Risk identification – System review – Legal compliance readiness
Decree No. 13/2023/NĐ-CP on personal data protection has come into effect. Along with the wave of digital transformation and corporate electronic identification, organizations can no longer postpone compliance. Delays not only expose entities to legal risks but also undermine brand reputation and international cooperation capability.
Our “Personal data compliance assessment service” will assist you in:
- Gaining a clear understanding of the current personal data processing system
- Conducting a comprehensive review covering both internal policies and actual data processing practices
- Establishing a clear, legally compliant, and cost-effective action plan
How we do it
Process and detailed description

Step 1: Identification of types of personal data being processed
- Distribute survey forms and coordinate with relevant business units to collect information on the categories of personal data currently collected, used, stored, or shared.
- Classify personal data into specific groups: basic data, sensitive data, customer data, employee data, partner data, etc.
- Cross-check the data categories against the processing purposes and retention periods to conduct a preliminary assessment of legal compliance.

Step 2: Data flow mapping
- The client is required to provide information on personnel (organizational structure and departmental breakdown), customer information (including both individual and corporate customers of the client), and partner information (including partner enterprises, agencies, or other organizations).
- Information will be collected from relevant departments to record actual personal data processing procedures, starting from the point of data collection and ending at data storage.
- A data flow diagram will be developed to describe the movement of personal data within the organization and with third parties (identifying who collects, who processes/transfers, who shares, and who stores the data). The data flow mapping illustrates where personal data originates, the entities or systems through which it is processed, and its destination, serving as the basis for assessing transparency and controllability in personal data handling activities.

Step 3: Review of personal data storage methods, access control, software tools, and security systems
- Survey the organization's methods of storing personal data, including physical records, Excel files, management software, internal systems, and other relevant platforms.
- Assess access rights: identify who has access to the data, how the data is protected, and whether access control measures are in place.
- Identify legal risks associated with improper storage and access control of personal data, such as employee data breaches or unauthorized access incidents.

Step 4: Review of policies, procedures, and contracts
- Collect and assess internal documents such as the Personal Data Protection Policy (if any), procedures for obtaining consent and handling data subject requests, and confidentiality undertakings or agreements signed by personnel.
- Review relevant provisions in employment contracts, service agreements, outsourcing contracts, and similar legal instruments.
- Cross-check against applicable legal requirements to identify any missing or insufficient content that requires supplementation or amendment.

Step 5: Identification of third parties involved in personal data processing
- Coordinate with the client to compile a list of third parties that access or process personal data (e.g., CRM software providers, accounting service providers, cloud storage platforms, etc.).
- Review the current status of contracts or agreements with such third parties to assess whether they contain personal data protection clauses.
- Provide recommendations on necessary contractual provisions to ensure legal enforceability and compliance with applicable personal data protection requirements.

Step 6: Assessment of awareness and responsibilities of departments and personnel involved in personal data processing
- Distribute survey forms or conduct brief interviews with departments that frequently handle personal data (such as human resources, sales, customer service, marketing, etc.).
- Assess the level of understanding regarding privacy rights, data processing procedures, and behaviors that may pose potential risks.
- Identify whether a designated person or department is in charge of personal data protection (DPO or equivalent position).

Step 7: Recording of compliance status and legal risk assessment
- Consolidate all assessment results across each category of review.
- Identify areas of non-compliance or deficiencies in comparison with applicable legal requirements.
- Classify legal risks into three levels: severe, moderate, and minor, accompanied by corresponding remedial recommendations.
- Prepare a comprehensive Compliance Status and Gap Analysis Report, serving as a basis for subsequent compliance implementation phases.
Why choose us?
A team of specialized, experienced lawyers
We are a team of professionally trained lawyers and legal consultants with practical experience in implementing personal data compliance in accordance with Decree No. 13, GDPR, APPI, and CCPA. We have successfully assisted numerous FDI enterprises, technology startups, banks, and financial institutions in establishing and maintaining legally compliant personal data protection frameworks.
In-depth analysis – Specific legal advice – Practical solutions
We do not merely identify issues; we provide tailored recommendations and remedial measures aligned with the organization’s budget, scale, and operational model — ensuring both feasibility and legal effectiveness.
Clear reporting – Comprehensive analysis
The assessment results will be presented in a structured and visual report, with clearly categorized risk levels and specific recommendations. This enables the enterprise to efficiently proceed with subsequent steps such as policy development, conducting a DPIA, or engaging with regulatory authorities.
Confidentiality commitment and long-term support
All enterprise information is kept strictly confidential in accordance with professional legal practice standards. We remain available to provide ongoing support throughout the compliance process, including remediation measures, employee training, contract review, internal policy development, and related legal advisory services.
30-Point Personal Data Compliance Self-Assessment Checklist
Receive a specialized document package containing 30 key criteria, enabling your organization to quickly self-assess its compliance status under Decree No. 13/2023/NĐ-CP — entirely free of charge.