Launch of Personal Data Protection Guideline for Data Protection Impact Assessment

Introduction

Further to our previous News Alert on the release of the second tranche of the Personal Data Protection Guidelines under the Personal Data Protection Act 2010 (“PDPA“) by the Personal Data Protection Department (JPDP or Jabatan Perlindungan Data Peribadi), accessible here, this Update provides an overview of the key guidance under the Data Protection Impact Assessment (“DPIA“) Guideline.

By way of background, the PDPA requires data controllers and data processors to appoint one or more Data Protection Officers (“DPOs“) to oversee their compliance with the PDPA, whose core responsibilities include supporting and advising on the carrying out of a DPIA.

The DPIA Guideline describes a DPIA as an assessment of the impact of a planned processing operation on personal data protection. It involves identifying, assessing, and managing personal data protection risks based on the organisation’s functions, requirements and processes. Its aim is to assist organisations in ascertaining the risks associated with a processing operation.

Duty to Carry out a DPIA

The obligation to carry out a DPIA rests with the data controller, with the senior management of the data controller bearing ultimate responsibility for the DPIA and any resulting decisions. Nevertheless, where a data processor is involved in the processing operation, the data processor is expected to provide all reasonable and necessary assistance to the data controller in carrying out the DPIA. This expectation should be reinforced by the data controller through clear contractual clauses or other appropriate mechanisms.

Although supporting the carrying out of a DPIA is one of the DPO’s core responsibilities, the DPO may not necessarily be the individual leading the carrying out of a DPIA. Instead, the “DPIA Lead” is the key person responsible for planning and executing the DPIA. The DPIA Lead may be the DPO, the project manager or any other personnel deemed appropriate by the data controller.

When conducting a DPIA, the data controller should involve all relevant stakeholders from the various functions of the organisation connected with the processing operation, including the data processor, where applicable.

When to Carry out a DPIA

A DPIA shall be carried out by a data controller where the data controller foresees that a processing operation is likely to result in a high risk to the protection of a data subject’s personal data. In assessing whether a DPIA is required, the data controller should adopt a two-tier approach:

Tier 1: Quantitative Threshold
Assessment threshold: A DPIA shall be carried out where the Quantitative Threshold is met.
When the threshold is met: The Quantitative Threshold is met if (i) the processing of personal data is expected to involve more than 20,000 data subjects; or (ii) processing of sensitive personal data, including financial data, is expected to involve more than 10,000 data subjects.

Tier 2: Qualitative Threshold
Assessment threshold: If the Quantitative Threshold is not met, the DPO shall exercise their best judgment in considering the relevant Qualitative Factors to determine whether a DPIA is required.
When the threshold is met: When deciding whether a processing activity meets the Qualitative Threshold, the DPO is required to consider factors that are likely to result in a high risk to the protection of a data subject’s personal data, such as:

  • potential legal or significant effects on the data subject (e.g. noticeable impact on the data subject's legal status or rights, financial status, health, reputation, access to services or other economic or social opportunities);

  • systematic monitoring of the data subject;

  • use of innovative technologies, namely technologies that involve a new or significantly improved product (goods or services), a new process, a new marketing method, a new organisational method in business practices, or a new workplace organisation or external relations;

  • denial or restriction of rights of the data subject;

  • tracking of the data subject's location or behaviour;

  • targeting of children or vulnerable individuals; and

  • Automated Decision-Making and Profiling (ADMP) that pose a high risk to the data subject
(collectively, the "Qualitative Factors").

In considering the Qualitative Factors, the DPO should exercise their best judgment, including by taking into account factors not expressly listed above, to determine whether a processing operation is likely to result in a high risk to the protection of a data subject's personal data.

Where it is not clear whether a DPIA is required, it is prudent for the data controller to carry out a DPIA nonetheless as a matter of best practice.

How to Carry out a DPIA

A data controller is expected to adopt a five-step approach, known as “DEICA” – Describe, Evaluate, Identify, Consider and Assess – to analyse a processing operation in terms of its purposes, specific risks and the measures to be taken. The table below summarises the key actions under DEICA.

Step 1: Describe
Describe the processing operation, including the extent of personal data involved, the data flow and the purposes of the processing.
Key actions: The "Describe" step requires the data controller to describe the processing by reference to the following aspects:

  • Nature: what is planned with the personal data (e.g. how the personal data will be collected, stored, used, accessed and disclosed with relevant parties);

  • Scope: what the processing covers (e.g. the volume and variety of the personal data, the extent, frequency and duration of the processing, the number of data subjects involved, the geographical area covered and whether there is cross border transfer);

  • Context: the wider circumstances that may affect expectations and impact (e.g. the nature of the relationship with the data subject and any current issues of public concern); and

  • Purposes: the reasons why the organisation wishes to process the personal data, including the intended outcome for the data subject and the expected benefits for the organisation.
Step 2: Evaluate
Evaluate the compliance, necessity, and proportionality of the processing operation in relation to its purposes.
Key actions: The "Evaluate" step may involve considering:

  • whether the organisation's plans actually help to achieve the intended purposes; and

  • whether there is any other reasonable way to achieve the same result without the proposed processing, or with a lesser extent of processing (e.g. whether a cross border transfer is necessary in the processing operation to achieve the intended purposes).
Step 3: Identify
Identify and analyse the specific risks to the protection of the data subject's personal data.
Key actions: The "Identify" step may take into account the risk of breaching any personal data protection principles or other requirements under the PDPA, as well as the potential impact on the data subject and any harm that may arise from the processing. Examples of such risks include:

  • security risks (including sources of risk and the potential impact for each type of breach);
  • inability to exercise data subject's rights;
  • loss of control over the use of personal data;
  • identity theft or fraud;
  • financial loss;
  • physical harm;
  • loss of confidentiality; and
  • inadequate privacy and data protection laws in the country to which the personal data is transferred.
In analysing the specific risks identified, the likelihood of the harm occurring and the impact of such harm on the data subject should be considered. The DPIA Guideline provides for the use of a "3 x 3 Risk Matrix" for this purpose, under which the risk score is calculated by multiplying the likelihood score by the impact score.

Based on the resulting risk score, the risk may be classified as low, medium or high, with corresponding actions ranging from monitoring the risk through existing controls, to implementing additional mitigation measures, or robust risk treatment measures where the risk is high.
Step 4: Consider
Consider the measures to be taken to address the specific risks identified and to safeguard the protection of personal data.
Key actions: The "Consider" step may involve measures such as:

  • not collecting certain types of personal data;
  • reducing the frequency of processing or shortening retention periods;
  • implementing additional security measures;
  • anonymising or pseudonymising certain personal data;
  • using a different technology;
  • incorporating additional contractual safeguards with third parties involved in the processing; and
  • conducting a Transfer Impact Assessment (TIA) to determine whether the transfer is permitted under the PDPA and/or whether the receiving country has adequate data protection and privacy laws.
Step 5: Assess
Assess the overall residual risk level of the processing operation, such as whether it is high, medium or low.
Key actions: The "Assess" step may involve considering the risk level assigned to each specific risk identified, together with the proposed measures to address those risks, in order to determine the overall residual risk level of the processing operation.
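The two-tier trigger test and the "3 x 3 Risk Matrix" described above, written out as a small worked example. This is added illustration code, not tooling from the DPIA Guideline or JPDP; the 20,000 and 10,000 figures and the Qualitative Factors come from the Guideline, whereas the low/medium/high score bands and the treatment of the overall residual level as the highest residual score are assumptions, since the Guideline text summarised here does not state them.

```python
"""Illustrative DPIA trigger test and 3 x 3 risk matrix (added example, not JPDP code)."""
from dataclasses import dataclass, field

# Quantitative Threshold figures as stated in the DPIA Guideline.
PERSONAL_DATA_THRESHOLD = 20_000     # more than this many data subjects
SENSITIVE_DATA_THRESHOLD = 10_000    # sensitive personal data, incl. financial data

# Qualitative Factors expressly listed in the Guideline; the DPO may add others.
LISTED_QUALITATIVE_FACTORS = {
    "legal_or_significant_effects", "systematic_monitoring", "innovative_technology",
    "denial_or_restriction_of_rights", "location_or_behaviour_tracking",
    "children_or_vulnerable_individuals", "high_risk_admp",
}

@dataclass
class ProcessingOperation:
    data_subjects: int
    sensitive: bool = False                       # sensitive personal data involved
    qualitative_factors: set = field(default_factory=set)  # factors the DPO judges present

def dpia_required(op: ProcessingOperation) -> tuple:
    """Tier 1 (Quantitative Threshold) first; Tier 2 (Qualitative Factors) only if not met."""
    if op.sensitive and op.data_subjects > SENSITIVE_DATA_THRESHOLD:
        return True, "tier 1: sensitive personal data, more than 10,000 data subjects"
    if op.data_subjects > PERSONAL_DATA_THRESHOLD:
        return True, "tier 1: more than 20,000 data subjects"
    if op.qualitative_factors:
        # Factors outside the Guideline's list still count: the DPO's judgment governs.
        other = sorted(op.qualitative_factors - LISTED_QUALITATIVE_FACTORS)
        note = f" (DPO-identified, not expressly listed: {other})" if other else ""
        return True, "tier 2: " + ", ".join(sorted(op.qualitative_factors)) + note
    return False, "neither threshold met (a DPIA remains prudent where unclear)"

def risk_score(likelihood: int, impact: int) -> int:
    """3 x 3 Risk Matrix: each axis scored 1..3, risk score = likelihood x impact."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must each be 1, 2 or 3")
    return likelihood * impact

def risk_level(score: int) -> str:
    """Assumed bands (not stated in the Guideline): 1-2 low, 3-4 medium, 6-9 high."""
    if score <= 2:
        return "low"
    return "medium" if score <= 4 else "high"

def overall_residual_level(residual_scores) -> str:
    """Assess step: assumption that the operation's residual level is its worst residual risk."""
    return risk_level(max(residual_scores))
```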

What to do After a DPIA

Upon completion of the DPIA, where the overall residual risk level is assessed as “high”, the findings should be reported to the organisation’s senior management. The senior management should then consider the DPIA findings and provide input on the processing operation. This may include: (i) accepting the overall residual risk level arising from the processing operation; (ii) deciding on any additional mitigation measures to manage the risks; and (iii) allocating appropriate resources to implement the risk mitigation measures.

Once a decision has been made to proceed with the processing operation, the identified risk mitigation measures should be implemented accordingly to address and manage the specific risks identified in the DPIA. In this regard, the DPIA Lead is the key person responsible for overseeing the implementation of the risk mitigation measures. However, ultimate responsibility for implementing the risk mitigation measures rests with the senior management of the data controller.

Validity of a DPIA

A completed DPIA is valid for two years from its date of completion. Upon expiry of this period, a refreshed DPIA should be carried out. Notwithstanding the validity period, and throughout the duration of the processing operation, the DPIA Lead should monitor any developments that may affect the processing operation, the risks identified or the risk mitigation measures adopted.

Record-keeping

All relevant DPIA documentation should be properly maintained for at least two years from the cessation of the processing operation. For example, if the processing operation lasts for five years, the DPIA and its relevant records should be retained for a further two years from the cessation of the processing operation. Accordingly, the record-keeping period in that scenario would be at least seven years.

Comment

The DPIA Guideline represents a significant development in Malaysia’s personal data protection framework, introducing a structured and risk-based approach to assessing processing activities that may pose heightened risks to data subjects. In particular, the two-tier assessment framework provides organisations with clearer parameters for determining when a DPIA is required, while preserving an element of judgment where the Quantitative Threshold is not met but the nature of the processing may nevertheless give rise to higher risks.

The DPIA Guideline also places ultimate responsibility for the DPIA and any resulting decisions on the senior management of the data controller. Organisations should therefore ensure that DPIA outcomes are properly escalated to senior management, particularly where the overall residual risk is assessed as high.

Organisations should also review their contractual arrangements with data processors. Although the primary obligation to carry out a DPIA rests with the data controller, the DPIA Guideline expects data processors involved in the processing operation to provide reasonable and necessary assistance. Data controllers should therefore ensure that their data processing agreements expressly require processors to provide relevant information, cooperate in risk assessments, and assist with any documentation or mitigation measures required for the DPIA process.

In light of the two-year validity period of a completed DPIA and the applicable record-keeping requirements, organisations should not view DPIAs as a one-off exercise. Instead, DPIAs should be reviewed whenever there are material changes to the processing operation, the technology used, or the categories of personal data processed. This is particularly important for organisations operating in fast-moving digital environments, where processing activities may evolve significantly over time.

We trust the above provides a helpful overview of the key guidance and requirements under the DPIA Guideline. Should you require any assistance or clarification regarding the above or any other matter relating to personal data protection, please feel free to get in touch with us at your convenience.

Further Information

For more information on the other two Guidelines issued concurrently with the DPIA Guideline, please click on the following links to read our Legal Updates:

For regional Technology, Media and Telecommunications & Data Protection matters, please see Rajah & Tann Asia’s Regional Technology, Media & Telecommunications Practice and Regional Data & Digital Economy Practice for more information.

Contribution Note

This Legal Update is contributed by the listed Contact Partners, with the assistance of Paralegal Leslie Bong.

Please feel free to also contact Knowledge Management at RTApublications@rajahtann.com.

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
