Public Consultation Papers on Data Protection Impact Assessment, Data Protection by Design & Automated Decision Making and Profiling Issued
24 March 2025
The Department of Personal Data Protection (“JPDP”) issued three public consultation papers (“PCP”) on 20 March 2025 to seek feedback from the public on the aspects to be addressed in the proposed guidelines on (i) data protection impact assessments (“DPIA”); (ii) data protection by design (“DPbD”); and (iii) automated decision making and profiling (“ADMP”).
The PCP (which are published in bilingual format with the Bahasa Malaysia version preceding the English language version) are as follows:
- PCP No. 1/2025: Data Protection Impact Assessment Guideline
To recap, the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) introduces the new Section 12A to the Personal Data Protection Act 2010 (“PDPA”) which mandates the appointment of a data protection officer (“DPO”). One of the responsibilities of the DPO is to provide support and advise on the implementation of DPIA. In this regard, the Personal Data Protection Commissioner (“Commissioner”) is developing a guideline to provide guidance on conducting a DPIA.
This PCP seeks to gather views and feedback from the public regarding aspects that should be addressed in the proposed guidelines, which include:
- Definition of DPIA;
- Applicability the DPIA requirement (i.e. whether both data controllers and data processors will be required to carry out DPIA);
- Manner and timeframe for conducting a DPIA;
- Notification to the Commissioner.
- PCP No. 2/2025: Data Protection by Design Guideline
Presently, there is no explicit requirement for data controllers and data processors to implement DPbD. However, while DPbD is not a concept that is currently expressly referenced in the PDPA, its principles are inherently reflected in the Personal Data Protection Principles (“PDP Principles”). To align Malaysia’s personal data protection framework with the global data protection regulatory landscape, the Commissioner is developing a guideline on DPbD to adopt a DPbD approach in complying with the PDP Principles.
This PCP seeks to gather public feedback regarding aspects that will be or should be included and addressed in the proposed guideline, which include:
- Definition of DPbD;
- Introduction of seven foundational principles of DPbD;
- Implementation of DPbD in accordance with the PDP Principles;
- Protection of children’s privacy.
- PCP No. 3/2025: Automated Decision Making and Profiling Guideline
Presently, the PDPA does not specifically address ADMP. As technology advances, more decisions are being automated through technology such as artificial intelligence (AI) and machine learning. Such systems and processes, which enable automated decision-making (including profiling), can have a significant impact on individuals’ lives.
The Commissioner is developing a guideline on ADMP to provide guidance on the introduction and implementation requirements for ADMP. As such, this PCP seeks to gather public view and feedback regarding aspects that will be or should be addressed in the proposed guideline, which include:
- Definition of “automated decision making” and “profiling”;
- Circumstances under which automated decision-making and/or profiling should be regulated;
- Data subject’s rights concerning automated decision making, including profiling;
- Circumstances where the automated decision making and profiling should be allowed;
- Use of personal data for AI training and output;
- Additional requirements for the processing of biometric data.
Interested parties and members of the public may submit their views and feedback on the PCP to JPDP via this
link by
19 May 2025.
For further information, please contact Jillian Chia (Head/Partner), Natalie Lim (Partner) and Charmayne Ong (Partner) of the Personal Data Protection Practice of Skrine.