Part 3: Data Protection by Design Guideline (“DPbD Guideline”)
Introduction
This article is the final part of our three-part series on the guidelines issued by the Malaysia Department of Personal Data Protection (“DPDP”) on 30 April 2026 pursuant to subsection 48(g) of the Personal Data Protection Act 2010 (“PDPA”).
In Part 1, we examined the Data Protection Impact Assessment Guideline (“DPIA Guideline”), while Part 2 focused on the Automated Decision-Making and Profiling Guideline (“ADMP Guideline”).
In this final article, we summarise the key requirements and practical implications of the DPbD Guideline.
What is the DPbD Guideline?
The DPbD Guideline sets out recommended best practices, applications and examples for integrating appropriate technical and organisational measures throughout the lifecycle of personal data processing activities to support compliance with the seven Personal Data Protection Principles under the PDPA.
To facilitate implementation, the DPbD Guideline provides a range of non-prescriptive and non-exhaustive concepts, applications and practical checklists for each of the Personal Data Protection Principles. Organisations are encouraged to adopt a risk-based approach and tailor these measures having regard to the nature, scope, context and purposes of their processing activities. The recommended measures are underpinned by the following four core DPbD elements:
- Proactiveness – anticipating and preventing risks before they occur, including designing systems that minimise the collection, use and retention of personal data and protect personal data by default;
- End-to-End Protection – ensuring protection of personal data throughout its entire lifecycle, including collection, processing, storage and disposal;
- Transparency – demonstrating accountability and being open about how personal data is processed and protected; and
- User-Centricity – recognising that personal data belongs to the data subject and designing systems, products and services around the interests and needs of the data subject.
The DPbD Guideline also provides that DPbD is about establishing a culture that adopts a principled and proactive approach to personal data management, which shall be applied across the organisation and reflected in its products, services, governance and operations. To this end, it shall involve the following:
- Clear commitment from senior management to set and enforce high standards.
- Fostering a culture where all stakeholders share a commitment to continuous improvement in data protection standards.
- Establishing processes to identify gaps in current designs and practices and to proactively and systematically address issues before they occur.
A comprehensive Data-Oriented and Process-Oriented Measures Checklist is included in Annex A of the DPbD Guideline, covering measures from predetermination and data minimisation to consent, notice, user control, breach management and third-party management.
Key Takeaways (DPbD Guideline)
Organisations should consider:
- embedding DPbD considerations into the design, development, procurement, implementation and decommissioning of systems, products and services involving personal data;
- adopting a risk-based approach and tailoring technical and organisational measures to the nature, scope, context and purposes of processing activities;
- fostering a culture of proactive personal data protection across all levels of the organisation;
- ensuring clear commitment and oversight from senior management; and
- reviewing existing policies, processes and governance arrangements to identify gaps and implement continuous improvements.
The DPbD Guideline highlights that personal data protection should not be treated as a standalone compliance exercise, but as an integral part of an organisation’s culture, operations and decision-making processes throughout the entire data lifecycle.
This alert is for general information purposes only and does not constitute legal advice. For further information, kindly contact us at general@wenlaw.co.