After the enterprise has identified and presented the technical and organizational measures for personal data protection in Part 1 of the cross-border personal data transfer impact assessment (DPIA), the next step is to demonstrate that these measures operate effectively and are subject to continuous monitoring. This is typically shown through the application of personal data protection standards, together with periodic cybersecurity inspections and assessments of the entire personal data processing system. It is an essential requirement for ensuring that personal data transferred abroad remains protected on an ongoing basis, in proportion to the level of risk and the enterprise’s actual operational context.

1. Application of Personal Data Protection Standards
The enterprise shall record the standards it refers to and applies internally, for example the CAP (College of American Pathologists Accreditation Program) adopted as a personal data protection standard, or any other standards the enterprise may include in the dossier, such as:
Group of Security Governance – Personal Data Standards
- ISO/IEC 27701:2019: A standard specifically for a Personal Information Management System (PIMS), which supplements ISO 27001.
- ISO/IEC 27001:2022: Information Security Management System (ISMS) — the mandatory foundational framework for organizations that process data.
- NIST Privacy Framework: A privacy governance framework widely adopted by global corporations.
- GDPR – EU General Data Protection Regulation (if the enterprise is connected to the EU market or EU data subjects).
- CERT-In or SOC 2 for enterprises providing information technology or SaaS services.
Group of Technical and Cybersecurity Standards
- OWASP ASVS / OWASP Top 10: Standards for web application security.
- TLS 1.3, AES-256, FIPS 140-2: Standards for secure encryption and data transmission.
- ISO/IEC 27017 & 27018: Standards on data security and personal data protection in cloud computing.
Group of Sector-Specific Standards or Quality Accreditations
(Enterprises shall record these only if they are genuinely relevant to their business activities.)
Examples:
- CAP (College of American Pathologists Accreditation Program) for medical institutions and laboratories.
- HIPAA (Health Insurance Portability and Accountability Act) for services processing health data related to the U.S. market.
- PCI-DSS for payment-card data in e-commerce operations.
In the section describing the standards that the enterprise applies, the enterprise shall explain how such standards are implemented and applied to its personal data system, with a focus on two principal rules: the Privacy Rule and the Data Security Rule. In particular:
For the Privacy Rule, the enterprise shall address the following points:
- Access limitation;
- Identification of information requiring protection;
- Privacy notice (providing individuals with complete information on how their data is collected, stored, and shared);
- Confidentiality commitments from third parties: where personal data is shared with or accessed by partners, service providers, or any other third parties, the enterprise must require them to execute confidentiality commitments and personal data protection obligations. Such commitments must clearly stipulate the scope of data use, confidentiality responsibilities, mandatory information security measures, and the legal consequences of violations.
- Complaint-handling mechanism: The enterprise shall establish a mechanism for individuals to raise concerns or lodge complaints when they suspect that their privacy has been infringed.
For the Data Security Rule, the enterprise shall clearly analyze how it implements the following measures:
- Access control: The enterprise has established identity-authentication mechanisms and clearly defined access permissions for each function and role within the system. Each employee is granted only the minimum level of access necessary to perform their duties, and all access activities must be logged and continuously monitored to promptly detect any unauthorized or excessive access behavior.
- Data encryption: The enterprise has applied encryption to data during storage and transmission to prevent unauthorized access.
- Periodic risk assessment: The enterprise has established a periodic security-risk assessment process to identify, at an early stage, threats that may affect personal data. The assessment results are used to update and strengthen existing control measures, ensuring that the system maintains an appropriate level of security in line with actual risk levels.
- Incident response and breach notification: The enterprise has issued and is operating an incident-response procedure for personal-data-related events, including isolating and handling the incident, investigating its cause, restoring data, and implementing preventive lessons learned. In cases where a data breach affecting data subjects is detected, the enterprise has a mechanism for transparent and timely notification in accordance with current legal requirements.
- Security awareness training: The enterprise regularly organizes training sessions and internal reminders on information security and personal data-handling responsibilities for employees. Training content is categorized by role to ensure that each individual possesses sufficient awareness and necessary skills to mitigate risks arising from human factors.
- Data backup and recovery: The enterprise has implemented a periodic personal-data backup mechanism and established a recovery procedure in the event of an incident or disaster. The recovery plan is tested to ensure data integrity and availability, thereby supporting business continuity when risks occur.
2. Cybersecurity Inspection for Information Systems, Means, and Devices to Protect Personal Data
The enterprise shall clearly record the methods it uses to conduct cybersecurity inspections of the information systems, means, and devices covered by the plan, for the purpose of ensuring the safety of personal data when it is transferred across borders.
Implementation content: The enterprise has established mechanisms for periodic inspections and ad-hoc inspections of all information systems, means, and data-processing devices to promptly detect security vulnerabilities and implement remedial measures. At the same time, the enterprise regularly conducts penetration testing and cybersecurity risk assessments with the support of specialized tools or professional units to ensure that the system maintains a high level of security.
Inspection subjects: Security inspection and assessment activities are applied to all systems that process personal data, including but not limited to:
- Email systems: Gmail, Microsoft Outlook
- Identity and access management systems: Microsoft Active Directory
- Internal and cloud storage systems: Google Drive, OneDrive
- Server and database systems: MySQL on internal servers
- Data backup and recovery systems: storage on AWS S3 or Google Cloud Storage
- Internal network systems and remote-access connections: LAN, VPN
- Endpoint devices: computers, laptops, and phones used by employees for work
- External access interfaces: the enterprise’s website and applications
Frequency of implementation: The enterprise records that system-security inspections are conducted monthly or quarterly, depending on the risk level of each type of data, and ad-hoc or supplementary inspections are carried out when new systems are deployed, when upgrades or configuration changes occur, or when there are signs of attacks or suspected data breaches.
Purpose of the inspection activities:
- To ensure that personal data protection measures are operating effectively;
- To promptly update and strengthen security controls in line with the development of cybersecurity risks;
- To enhance the enterprise’s ability to prevent, detect, and respond to unauthorized access or cyberattacks.
The development of a Personal Data Protection Plan is not only intended to meet legal requirements in the dossier for the assessment of cross-border data transfers, but also serves as a statement of the enterprise’s risk-management capacity and commitment to the privacy of customers, employees, and partners. A well-prepared plan, supported by clear technical and organizational foundations, enables the enterprise to be more confident during the appraisal process while establishing a solid basis for safe, transparent, and sustainable cross-border data transfers in accordance with international standards.
Time of writing: 26/11/2025
This article contains general information for reference purposes only. If you wish to receive legal opinions on issues that need clarification, please contact our lawyers at info@cdlaf.vn.

For more information, see also:
- Guidelines for Drafting the Personal Data Protection Plan in the Cross-Border Personal Data Transfer Impact Assessment Dossier (Part 1)
