Insider Risk & DLP · May 2026 · 10 min read

SearchInform DLP in Vietnam: a 90-day playbook for Law 91/2025 compliance

How to roll out FileAuditor, DLP and Risk Monitor in 90 days — mapped clause-by-clause to Law 91/2025/QH15, Decree 356/2025, the 116/2025 Cybersecurity Law and TCVN ISO/IEC 27002.

Vietnam's Personal Data Protection Law 91/2025/QH15, Decree 356/2025 and the 116/2025 Cybersecurity Law are now in force. Real fines, a 72-hour breach-notification window and mandatory data classification push every Vietnamese enterprise — not just banks — to upgrade internal data controls. This is the pragmatic 90-day playbook for rolling out SearchInform.

1. Compliance map — clause to capability

How the SearchInform suite lines up with the Vietnamese framework:

  • Article 3 (Principles) & Article 7 (Prohibited acts) — Law 91/2025: FileAuditor (DCAP) discovers and classifies personal data; DLP blocks unauthorised exfiltration channels.
  • Article 18 — Data storage: FileAuditor scans cloud and on-prem stores, labels content and audits role-based access.
  • Article 23 — 72-hour breach notice: Risk Monitor logs file activity and ships incident-report templates with data type, record count and timestamp — ready for the supervisory authority.
  • Law 60/2024 Art. 13 — Data classification: FileAuditor classification scheme configurable per sector.
  • Cybersecurity Law 116/2025 Art. 26 — Data safety: Context-aware access control, continuous monitoring, leak prevention and reporting — all on one platform.
  • TCVN ISO/IEC 27002 8.2 / 9.2 / 12.4: Information classification, user access management and event logging out of the box.

2. The 90-day playbook

Weeks 1–2 · Discovery

Deploy FileAuditor in read-only mode on file servers, SharePoint/M365 and sample endpoints. Goal: map where personal data actually lives before writing policies. Most Vietnamese enterprises discover 30–50% of PII sitting in the wrong location.

Weeks 3–4 · Classification & shadow copy

Turn on automatic classification (national ID, card numbers, account numbers, medical records) and shadow copies for tier-1 data. This is the precondition for the recoverability obligation in Article 18.

Weeks 5–8 · DLP in learn mode

Run DLP in monitor mode (no blocking yet) across USB, print, corporate email, webmail, Telegram and cloud sync. Tune policies against real behaviour — false positives are how teams learn to ignore alerts.
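An added illustration of the tuning problem in the classification and learn-mode steps above (example code, not SearchInform's own logic or configuration): a pattern-only detector next to one that validates card numbers with the Luhn checksum and requires a nearby keyword for ID numbers. The 12-digit ID shape, the context keywords and the sample lines are assumptions constructed for this example.

```python
import re

# Candidate shapes. The 12-digit ID pattern and the context keywords are
# assumptions of this example; confirm the formats your data actually uses.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
ID_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")
ID_CONTEXT = re.compile(r"cccd|cmnd|căn cước|citizen id|national id", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the monitoring log holds no PII."""
    return "*" * (len(value) - 4) + value[-4:]

def naive_hits(text: str) -> int:
    """Pattern-only matching: every digit run of the right length alerts."""
    return len(CARD_RE.findall(text)) + len(ID_RE.findall(text))

def classify(text: str) -> list[tuple[str, str]]:
    """Validated matching: (label, masked value) findings to log, not block."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", mask(digits)))
    for m in ID_RE.finditer(text):
        window = text[max(0, m.start() - 40):m.start()]
        if ID_CONTEXT.search(window):  # keyword must precede the number
            findings.append(("national_id", mask(m.group())))
    return findings

# Constructed sample lines, not real data.
SAMPLES = [
    "Customer CCCD: 001099012345 attached to ticket",
    "Shipment tracking 880012345678 dispatched",
    "Card 4111 1111 1111 1111 exp 12/30",
    "Invoice 2026051500012345 paid in full",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(naive_hits(line), classify(line), "|", line)
```

On these four lines the pattern-only count alerts on every line, while the validated classifier keeps two findings; the tracking and invoice numbers are the kind of noise to tune out before enforcement.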

Weeks 9–10 · Selective enforcement

Turn on blocking for the 3–5 highest-ROI policies (e.g. national ID to USB, customer-financial data to webmail). Auto-encrypt USB writes for staff with a legitimate business need.

Weeks 11–12 · Risk Monitor + process

Switch on UEBA and the incident workflow. Wire it into your 72-hour notification process: who triages, who classifies severity, who files with the supervisor. Run a tabletop once — this is the step most teams skip.

3. Lessons from regional deployments

  • Start with discovery, not policy. Policies written from assumptions never match reality.
  • Tell users why an action was blocked. "Why" messaging cuts internal complaints by 60%.
  • Don't collect telemetry you won't act on. Unowned alerts are just technical debt.

Conclusion

Compliance with Law 91/2025 is not a one-off project. It is the ability to see your own data in real time — and prove it to the regulator. SearchInform is the platform. DigiWorkHub has been the authorized Vietnam partner since 05/2026, working with customers from discovery through 24/7 operations.
