Design. Assess. Automate—Safely: Malaysia’s New PDPA Guidelines at a Glance
The Personal Data Protection Commissioner’s Office (“JPDP”) has issued three new non-binding guidelines under the Personal Data Protection Act 2010 (“PDPA”): Data Protection by Design, Data Protection Impact Assessment, and Automated Decision-Making and Profiling. Together, they advance Malaysia’s data protection framework from reactive compliance to proactive, risk-based governance aligned with global standards.
Data Protection by Design
The DPbD Guideline calls for embedding personal data protection throughout the data processing lifecycle, from design to decommissioning. It is structured around proactiveness, end-to-end protection, transparency, and user-centricity, applying these across the seven Personal Data Protection Principles. The Guideline is not mandatory, but it encourages a risk-based approach tailored to each organisation's processing activities.
Data Protection Impact Assessment
The DPIA Guideline provides guidance on identifying, assessing, and managing risks in personal data processing. A DPIA is required where processing is likely to result in high risk. That threshold is determined quantitatively (more than 20,000 data subjects, or 10,000 data subjects where sensitive personal data, including financial data, is involved) or qualitatively (potential legal or significant effects on the data subject; systematic monitoring of the data subject; use of innovative technologies; denial or restriction of the data subject's rights; tracking of the data subject's location or behaviour; targeting of children or vulnerable individuals; and automated decision-making and profiling that present a high risk to the data subject). The Guideline prescribes the five-step "DEICA" methodology (Describe, Evaluate, Identify, Consider, Assess) and requires that DPIAs be refreshed every two years.
Automated Decision-Making and Profiling
The ADMP Guideline addresses automated systems used in personal data processing, despite the PDPA not containing specific provisions on such activities. It applies where outcomes may have legal or significant effects on data subjects (e.g., financial, employment, or service access decisions). Compliance with the Notice and Choice Principle is required, preserving the data subject’s right to withdraw consent. Notably, AI must not be the sole factor in decisions concerning data subjects, and the use of ADMP itself triggers the requirement for a DPIA.
JPDP’s power to issue guidelines
The PDPA confers on JPDP functions that include issuing guidance. Each of the three documents—the DPbD, DPIA and ADMP Guidelines—expressly records that it is issued by JPDP pursuant to subsection 48(g) of PDPA. They supplement the Act and related subsidiary instruments and are not intended to override them or to be prescriptive.
Are the Guidelines binding or legally effective?
In short, no. The DPbD, DPIA and ADMP Guidelines are non‑binding instruments issued to provide guidance and promote good practice; they expressly state that they supplement and do not override the Act or subsidiary legislation. A failure to follow a Guideline does not, by itself, constitute an offence unless such non-compliance triggers a breach of the PDPA or subsidiary legislation.
Conclusion
Taken together, these guidelines form a cohesive framework reinforcing the obligations of data controllers and processors under the PDPA. The DPbD Guideline embeds privacy at the design stage, the DPIA Guideline ensures high-risk processing is rigorously assessed, and the ADMP Guideline addresses the particular challenges of automated technologies and AI.
If you have any questions or require any additional information, please contact Nadarashnaraj Sargunaraj or the partner you usually deal with in Zaid Ibrahim & Co. This alert was prepared with the assistance of Hana Wong Xin Yi, Associate in Zaid Ibrahim & Co.
This alert is for general information only and is not a substitute for legal advice.