Is it Mandatory for Enterprises to Appoint Personal Data Protection Personnel?

The emergence of the Law on Personal Data Protection, Decree No. 356/2025/ND-CP, and most recently the Draft Decree on sanctioning violations in the field of personal data, which is currently under consultation for approval by competent authorities, has created significant compliance concerns for enterprises. Do these regulations impose financial burdens on enterprises, especially given that the law requires each enterprise, depending on its scale and capacity, to establish a personal data management department, designate personnel in charge of the enterprise's personal data protection, or outsource such functions to a third party? To ensure that the establishment of the department or the designation of personnel in charge of personal data complies with the standards prescribed by law, and to determine the scope of rights and the limits of responsibility of the designated personnel, enterprises need to note the issues below.


1. Forms of designation

The designation of personal data protection personnel or a personal data protection department must be executed through a formal written document of the enterprise. This document must clearly reflect the assignment, functions, duties, authorities, and other requirements concerning personal data protection work. It should be noted that enterprises may appoint personnel to hold concurrent positions; however, these individuals will be responsible for holding and ensuring the safety of the data subjects’ personal data, for which the enterprise itself is the committed party. Therefore, whether in the form of an independent professional role or a concurrent position, the internal regulations regarding the scope of work, authorities, and obligations must be as clear and detailed as possible.

2. Competency requirements for designated personnel

According to the regulations, the Personal Data Protection Personnel designated within an enterprise must fully satisfy the following three conditions:

  • Possess an associate degree or higher.
  • Have at least 03 years of work experience (starting from the time of graduation) related to one of the following fields: legal affairs, information technology, cybersecurity, data security, risk management, compliance control, human resource management, or personnel organization.
  • Have undergone training and acquired legal knowledge and professional skills in personal data protection.

In particular, the current regulations on training remain general and lack specific guidance; however, at the present time, under the aforementioned provisions, the training and cultivation of legal knowledge and skills in the field of personal data may be conducted through a third party operating in the field of personal data law.

Duties of Personal Data Protection Personnel: To perform duties similar to those of a department but in an advisory and supporting role (including: advising on policy formulation; participating in the implementation of data subject rights; participating in compliance assessments; preparing impact assessment dossiers; attending training courses; and participating in the implementation of technical measures).

In the event that an enterprise establishes a personal data protection department, the personnel within that department must meet the conditions stated above.

3. Matters enterprises need to note when establishing personal data protection departments or personnel

Designated personnel often lack clarity and independence. According to the regulations, an enterprise must designate personnel or a personal data protection department, and this department or personnel shall bear primary responsibility for controlling and ensuring the safety of data flows and ensuring compliance regarding personal data with data subjects. However, because these are new regulations, in some cases enterprises opt for concurrent personnel or departments to avoid financial burdens. Due to the concurrent nature of these roles and their professional focus on certain specific fields, concurrent personnel often lack independence in the performance of their duties, because, to a greater or lesser extent, the personal data protection personnel will not grasp or understand all types of personal data, data flows, or risks that may arise. For example, if the designated personnel is from the IT department, they tend to focus primarily on technical aspects and may find it difficult to grasp legal issues, or the data held within the accounting and HR departments.

Current personnel standards remain unclear; at present, personal data protection personnel in an enterprise must have an associate degree or higher, at least 3 years of experience, and have undergone training, which in essence merely establishes formal conditions and does not yet accurately reflect the substantive capacity needed to control personal data. This regulation does not clarify the core criteria: to what extent an individual needs to understand data flows, information technology systems, and legal risks to be able to perform a controlling role, or whether a certification from a qualified training organization is required.

In practice, a staff member with 3 years of experience in administration or human resources may still formally qualify under the regulations, yet lack the ability to identify data leak points and be unable to evaluate technical measures or legal compliance obligations. This leads to a paradox: the designation may be legally valid, but it does not ensure effective control in practice. From CDLAF's perspective, we believe that new documents may be issued in the near future to determine a competency framework and specific standards for personal data protection personnel; at present, the regulation only partially meets the needs of practical implementation. Whether to build a department with quality personnel will depend on each enterprise and on whether that enterprise sees the need for a qualified team to ensure compliance and data security.

Is the Scope of Work of the Personal Data Management Department Too Broad? In our view, the scope of duties for the personal data management department under current regulations is designed with very wide coverage: from formulating internal policies, implementing data subject rights, assessing compliance, and preparing data protection impact assessments (DPIA), to technical control, training, and incident response. In essence, this is a combination of many different professional fields, including legal, information technology, operations, and risk management. In enterprise practice, however, expecting a single individual, or even a single department, to fully undertake all of these functions is unfeasible. Without an appropriate assignment mechanism (for example, legal, IT, and operations coordinating under an inter-departmental model, or outsourcing to experts), this very broad scope will itself become the greatest barrier preventing enterprises from implementing the regulations effectively.

Efficiency evaluation standards do not yet exist. Current regulations mainly stop at requiring enterprises to "have" a department, "have" personnel, and "have" functions related to data control, but do not establish any quantitative criteria to evaluate operational efficiency. Without measurement standards, inspection benchmarks, or independent evaluation mechanisms, a common reality follows: an enterprise may fully establish a structure on paper, yet still violate personal data protection obligations. The core cause does not lie in a lack of organization, but in the absence of standards to determine "whether enough has been done" and "to what extent it has been done correctly." From CDLAF's perspective, this is a critical weakness of the current legal framework: when there is no measurement mechanism, compliance easily becomes a formality, and legal risks are only identified after an incident has occurred, instead of being controlled in advance.

Overall, the current regulatory framework regarding personal data protection personnel and departments has initially established a foundational framework for personal data protection compliance activities, but there remains a significant gap between legal requirements and the actual implementation capacity of enterprises. From CDLAF’s perspective, what enterprises need to concern themselves with is not whether they “have designated the right person or not,” but whether they have built a data control mechanism that operates truly effectively. This requires an approach that goes beyond the scope of formal compliance, moving towards designing a model suitable for the scale, risk level, and internal capacity of each enterprise; while simultaneously flexibly combining internal resources and external experts.

Time of writing: 30/03/2026

The article contains general information which is of reference value only. If you want to receive legal opinions on issues you need clarified, please get in touch with our lawyers at info@cdlaf.vn

Why choose CDLAF’s service?

  • We provide effective and comprehensive legal solutions that help you save money and maintain compliance in your business;
  • We continue to monitor your legal matters even after the service is completed and update you when there are any changes in the Vietnamese legal system;
  • Our system of forms and processes related to labor and personnel is continuously built and updated and will be provided as soon as the customer requests it;
  • As a Vietnamese law firm, we have a thorough understanding of Vietnam’s legal regulations, and grasp the psychology of employees, employers, and working methods at competent authorities;
  • CDLAF’s team of lawyers has many years of experience in the field of labor and enterprises, as well as human resources and financial advisory;
  • Strict information security procedures throughout the service performance and even after the service is completed.
