1.1. Definition
Data encryption refers to the application of encryption methods and algorithms or technical measures to convert data from a recognizable format to an unrecognizable format. (Art. 3.16 Data Law 2024)
1.2. Well-known Types
Symmetric Encryption: Uses the same key for both encryption and decryption. The most widely deployed standard is the Advanced Encryption Standard (AES).
Advantage: Fast and efficient, suitable for processing large volumes of data.
Disadvantage: The key must be delivered secretly to every party that needs it, so key distribution and key storage become the main security risk.
Asymmetric Encryption: Uses a key pair. Anyone may encrypt with the public key, but only the holder of the matching private key can decrypt. A common example is the Rivest–Shamir–Adleman (RSA) algorithm, widely used to protect sensitive data over insecure networks, typically by encrypting a symmetric key rather than the data itself.
Advantage: No secret needs to be shared in advance; the public key can be published without exposing the private key.
Disadvantage: Far slower and more resource-intensive than symmetric encryption, so it is unsuitable for encrypting large data volumes directly.
One-way Encryption: Hashing uses a hash function to convert input data of any length into a fixed-length output (hash value). Strictly speaking it is not encryption, because there is no key and the process is not meant to be reversed. It is widely used to verify the integrity of information; combined with a key (an HMAC) or a digital signature it also verifies authenticity.
Advantage: Fast, efficient, and irreversible, so data integrity can be checked without exposing the original data.
Disadvantage: Vulnerable to collision or brute-force attacks if weak algorithms (such as MD5 or SHA-1) or truncated hash values are used, and low-entropy inputs such as passwords can be recovered by guessing unless a salted, deliberately slow hash is used. Because hashing is irreversible, it cannot be used where the original data must be recovered.
1.3. The scope of application for encryption measures
Data in transit: ensuring data security when data is transferred between systems or elements of a system.
Data at rest: protecting data in databases, servers, and storage devices.
On digital devices: encrypting data on mobile devices, personal computers, etc.
(Article 11 Decree 165/2025/ND-CP)
2. Data Encryption in Privacy Management
Protection of privacy and prevention of data breaches: Encryption ensures that data cannot be read without the proper key. Even if encrypted data is stolen, it remains unintelligible to the attacker as long as the key is not compromised, which is why key management matters as much as the choice of algorithm.
Supports Compliance:
Art. 32.1.a of GDPR provides that encryption is one of the appropriate and secure technical measures that may be applied in the processing of personal data.
Many industries are subject to strict regulations regarding the protection of sensitive data. For example, the healthcare industry must adhere to the HIPAA while financial institutions must comply with the PCI DSS.
Art. 27 of Vietnam’s Data Law requires the adoption of “suitable technical measures” and encryption is one of the effective technical measures that businesses can apply to comply with Vietnamese data protection regulations.
Thus, by implementing data encryption, businesses can help meet these regulatory requirements and reduce the risk of fines or penalties for non-compliance.
3. Best practices for data encryption
Under GDPR, the PDPL and the Data Law, encryption is recognized as an appropriate technical measure for protecting personal data and other sensitive data. Building on this legal foundation, several best practices can be followed to strengthen privacy, security, and compliance.
Apply encryption based on data classification
Instead of encrypting all data indiscriminately, organizations should establish a data classification framework that distinguishes general, important, core, and sensitive data. Encryption should be prioritized for sensitive and high-risk categories. This targeted approach minimizes the impact of a breach and strengthens accountability, while avoiding unnecessary encryption effort so that cost and system performance stay under control, in line with global best practice.
Safeguard the privacy and security of data throughout its lifecycle
Encryption should be applied consistently throughout the data lifecycle, covering data at rest, data in transit and, where the technology allows, data in use. To remain effective, the algorithms, key lengths and key-management procedures must be reviewed regularly and updated when weaknesses are discovered, so that obsolete ciphers are retired before they are broken. This continuous approach keeps sensitive information protected against cyberattacks, interception, and unauthorized access for as long as the data exists.
Ensure that data encryption does not undermine business functionality, accessibility, or performance
Art. 22.3 of the Data Law and Art. 2.3 of the PDPL leave businesses free to choose suitable encryption methods. Accordingly, encryption strategies should be tailored to balance data protection with operational efficiency, avoiding disruptions to critical business functions or performance bottlenecks.
4. Conclusion
In today’s digital landscape, where data protection regulations are increasingly stringent, data encryption remains a cornerstone of information security. Implementing best practices not only ensures compliance but also strengthens organizational resilience against cyber threats.