News Alert: Issuance of New Guidelines on Data Protection Impact Assessment, Data Protection by Design, and Automated Decision-Making and Profiling

The Personal Data Protection Department (“JPDP” or Jabatan Perlindungan Data Peribadi) has just released the second tranche of the Personal Data Protection Guidelines under the Personal Data Protection Act 2010 (“PDPA”), namely the: (i) Data Protection Impact Assessment Guideline; (ii) Data Protection by Design Guideline; and (iii) Automated Decision-Making and Profiling Guideline (collectively, the “Guidelines”) on Thursday, 30 April 2026.

The Guidelines seek to provide practical guidance on how organisations should comply with their obligations under the PDPA. Based on our preliminary understanding of the newly-issued Guidelines (with reference to drafts of the Guidelines set out in earlier public consultation papers), the key areas addressed under each of the Guidelines are summarised as follows:

  1. The Data Protection Impact Assessment (“DPIA”) Guideline: The DPIA Guideline sets out the requirements for data controllers to conduct DPIAs, including: (i) the circumstances in which a DPIA would be required (based on quantitative thresholds and qualitative risk factors); (ii) the methodology for conducting DPIAs; (iii) notification obligations to the Commissioner; and (iv) post-DPIA obligations. As such, organisations should consider reviewing their data-processing activities to identify processes where a DPIA may be required under this framework.
  2. The Data Protection by Design (“DPbD”) Guideline: The DPbD Guideline introduces the concept of DPbD, which requires organisations to incorporate appropriate technical and organisational measures into the lifecycle of a processing activity. The DPbD Guideline sets out: (i) foundational DPbD principles; (ii) practical guidance on implementing DPbD across each of the personal data protection principles under the PDPA; and (iii) specific requirements for the protection of children’s privacy. Accordingly, organisations should begin assessing whether data protection considerations are embedded into the design, operation, and lifecycle of their systems, processes, and products.
  3. The Automated Decision-Making and Profiling (“ADMP”) Guideline: The ADMP Guideline introduces the concepts of automated decision-making and profiling into the data protection framework, including: (i) proposed rights for data subjects (such as the right to refuse, the right to information, and the right to human review); (ii) exceptions to those rights; and (iii) specific provisions addressing the use of artificial intelligence (“AI”) and generative AI, biometric data, and closed-circuit television (CCTV). In light of this, organisations should consider reviewing their internal data-processing activities to identify any automated decision-making and profiling processes and assess their readiness for the ADMP Guideline.

Please note that the summaries above are based on the public consultation papers issued last year, and accordingly, the finalised content of the newly-issued Guidelines may differ from the above.

At this juncture, organisations may wish to begin familiarising themselves with the areas of focus under the Guidelines and start preparing for compliance. As the Guidelines have just been issued, we will be reviewing them in detail and we will issue a detailed update highlighting the key developments that may be relevant to organisations.

For further queries, please feel free to contact our team members set out on this page. 

Contribution Note

This Legal Update is contributed by the listed Contact Partners, with the assistance of Leslie Bong (Paralegal).

Please feel free to also contact Knowledge Management at RTApublications@rajahtann.com.

For regional Technology, Media and Telecommunications & Data Protection matters, please see Rajah & Tann Asia’s Regional Technology, Media & Telecommunications Practice and Regional Data & Digital Economy Practice for more information.


 

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
