In the current digital era and with the rapid pace of technological advancements, most enterprise data, including personal data, is being digitized and stored either on the enterprise’s own cyberspace systems or on third-party provider platforms. However, this storage is often implemented flexibly to suit the needs of each department within the organization, and few enterprises establish standardized procedures or diagrams for data storage. In reality, the larger and more multi-platform the enterprise, the greater the risk of personal data sprawl and difficulty in control. The issue is not just about “data leaks,” but rather the fact that enterprises do not know exactly where the personal data resides, who has access to it, and how it is processed. Therefore, developing a personal Data Map is considered the optimal solution for managing an enterprise’s personal data and ensuring compliance with personal data protection regulation.

1. Which enterprise systems usually contain personal data
Nowadays, personal data is no longer stored primarily in paper documents but resides within enterprise systems, software, or on third-party storage platforms. In most businesses, personal data is typically managed by the HR (Human Resources), Customer Relations (CRM), Accounting, and IT departments, among others, depending on the specific business operations and the operational structure of each enterprise. When establishing a personal data management system or preparing data assessment reports for clients, CDLAF usually starts by identifying the flow of personal data within each enterprise, which then serves as the basis for developing the data map. We have observed that personal data is predominantly held in the following systems:
Financial Systems
We refer to this generally as the Financial System, though each enterprise uses different software to manage and connect data for the purpose of corporate financial administration. Beyond accounting features like purchasing and inventory, these systems contain a vast array of personal data: for company personnel, bank account numbers, e-identification details, dependent information, and tax codes; for customers and suppliers, Citizen ID/Passport, tax code, contracts, digital signatures, communication history, etc. The challenge is that this personal data is not static; it moves across departments and is transferred externally, either through software systems or through manual sharing.
Human Resource Management (HRM) Systems
Currently, most enterprises utilize software and technology systems for HR management, covering both internal employees and client personnel (for businesses involved in labor leasing, employment services, or labor export activities). These systems and departments hold personal data, especially sensitive personal data: personnel files (Citizen ID/Passport, residency details, nationality, visa, qualifications), personal status (medical records, insurance, marital status, children), biometric data, salary/compensation details, disciplinary records, and employment contracts. A critical issue that all enterprises using HR systems must address is whether they have established a Data Processing Agreement and whether they know in which country the data is being stored.
Customer Relationship Management (CRM) Systems
CRM can be considered the system carrying the greatest data risk because it contains a massive volume of customer data, including sensitive data. Furthermore, this data is often transferred across multiple departments and accessed by numerous individuals. Typical sales and service systems store extensive information, such as: full name, phone number, email, and geographical location; interaction history, complaints, and purchasing preferences; user behavior data from websites, applications, chatbots, and social media.
Email and Internal Chat Systems
Systems such as Microsoft 365, Google Workspace, Slack, and Notion store a tremendous volume of personal data: contracts, CVs, salary information, passport photos, and client details. The majority of enterprises currently leave this data stored by default on international servers, unaware that this constitutes an act of cross-border data transfer.
2. The personal data map in enterprises and how to build it
A “Data Map” is a diagram that illustrates the flow of personal data within an enterprise. This includes how the data is created, stored, processed, and managed, specifying which individuals or departments have access, what procedures and conditions are required for processing and transferring the data, and which systems house each type of data. All these elements are visualized in a diagram that clearly shows the relationships between various data fields.
Once the personal data map is established, the enterprise can determine the appropriate management method for each type of data. This provides a foundation for establishing a privacy policy, an information security policy, and a basis for identifying necessary procedures, such as conducting cross-border data impact assessments. Furthermore, the personal data map helps business managers understand which data is being collected, whether it includes sensitive data, what the potential risks are, and the appropriate incident response measures for specific scenarios. In cases where personal data needs to be processed based on a data subject’s request or an authorized agency’s requirement, the enterprise can rely on the data map to quickly and accurately access, delete, or modify the individual’s data.
Steps to Build a Personal Data Map
To construct a personal data map, enterprises can follow these steps:
- Identify Sources of Personal Data Collection within the Enterprise: These sources may include company applications, utilized software systems, company online platforms, specific company departments, or third parties, among others.
- Classify Personal Data: After identifying the data sources, the enterprise extracts and classifies the personal data based on the data subject (e.g., customer, partner, supplier, etc.). This step involves identifying which data types fall into the sensitive data category, and detailing each type of personal data, such as email, phone number, bank account details, e-identification, etc.
- Determine Data Flow: This means the enterprise clearly understands the start and end points and all transfer milestones of the data. This clarity helps define the procedures the enterprise must follow and clarifies the role of third parties concerning personal data.
- Define the Purpose of Personal Data Collection and Use: The enterprise must clearly document each intended purpose for data usage. This allows the enterprise to legally control the use of data by its own personnel or third parties. It also serves as the basis for handling damage claims or imposing labor discipline in the event personal data is used for any reason that deviates from the initial purpose.
- Establish Data Storage Methods: Set clear policies regarding the retention period and deletion of data when it is no longer necessary, in order to comply with regulated data retention principles. This also serves as a basis for defining retention periods for certain data as required by specialized laws (e.g., tax, insurance, labor, etc.).
To begin, enterprises should view personal data mapping as a foundational project for the entire data governance system. When the Data Map is properly established, the enterprise not only meets compliance requirements but also builds a sustainable data governance framework—where every decision is based on understanding, transparency, and accountability.
Time of writing: October 15, 2025
