Google Workspace Data Protection in Vietnam: Where Your Compliance Gaps Are Hiding

CompliScan Team · 6 min read

Google Workspace is the backbone of daily operations for thousands of Vietnamese companies. Drive stores contracts, Gmail carries negotiations, Sheets hold payroll data, and Docs contain policies. It works well for productivity — but it was never designed to be a compliance platform.

Under Vietnam's PDPL (Law 91/2025/QH15) and Decree 356, every piece of personal data in your workspace must be identified, classified, access-controlled, and documented. For most companies, Google Workspace is where the biggest gaps between actual practice and legal requirements exist.


Where Personal Data Hides in Google Workspace

The challenge is not that companies intentionally mishandle data. It is that Google Workspace makes it extremely easy to create, share, and forget about files containing personal information.

Google Drive

Drive is typically the largest source of compliance risk. Common findings include:

  • HR onboarding folders containing scanned CCCD/CMND cards, tax registration certificates, and bank account details — often shared with "Anyone in the organization" or even "Anyone with the link"
  • Payroll spreadsheets with employee names, national ID numbers, salary figures, and bank accounts stored in shared team drives without access restrictions
  • Contract PDFs with full personal details accessible to people who no longer need them

The problem is compounded by Drive's default sharing behavior. When someone creates a file in a shared drive, it inherits the drive's permissions — which may be far broader than appropriate for documents containing sensitive personal data.

Gmail

Email is the most common channel for informal data sharing. Vietnamese businesses routinely send:

  • Employee CCCD scans as attachments during onboarding
  • Tax codes and bank account numbers in plain text email bodies
  • Salary slips and benefits summaries to personal email addresses

Once sent, these emails sit in inboxes and sent folders indefinitely. They cannot be recalled, and they are rarely audited.

Google Sheets

Sheets are often used as informal databases. It is common to find:

  • Employee master lists with CCCD numbers, phone numbers, and home addresses
  • Client contact databases with personal identification data
  • Vendor lists with bank account and tax information

These sheets are frequently shared across departments with no access controls or data classification.

Google Docs

Policy documents, meeting notes, and internal memos may contain references to specific employees — including their personal data. These documents are rarely reviewed for PII after creation.


Why This Matters Under the PDPL

Vietnam's PDPL (Law 91/2025/QH15) and Decree 356 establish specific obligations for personal data processing:

Data minimization. You should only collect and retain personal data that is necessary for a specific, stated purpose. Spreadsheets containing CCCD numbers "just in case" violate this principle.

Access limitation. Personal data must be accessible only to people who need it for their defined role. A shared Drive folder accessible to the entire company does not meet this standard.

Data inventory and classification. You must know what personal data you hold, where it is, and who can access it. Most companies using Google Workspace cannot answer these questions accurately without a systematic scan.

Cross-border transfer controls. Google Workspace data is stored on Google's global infrastructure. Under the PDPL, this may constitute a cross-border data transfer requiring registration with the Ministry of Public Security and explicit consent from data subjects.

Audit trail. You must be able to demonstrate lawful processing. If personal data exists across hundreds of unversioned Drive files and email threads, constructing a compliant audit trail is extremely difficult.


Practical Steps to Improve Your Google Workspace Data Posture

1. Run a PII Discovery Scan

Before you can fix problems, you need to find them. A systematic scan of your Google Workspace identifies exactly which files contain Vietnamese PII (CCCD numbers, tax codes, phone numbers, bank accounts), who has access, and what the sharing settings are.

2. Review and Restrict Sharing Permissions

After identifying sensitive files, tighten sharing:

  • Remove "Anyone with the link" access from files containing personal data
  • Restrict shared drives containing HR or payroll data to specific groups
  • Disable download and copy permissions for sensitive documents
  • Review external sharing policies in the Google Admin console

3. Implement Data Classification

Establish a simple classification system — even if it is just "Contains PII" and "Does not contain PII" — and apply it to Drive folders. Google Workspace labels can help, though they require Business Standard or higher.

4. Enable Data Loss Prevention (DLP)

Google Workspace offers built-in DLP rules that can detect and flag sensitive data patterns in Drive and Gmail. Configure rules for Vietnamese PII patterns: 12-digit numbers (CCCD), Vietnamese phone formats, and tax code patterns. DLP will not catch everything, but it adds a layer of automated protection.

5. Establish a Retention Policy

Determine how long personal data should be retained and configure Drive and Gmail retention policies accordingly. Delete files that are no longer needed for a legitimate business purpose.

6. Train Your Team

Technical controls are necessary but not sufficient. Staff need to understand that emailing CCCD scans or sharing payroll spreadsheets via link creates compliance exposure. Brief, practical training — focused on what not to share and how — goes further than abstract policy documents.
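Steps 1, 2 and 4 above, sketched as an added example that is not CompliScan's scanner or Google's DLP engine: it matches the 12-digit CCCD pattern named in the article plus assumed phone and tax-code shapes, masks each hit, and ranks files by their Drive API v3 sharing type. The severity ranking, the `LABELS` mapping and all sample files are assumptions constructed for illustration.

```python
import re

# Only the 12-digit CCCD shape comes from the article. Assumed shapes: mobiles as
# 0 or +84 then 9 digits starting 3/5/7/8/9; tax codes as 10 digits with an
# optional -NNN branch suffix. Bank accounts have no single format and are left out.
PATTERNS = {
    "cccd": re.compile(r"(?<!\d)\d{12}(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\+84|0)[35789]\d{8}(?!\d)"),
    "tax_code": re.compile(r"(?<!\d)\d{10}(?:-\d{3})?(?!\d)"),
}
# Drive API v3 permission "type" values mapped to the article's sharing terms.
LABELS = {"anyone": "anyone_with_link", "domain": "anyone_in_organization"}

def mask(value):
    """Keep only the last three characters so the report does not copy the PII."""
    return "*" * (len(value) - 3) + value[-3:]

def find_pii(text):
    """Return sorted (kind, masked_value) pairs; one value may fit two kinds."""
    hits = {(k, mask(m.group())) for k, rx in PATTERNS.items() for m in rx.finditer(text)}
    return sorted(hits)

def sharing_exposure(permissions):
    """Return the broad-sharing labels present in a file's permission list."""
    return sorted({LABELS[p["type"]] for p in permissions if p.get("type") in LABELS})

def triage(files):
    """Assumed ranking: PII + link sharing = high, PII + org-wide = medium, else low."""
    report = []
    for f in files:
        pii, exposure = find_pii(f["text"]), sharing_exposure(f["permissions"])
        if pii:
            severity = "high" if "anyone_with_link" in exposure else "medium" if exposure else "low"
            report.append({"name": f["name"], "severity": severity,
                           "kinds": sorted({k for k, _ in pii}), "exposure": exposure})
    return sorted(report, key=lambda r: ("high", "medium", "low").index(r["severity"]))

# Constructed inventory (made-up names and numbers): extracted text plus permissions.
SAMPLE_FILES = [
    {"name": "payroll-2025.xlsx", "text": "Nguyen Van A, CCCD 001099012345, MST 8123456789-001",
     "permissions": [{"type": "domain", "role": "reader"}]},
    {"name": "onboarding-notes.docx", "text": "Call 0912345678 to confirm start date",
     "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "team-lunch.docx", "text": "Order 12 banh mi for Friday",
     "permissions": [{"type": "anyone", "role": "reader"}]},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_FILES), sep="\n")
```

The 10-digit number in the onboarding note fits both the phone and the tax-code shape, so it is reported under both kinds; pattern hits like this need review before they are counted as findings.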


The Cross-Border Question

Every company using Google Workspace should consider whether their data storage constitutes a cross-border transfer under the PDPL. Google stores data across its global infrastructure, and unless you have configured data region policies (available on Enterprise plans), your Vietnamese employees' personal data may reside on servers outside Vietnam.

If it does, you may need to complete a Cross-border Transfer Impact Assessment and register with the Ministry of Public Security under Decree 356. This is an area where many companies have significant unrecognized exposure.


Start With Visibility

You cannot fix what you cannot see. The first step toward Google Workspace compliance is understanding what personal data exists in your environment, where it is, and who can access it.

CompliScan performs read-only Google Workspace compliance scans that identify Vietnamese PII across Drive, Gmail, Sheets, and Docs. We deliver a detailed risk report with findings, severity ratings, and a prioritized remediation plan — all within 48 hours. Request your free risk assessment →


This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your company's situation.