PART 1
Introduction
The Malaysia Department of Personal Data Protection (“DPDP”) has issued three long-awaited guidelines on 30 April 2026, namely:
- the Data Protection Impact Assessment Guideline;
- the Automated Decision-Making and Profiling Guideline; and
- the Data Protection by Design Guideline,
(collectively, the “Guidelines”).
The issuance of these Guidelines marks another significant milestone in the continued implementation of the Personal Data Protection (Amendment) Act 2024 and follows the introduction of the mandatory Data Protection Officer (“DPO”) framework, mandatory data breach notification requirements and the Cross-Border Personal Data Transfer Guideline. Together, these developments signal a shift towards a more structured, risk-based and accountability-driven personal data protection regime in Malaysia.
The Guidelines were issued by the Personal Data Protection Commissioner (“Commissioner”) pursuant to subsection 48(g) of the Personal Data Protection Act 2010 (“PDPA”) and supplement the PDPA and other relevant legislative instruments issued under it.
Given the breadth of these Guidelines, we will be publishing this write-up as a three-part series, with each article focusing on one Guideline. This approach aims to provide a more focused and reader-friendly overview of the key requirements, practical implications and recommended actions for organisations seeking to strengthen their personal data protection compliance framework.
The three articles in this series will cover:
Part 1: Data Protection Impact Assessment Guideline (“DPIA Guideline”)
Part 2: Automated Decision-Making and Profiling Guideline (“ADMP Guideline”)
Part 3: Data Protection by Design Guideline (“DPbD Guideline”)
In this article, we summarise the key requirements and practical implications of the DPIA Guideline.
Part 1: Data Protection Impact Assessment Guideline (“DPIA Guideline”)
What is a Data Protection Impact Assessment (“DPIA”)?
A DPIA is an assessment of the impact of a planned processing operation on personal data protection. It involves identifying, assessing and managing personal data protection risks based on the organisation’s functions, requirements and processes. In essence, a DPIA is a process designed to analyse and mitigate personal data protection risks.
Why carry out a DPIA?
Carrying out a DPIA may assist organisations to:
- identify and evaluate risks associated with a processing operation, taking into account the purpose and nature of the processing;
- identify personal data protection risks at an early stage;
- determine and implement appropriate preventive and mitigative measures to manage such risks;
- ensure compliance with the PDPA;
- enhance organisational accountability and transparency in relation to personal data processing activities; and
- strengthen public confidence and trust in the organisation’s handling of personal data.
Who is responsible for carrying out a DPIA?
The obligation to carry out a DPIA rests on the data controller. Importantly, the ultimate responsibility for carrying out the DPIA and any resulting decisions rests with the senior management of the data controller.
While the DPO has a responsibility to support the carrying out of DPIAs, the DPIA Guideline recognises that the exercise may be led by a designated DPIA Lead, who may be the DPO, project manager or other appropriate personnel (“DPIA Lead”). The DPIA Lead is responsible for planning, executing and overseeing the DPIA, including consulting all relevant stakeholders (IT, legal, data processors, third parties, etc.).
When to carry out a DPIA?
The DPIA Guideline introduces a two-tier assessment framework comprising quantitative thresholds and qualitative factors.
Quantitative thresholds
A DPIA must be carried out where planned processing of personal data is expected to involve:
- more than 20,000 data subjects; or
- sensitive personal data (including financial information data) involving more than 10,000 data subjects.
Qualitative factors
Where the quantitative thresholds are not met, the DPO is required to exercise best judgment in assessing whether the planned processing is likely to result in a high risk to the protection of personal data. In determining whether a processing operation is likely to result in such high risk, the DPIA Guideline identifies a number of non-exhaustive factors for consideration, including whether the processing operation:
- may produce legal effects or similarly significant effects on the data subject, such as a noticeable impact on the data subject’s legal status or rights, financial status, health, reputation, access to services, or other economic or social opportunities;
- involves systematic monitoring of data subjects;
- uses innovative technologies, including technologies involving a new or significantly improved product, good or service, a new process, a new marketing method, a new organisational method in business practices, or a new workplace organisation, external relations or business arrangement;
- involves the denial or restriction of the rights of data subjects;
- involves the tracking of the location or behaviour of data subjects;
- targets children or vulnerable individuals; or
- involves automated decision-making and profiling that may pose a high risk to data subjects.
Notably, the DPIA Guideline expressly states that where it is unclear whether a DPIA is required, it would be prudent for a data controller to carry out a DPIA as a matter of best practice.
How to carry out a DPIA?
The DPIA Guideline adopts a five-step methodology known as DEICA:
D – Describe the processing operation;
E – Evaluate compliance, necessity and proportionality;
I – Identify risks to personal data protection;
C – Consider mitigation measures; and
A – Assess residual risks.
Post-DPIA obligations
Once a DPIA has been completed, organisations should:
- Report to senior management for input on whether and how to proceed with the processing operation regardless of the risk level.
- Implement the identified risk mitigation measures.
- Carry out a refreshed DPIA when the two-year validity period expires.
- Keep the relevant records for at least two years from the cessation of the processing operation, which shall be made available for inspection upon the Commissioner’s request.
A DPIA template (Annex A to the DPIA Guideline) and a flowchart (Annex B to the DPIA Guideline) are included in the DPIA Guideline for reference, though organisations may adapt them or develop their own templates.
Key Takeaways (DPIA Guideline)
Organisations should consider:
- assessing whether any existing or proposed processing activities meet the quantitative thresholds or qualitative factors that trigger the requirement to carry out a DPIA;
- establishing or reviewing internal DPIA procedures, templates and record-keeping processes to support ongoing compliance with the DPIA Guideline;
- identifying and assigning appropriate roles and responsibilities, including those of senior management, the DPO and the DPIA Lead;
- implementing processes to monitor changes to processing activities and carrying out refreshed DPIAs where necessary; and
- maintaining adequate records and ensuring they are available for inspection upon the Commissioner’s request.
The DPIA Guideline reinforces the importance of adopting a proactive and risk-based approach to personal data protection. Organisations should review their existing governance frameworks and integrate DPIA processes into their operational and decision-making activities to strengthen accountability and ensure compliance with evolving regulatory expectations.
This alert is for general information purposes only and does not constitute legal advice. For further information, kindly contact us at general@wenlaw.co.