template-based | ✓ Full draft + file |
| Technical implementation | ✗ No | ✗ No | ✓ Full stack |
| Cloud architecture changes | ✗ No | ✗ No | ✓ AWS/Azure/GCP |
| Security controls deployment | ✗ No | ● Recommendations only | ✓ Implemented |
| DPO-as-a-Service | ✗ No | ● Limited | ✓ Full-service |
| English-speaking team in VN | ● Sometimes | ✓ Yes | ✓ Native English |
| Cybersecurity Law 116 coverage | ✗ Legal only | ● Assessment only | ✓ Full compliance |
| Typical engagement cost | $50K-$200K+ (hourly) | $80K-$300K+ | $8K-$25K (fixed) |
| Billing model | $300-$800/hr | $400-$1,000/hr | Fixed-fee packages |
Why pay $300-800/hr for a legal opinion when you need actual implementation?
Enterprise-Grade Compliance Partners
Part of the QNTM Venture portfolio -- international technology consulting with Vietnam-specific expertise.
What Our Clients Say
We were sending employee data to our Singapore HQ with zero documentation. Seraphim mapped every data flow, filed our CTIA, and restructured our AWS to comply -- all in 10 weeks.
Our law firm quoted $120K for a legal opinion. Seraphim delivered full compliance -- legal mapping, cloud architecture, DPIA filing, and ongoing DPO service -- for a fraction of that.
The fact that they speak native English and understand both Vietnamese law AND cloud architecture is unique. Nobody else in the market does what they do.
Our Guarantee
If our compliance gap assessment does not identify at least 3 critical compliance gaps, we will refund your entire engagement fee -- no questions asked.
Common Questions
The Vietnam Personal Data Protection Law (PDPL) is Vietnam's comprehensive data protection regulation, effective January 1, 2026. It governs how organizations collect, process, store, and transfer personal data of Vietnamese citizens. Decree 356/2025 provides the implementing guidelines, requiring Data Protection Impact Assessments (DPIAs), Cross-border Transfer Impact Assessments (CTIAs), and detailed data flow documentation.
Penalties include fines of up to 5% of annual revenue in Vietnam. Additional sanctions include suspension of data processing activities, mandatory public notification of violations, and potential criminal liability for serious breaches. Foreign companies face heightened scrutiny as cross-border data transfers are treated as high-risk processing activities.
Yes. Any organization that processes personal data of Vietnamese citizens must comply, regardless of where the company is incorporated. If you have employees, customers, or users in Vietnam, you are subject to the PDPL. Foreign-owned companies face additional requirements around cross-border data transfers, including mandatory CTIAs and data localization obligations.
Cybersecurity Law No. 116/2025, effective July 1, 2026, introduces mandatory security controls, incident reporting requirements, and data localization mandates for companies operating in Vietnam. It overlaps with the PDPL, creating dual compliance obligations. Companies must implement technical security measures, conduct regular security assessments, and report cybersecurity incidents within 24 hours.
Law firms provide legal opinions but cannot implement technical controls. Big Four firms charge premium rates for generalist assessments. Seraphim is the only English-speaking technology firm in Vietnam that provides both legal compliance mapping AND technical implementation -- from data flow mapping and DPIA filing to cloud architecture changes and security control deployment. We implement, not just advise.
A typical engagement runs 8-16 weeks depending on complexity. Phase 1 (Gap Assessment) takes 2-3 weeks, Phase 2 (Data Mapping and Documentation) takes 3-4 weeks, Phase 3 (Technical Implementation) takes 4-8 weeks, and Phase 4 (Filing and Ongoing Monitoring) is continuous. We recommend starting at least 6 months before enforcement deadlines.
The free 30-minute Compliance Gap Assessment is a diagnostic call where we review your current data processing activities, identify your highest-risk areas under PDPL and Cybersecurity Law 116/2025, assess your cross-border data transfer exposure, and provide a prioritized remediation roadmap. No sales pitch -- just a clear picture of where you stand.
Don't Wait for the Fine.
Get Compliant Now.
Book your free 30-minute Compliance Gap Assessment. Find out exactly where your company is exposed under Vietnam's PDPL, Decree 356, and Cybersecurity Law 116/2025.