HCMC – In the digital age, customer data has become a new source of “gold,” empowering businesses to market products more effectively. Yet, it also exposes them to risks as the line between creative marketing and potential legal violations grows increasingly thin. The urgency has only intensified with Vietnam’s Personal Data Protection Law set to take effect from January 1, 2026.
On October 16, the Saigon Times Group, in collaboration with the HCMC Department of Industry and Trade, held a training workshop titled “Protecting Customers’ Personal Data in Corporate Brand Development”. The event was part of a support program for businesses participating in the annual HCMC Brand Awards which is held under the direction of the HCMC People’s Committee.
Presenters at the workshop shared insights on the evolving landscape of personal data protection and its growing role in shaping corporate branding strategies.
Data distrust: The silent threat in corporate digitalisation
Marketing activities have long relied on data as a vital asset, allowing companies to build customer profiles, segment audiences, and forecast consumer behavior. But the way businesses collect and use that data is changing fast.
Nguyen Thanh Long, managing partner at Xanh Marketing, noted that users are becoming far more cautious about how they share personal information online. “If people once freely posted photos and details of their daily lives on Facebook, now many choose to hide their information, lock accounts, or share only within small friend groups,” he said.
Gen Z, in particular, has mastered the art of “staying invisible.” According to Long, this shift reflects growing awareness of privacy and a desire for control over personal data — echoing Facebook CEO Mark Zuckerberg’s assertion that “the future of social media is privacy.”
For companies, the message is clear: marketing strategies must evolve toward personalization that respects privacy and transparency.
Long explained that personal data typically falls into four categories: basic (such as name, date of birth, and photos), sensitive (financial or health information), behavioral (shopping habits, ad interactions), and emotional or attitudinal (customer feedback and satisfaction).
“Used responsibly, data helps businesses optimize marketing costs and retain customers rather than constantly chasing new ones,” he said.
Long pointed to three key shifts shaping the future of data-driven marketing. The first is moving from big data to smart data by collecting only relevant information and always with prior consent from clients. The second is interactive marketing, where users voluntarily share data by engaging in online games or promotions. The third is building digital trust so that customers feel safe providing data.
“Eighty-seven percent of internet users say they would not transact with a company that has violated data security,” Long noted.
Data protection: From choice to obligation
For many years, marketing compliance was governed by a familiar set of rules: the Advertising Law, the Consumer Protection Law, and the Competition Law. But as Nguyen Van Phuc, managing partner at HM&P Law Firm, explained, that framework is no longer enough.
Since the introduction in April 2023 of Government Decree 13 on personal data protection (and with the Personal Data Protection Law coming into force) Vietnam’s legal landscape has been fundamentally reshaped. Every phone number, photo, check-in, survey form, or QR scan now qualifies as personal data, and companies are fully accountable for how they collect, store and use it.
“Personal data used to be seen as a free resource,” said Phuc. “Now, it’s a protected asset. The mindset that ‘data is gold’ must shift to ‘data is responsibility.’”
That responsibility begins with prior customer consent. Businesses must explain why they are collecting data, be transparent about how it will be used, and prove consent if required. Importantly, consent cannot be bundled: agreeing to receive a voucher, for instance, does not mean agreeing to receive advertising. Companies must also keep verifiable proof whether in the form of electronic logs, forms, or audio records.
The law further requires firms to define how long they retain data and to delete it once that period expires. For example, six months for promotional programs or the duration of a contract for customer accounts.
Companies must also submit personal data impact assessments to the Ministry of Public Security, establish internal compliance policies, and appoint a data protection officer (DPO) to oversee data handling and dispute resolution.
Lawyer Nguyen Ngoc Tra My of HM&P stressed that when signing data-processing contracts with third parties, businesses must clearly define the scope, security obligations, and data deletion procedures upon contract termination. She also advised firms to strengthen internal security, develop safe information-sharing protocols, conduct regular staff training, and assign dedicated DPOs to minimize legal risks.
Adding a broader legal perspective, Senior Lawyer Nguyen Nhat Duong analyzed the concept of “data de-identification.” Under the law, data is only considered non-personal if it cannot be re-identified by any means, is subject to regular assessment, and has both technical and organizational safeguards against re-identification.
“If these conditions are not met,” Duong cautioned, “the data remains personal and the full weight of the law still applies.”
To help businesses better understand and comply with personal data protection regulations, HM&P Law Firm has released a handbook titled “Compliance with Vietnam’s Personal Data Protection Law for Businesses.” Readers can download it via this QR code.
