From January 1st, 2026, Decree No. 356/2025/ND-CP officially comes into effect, marking a major turning point in the legal framework for information security in Vietnam. For businesses, especially in the Finance - Banking and Technology sectors, understanding the new points of Decree 356/2025/ND-CP is mandatory to ensure compliance and avoid serious legal risks.
Let's take a look at the latest limitations and regulations that businesses need to be aware of and adapt to, as compiled by MAN – Master Accountant Network.
Strict limitations in data processing
One of the most notable new features of Decree 356/2025/ND-CP is the establishment of strict technical and legal "barriers" to maximally protect the rights of data subjects:
- Controlling sensitive data: No longer just a recommendation, granting access rights and establishing security procedures for sensitive data is now a mandatory requirement. Organizations must have separate risk management and security systems for this type of data in accordance with the new provisions of Decree 356/2025/ND-CP.
- Consent must be genuine: Ending the practice of "default checkboxes" or using deceptive language to mislead users. This is a new point in Decree 356/2025/ND-CP, aiming to ensure that consent is a proactive and clear action from the data subject.
- The "Right Purpose - Right Scope" principle: Businesses are only permitted to process and transfer data that is truly necessary for the stated purpose and is consistent with their registered business activities.
- Prohibition of the formation of "illegal data repositories": Exploiting data transfer activities to secretly collect, store, and form data repositories for purposes other than the initial agreement is a violation of the law according to the new provisions of Decree 356/2025/ND-CP.
- Restrictions on Blockchain Storage: This regulation targets technology companies directly: Personal data cannot be stored directly on the blockchain unless it has been de-identified or stored only as a hash value.
- The right of specialized agencies to intervene: In cases affecting national defense and security, cross-border data transfers may be ordered to stop immediately, a new point in Decree 356/2025/ND-CP that requires special attention.
In parallel with the stringent limitations mentioned above, businesses need to proactively transform their internal operating processes to meet the new technical standards. To avoid being caught off guard by these changes, here are the specific implementation steps that organizations need to take immediately.
Essential business regulations you must know.
To operate legally and adhere to the new provisions of Decree 356/2025/ND-CP from 2026, businesses need to proactively implement the following:
Response process and deadlines
Data control units must develop professional forms and procedures to meet the rights of citizens. All requests must be processed within strictly stipulated timeframes. This is a crucial part of the new points in Decree 356/2025/ND-CP.
Verifiable nature of consent
Every method of obtaining consent must be traceable: Who consented? When was consent given? What was the content of the consent? Verification is a core requirement in the new provisions of Decree 356/2025/ND-CP.
Transfer and Confidentiality Agreement
All data transfer activities must be formalized in writing through an agreement. In particular, if sensitive data is being transferred, encryption and data anonymization measures must be implemented.
Specific regulations for the Finance and Banking sector.
This is the group most strongly affected by the new provisions of Decree 356/2025/ND-CP:
- Applying national technical standards for data deidentification and anonymization.
- Compliance checks: Conduct periodic assessments once a year.
- Incident reporting: In the event of a leak or loss of sensitive data, the relevant authority and the data subject must be notified within 72 hours.
Human Resources and International Cooperation
Businesses need to appoint data protection personnel who meet the required standards. The internationalization of data security practices is also a noteworthy new point in Decree 356/2025/ND-CP.
In summary, the aforementioned regulations and limitations form a comprehensive legal framework, requiring businesses to shift from a "maximum data collection" mindset to a "minimum processing and maximum security" mindset. Understanding these mandatory regulations is a crucial stepping stone to practical actions aimed at optimizing operational processes.
See more: Will the new VAT refund policy apply to VAT incurred before July 1, 2025?
Conclude
Proactively updating the new provisions of Decree 356/2025/ND-CP is not only a matter of legal compliance but also key to protecting the reputation and building lasting trust with customers in the digital economy era. These changes require thorough preparation in both operational processes and technological platforms starting today.
Are your businesses concerned about data compliance processes? Don't let legal risks disrupt your growth. Contact MAN – Master Accountant Network's team of financial and legal experts today for advice on the optimal transformation roadmap and implementation of the new provisions of Decree 356/2025/ND-CP for your business!
Contact information MAN – Master Accountant Network
- Address: No. 19A, Street 43, Tan Thuan Ward, Ho Chi Minh City
- Mobile/Zalo: 0903 963 163 – 0903 428 622
- E-mail: man@man.net.vn
Content production by: Mr. Le Hoang Tuyen – Founder & CEO MAN – Master Accountant Network, Vietnamese CPA Auditor with over 30 years of experience in Accounting, Auditing and Financial Consulting.
Source: Decree No. 356/2025/ND-CP – New regulations on the protection and transfer of personal data.
Editorial Board of MAN – Master Accountant Network
