Current Vietnamese Legal Regulations on Data-at-Rest Security Policies

In response to the increasing risks of data breaches and the rapid development of the digital economy, Vietnamese law has gradually established a comprehensive legal framework governing the protection of personal data, including data stored in physical and electronic forms. Data-at-rest security policies are now recognized as a mandatory compliance component for enterprises, serving as a key instrument to ensure lawful data processing, risk management, and accountability.

1. Current Legal Regulations on the Development of Data-at-Rest Security Policies

Stored data, in the context of personal data protection, is understood as information reflecting a specific individual or enabling the identification of a specific individual, which is recorded and retained on storage media (Clause 1, Article 2 of the Law on Personal Data Protection 2025). Accordingly, personal data protection refers to the use of human resources, technical means, and measures by agencies, organizations, and individuals to prevent and combat acts infringing upon personal data.

At present, the Vietnamese legal framework on data protection clearly stipulates the responsibilities of organizations in establishing and implementing data-at-rest security policies. Specifically, under Section 2 governing certain data processing activities and Article 37 of the Law on Personal Data Protection 2025, enterprises (data controllers and data processors) are required to adopt appropriate managerial and technical measures to protect personal data in accordance with the law. This obligation may include the issuance of internal regulations on data protection, clearly defining the scope and purpose of data storage, as well as corresponding technical and organizational measures to ensure information security.

2. Core Contents of a Data-at-Rest Security Policy

A properly structured data-at-rest security policy must be developed based on a robust risk governance framework, incorporating sections on data classification and data labeling according to levels of criticality. The core contents should clearly stipulate access control procedures, encryption technical standards applicable to each type of storage medium, and periodic backup and disaster recovery plans.

In addition, the policy must specify the maximum data retention period for each data category and establish secure data destruction procedures to ensure that information cannot be recovered once it has exceeded its legitimate usage purpose.

In short, a comprehensive data-at-rest security policy must combine governance, technical, and procedural elements so that risks to stored data are controlled effectively and information security is maintained to the required standard.

3. Fundamental Principles Governing Data-at-Rest Security Policies

To ensure information security and legal compliance, an organization’s data-at-rest security policy must be formulated in accordance with the core principles of personal data protection as set out in Article 3 of the Law on Personal Data Protection 2025 (effective from 1 January 2026), including:

  • Compliance with the Constitution, the Law on Personal Data Protection 2025, and other relevant laws and regulations;
  • Collection and processing of personal data strictly within defined, specific, and lawful purposes and scopes, in compliance with legal requirements;
  • Ensuring the accuracy of personal data and enabling its correction, updating, and supplementation where necessary; retaining data only for a period consistent with the data processing purpose, unless otherwise prescribed by law;
  • Implementing synchronized and effective institutional, technical, and human-resource measures appropriate to personal data protection;
  • Proactively preventing, detecting, stopping, combating, and promptly and strictly handling all violations of personal data protection laws;
  • Ensuring that personal data protection is aligned with the protection of national and public interests, serving socio-economic development, national defense, security, and foreign affairs, while maintaining a balance between personal data protection and the lawful rights and interests of agencies, organizations, and individuals.

Strict adherence to these principles is not only a mandatory legal obligation but also a fundamental foundation for organizations to build customer trust, optimally protect privacy rights, and ensure safe and sustainable operations in the digital environment.

4. Entities Responsible for Establishing and Maintaining Data-at-Rest Security Policies within Enterprises

The highest level of legal responsibility rests with the enterprise’s legal representative, who is responsible for ensuring adequate resources for the implementation of data security measures. For entities processing large-scale data or sensitive data, the personal data protection department designated pursuant to Clause 2, Article 28 of Decree No. 13/2023/NĐ-CP plays a direct role in establishing, supervising, and periodically reporting on compliance status.

Accordingly, the responsibility for establishing and maintaining data-at-rest security policies lies with the enterprise itself, led by the legal representative, with the direct involvement of the personal data protection function to ensure both legal compliance and effective implementation.

In conclusion, Vietnamese law has clearly defined the legal obligations of enterprises in relation to the establishment and maintenance of data-at-rest security policies. These policies are not merely internal governance instruments but are legally mandated mechanisms for protecting personal data, managing risks, and ensuring accountability. By aligning policy design with statutory principles, clearly defining responsibilities, and implementing appropriate technical and organizational measures, enterprises can achieve lawful compliance, enhance information security, and sustain long-term trust in an increasingly regulated digital landscape.


Dinh Phuong Thao
