Preparation of Personal Data Processing Impact Assessment (PDA)

Identify risks – Demonstrate accountability – Proactively comply

CDLAF accompanies businesses in fulfilling all legal obligations in personal data processing through the preparation of a Personal Data Processing Impact Assessment (PDA) in accordance with regulations. This is a mandatory requirement for all organizations and businesses that process personal data for commercial purposes, especially in sensitive scenarios including:

  • Processing of sensitive data (e.g., fingerprints, health information, location data, etc.)
  • Sharing or transferring data overseas
  • Applying automated technologies (e.g., AI, behavioral tracking, etc.)
  • Large-scale projects or multi-channel data processing

CDLAF’s PDA service is designed to help businesses:

  • Accurately and systematically meet legal requirements
  • Identify and control risks from the system design phase
  • Demonstrate accountability to customers, partners, and regulators
  • Be prepared to present documentation during inspections or international cooperation

Scope of services provided

CDLAF supports businesses in developing a complete PDA file, comprising all components required by law, including:

  • The purposes of personal data processing (for each specific data group)
  • Analysis of the entire data processing workflow: from collection – storage – usage – sharing – deletion/destruction
  • Identification of risks to personal privacy and freedoms
  • Assessment of existing legal, technical, and organizational measures to mitigate risks
  • Recommendations for additional technical, legal, or organizational solutions if gaps are found
  • Preparation of the full PDA documentation in standardized format (Vietnamese/English)
  • Guidance for internal issuance and submission to the competent authority

How we do it

Step 1: On-site survey of personal data processing activities

We begin by working directly with relevant departments within the organization (legal, IT, HR, marketing, operations, etc.) to collect comprehensive information on personal data processing activities, including:

  • Sources of data collection: websites, apps, forms, contracts, recording devices
  • Types of personal and sensitive data being collected
  • Purposes of processing, retention periods, and usage methods
  • System infrastructure: software, cloud services, CRM, ERP, internal storage systems
  • Data sharing with third parties (if applicable)

Based on the collected information, we conduct a preliminary compliance assessment and identify areas of risk. These findings form the foundation for the development of an accurate, complete, and operationally relevant PDA file.

Step 2: Data flow mapping and processing chain analysis

Following the survey, we proceed to develop a personal data flow map, providing a visual representation of how data moves within and outside the organization. This includes:

  • Identifying the parties responsible for collecting, processing, storing, and sharing data
  • Determining the systems or platforms involved (in-house, SaaS, third-party)
  • Marking data transfer points and sharing channels (email, API, Excel, USB, etc.)
  • Identifying potential vulnerabilities such as: unencrypted data, lack of access controls, absence of processing logs

The data flow map is clearly diagrammed and included as an annex in the PDA file, allowing for easy monitoring, justification, and future updates by the business.

Step 3: Risk and impact assessment on individual rights

In this phase, we perform a comprehensive evaluation of potential risks arising from data processing activities, with a focus on:

  • The level of impact on the rights and legitimate interests of data subjects (e.g., risk of surveillance, discrimination, data leakage)
  • Technical risks: unauthorized access, data loss, malware, data inaccuracies
  • Operational risks: human error, lack of procedures, untrained personnel
  • Legal risks: absence of legal basis, failure to notify, lack of proper consent

We apply a probability–impact assessment methodology to categorize and score each risk. Based on the results, we recommend appropriate mitigation measures tailored to the specific risk types involved.

Step 4: Recommendation and documentation of control measures

Based on the risk assessment results, we recommend and document the existing and additional technical, legal, and organizational measures required to ensure the security of personal data, including:

  • Technical measures: data encryption, access controls, multi-factor authentication, regular backups
  • Organizational measures: staff training, assignment of responsibilities, internal SOPs
  • Legal measures: updated privacy policies, data processing agreements with third parties

All measures are clearly described in the PDA file in the form of categorized listings, with specific illustrations based on the nature of activities and types of data involved.
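To make Steps 2 to 4 concrete, the following is an added worked example (not CDLAF's own tooling or methodology) of a small risk register: it takes a constructed data flow inventory of the kind produced in Step 2, flags the weaknesses that step names (unencrypted data, lack of access controls, absence of processing logs, ad-hoc transfer channels), scores each flow with a simple probability × impact scale as in Step 3, and maps each finding to a technical, organizational, or legal measure of the kind listed in Step 4. The flows, the 1–5 scales, the thresholds for High/Medium/Low, and the measure wording are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Channels treated as ad-hoc / hard to control in this example (assumption).
UNCONTROLLED_CHANNELS = {"email", "Excel", "USB"}


@dataclass
class DataFlow:
    """One entry of the data flow map produced in Step 2 (hypothetical schema)."""
    name: str
    data_types: List[str]
    channel: str            # e.g. "API", "SaaS", "email", "USB"
    encrypted: bool
    access_controlled: bool
    logged: bool
    sensitive: bool = False      # contains sensitive personal data
    cross_border: bool = False   # leaves the country (triggers extra legal measures)


# Constructed sample inventory for a hypothetical organisation, not a real client.
SAMPLE_FLOWS = [
    DataFlow("CRM sync", ["name", "email"], "API", True, True, True),
    DataFlow("HR health records export", ["health information"], "email",
             False, False, False, sensitive=True),
    DataFlow("Payroll to overseas provider", ["ID number", "salary"], "SaaS",
             True, True, False, cross_border=True),
    DataFlow("Marketing list hand-off", ["email", "phone"], "USB",
             False, True, False),
]

# Weakness -> recommended measure, grouped by the Step 4 categories (assumed wording).
WEAKNESS_MEASURES: Dict[str, str] = {
    "unencrypted data": "Technical: encrypt the data at rest and in transit",
    "lack of access controls": "Technical: role-based access control plus multi-factor authentication",
    "absence of processing logs": "Technical/organizational: enable processing logs and an SOP for reviewing them",
    "uncontrolled transfer channel": "Organizational: replace the ad-hoc channel with an approved transfer mechanism and train staff",
}


def find_weaknesses(flow: DataFlow) -> List[str]:
    """Return the Step 2 weaknesses present in one flow, in a fixed order."""
    weaknesses = []
    if not flow.encrypted:
        weaknesses.append("unencrypted data")
    if not flow.access_controlled:
        weaknesses.append("lack of access controls")
    if not flow.logged:
        weaknesses.append("absence of processing logs")
    if flow.channel in UNCONTROLLED_CHANNELS:
        weaknesses.append("uncontrolled transfer channel")
    return weaknesses


def score_flow(flow: DataFlow) -> Tuple[int, int, int, str]:
    """Probability x impact scoring (both 1-5) with High/Medium/Low banding."""
    # Each weakness makes an incident more likely; capped at 5.
    probability = min(5, 1 + len(find_weaknesses(flow)))
    # Sensitive data and cross-border transfer raise the impact on data subjects; capped at 5.
    impact = min(5, 2 + (2 if flow.sensitive else 0) + (2 if flow.cross_border else 0))
    score = probability * impact
    level = "High" if score >= 15 else "Medium" if score >= 8 else "Low"
    return probability, impact, score, level


def recommend(flow: DataFlow) -> List[str]:
    """Map the findings of one flow to the measures documented in Step 4."""
    measures = [WEAKNESS_MEASURES[w] for w in find_weaknesses(flow)]
    if flow.sensitive:
        measures.append("Legal: confirm the legal basis and explicit consent for sensitive data")
    if flow.cross_border:
        measures.append("Legal: data processing agreement and cross-border transfer documentation")
    return measures


def assess(flows: List[DataFlow]) -> List[dict]:
    """Build the risk register, highest-scoring flow first."""
    register = []
    for flow in flows:
        probability, impact, score, level = score_flow(flow)
        register.append({
            "flow": flow.name, "channel": flow.channel,
            "weaknesses": find_weaknesses(flow),
            "probability": probability, "impact": impact,
            "score": score, "level": level,
            "measures": recommend(flow),
        })
    return sorted(register, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    for row in assess(SAMPLE_FLOWS):
        print(f"{row['level']:6} {row['score']:2}  {row['flow']} via {row['channel']}")
        for weakness in row["weaknesses"]:
            print(f"         - {weakness}")
        for measure in row["measures"]:
            print(f"         -> {measure}")
```

In the sample inventory the unencrypted, uncontrolled e-mail export of health records scores 5 × 4 = 20 (High), while the encrypted API sync with full logging scores 1 × 2 = 2 (Low); the register output is the kind of categorized listing that ends up in the PDA file's risk and control sections.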

Step 5: Drafting and finalizing the PDA file

Once all relevant information has been gathered and risks analyzed, we proceed to draft the Personal Data Processing Impact Assessment File in accordance with the legally prescribed structure, which includes:

  • An overview of data processing activities
  • Data types, data subjects, and processing purposes
  • Data flow and processing workflow
  • Risk analysis and control measures
  • Appendices: data flow diagrams, templates for handling data subject requests

The documentation is presented professionally and can be provided in Vietnamese or bilingual (Vietnamese–English) format upon request. It is fully compliant for submission to regulatory authorities or international partners when required.

Step 6: Guidance on internal issuance and submission (if applicable)

Our support does not end with the drafting of the PDA file. We also assist businesses in formally issuing and operationalizing the document in accordance with proper procedures, including:

  • Preparing the issuance decision to be signed by an authorized representative
  • Providing guidance on internal disclosure and archiving of the file in compliance with regulations
  • Advising on the procedures for submitting the PDA file to the Ministry of Public Security (Department of Cybersecurity and High-Tech Crime Prevention) in cases involving cross-border data transfers or large-scale processing of sensitive personal data
  • Supplying templates for periodic updates to the PDA file to prevent obsolescence or non-compliance due to outdated documentation

Additionally, we are available to provide short training sessions for the designated data protection officer or data governance team to ensure the PDA file is implemented and maintained effectively and in line with its intended purpose.

Why choose us?

A team of highly specialized and experienced Lawyers

We are a team of professionally trained Lawyers and Legal Consultants with practical experience in implementing personal data protection compliance under local regulations as well as international standards such as GDPR, APPI, and CCPA. Our team has successfully supported numerous FDI enterprises, tech startups, banks, and financial institutions.

In-Depth analysis – Tailored advice – Practical solutions

We do more than just identify problems — we provide solutions that are realistic, cost-effective, and aligned with your company’s size, budget, and operational model, ensuring both feasibility and impact.

Commitment to confidentiality and long-term support

All company information is kept strictly confidential in accordance with legal professional standards. We also offer ongoing support in remediation, staff training, contract review, internal policy development, and more.

Customized industry-specific design

No generic templates — your policies are built specifically for your organization’s structure, profession, and technology model.

High-quality documentation

Our deliverables are clearly structured, professionally formatted, and available in bilingual (Vietnamese–English) formats if needed — ready for submission to banks, investors, partners, or regulatory authorities.

End-to-end service, not just paperwork delivery

Implementation guidance, training, operational support, and post-issuance monitoring

30-Point Personal Data Compliance Self-Assessment Checklist

Receive a specialized document package containing 30 key criteria, enabling your organization to quickly self-assess its compliance status under Decree No. 13/2023/NĐ-CP — entirely free of charge.
