Personal Data Protection Department issues Guidelines on DPIA, Automated Decision-Making and Profiling, and Data Protection by Design
04 May 2026
The Department of Personal Data Protection has issued three new guidelines, each dated 30 April 2026:
- the Data Protection Impact Assessment Guideline (“DPIA Guideline”);
- the Automated Decision-Making and Profiling Guideline (“ADMP Guideline”); and
- the Data Protection by Design Guideline (“DPbD Guideline”).
The Guidelines were issued by the Personal Data Protection Commissioner (“Commissioner”) pursuant to subsection 48(g) of the Personal Data Protection Act 2010 (“PDPA”) and supplement the PDPA and other relevant legislative instruments issued under it. Organisations should familiarise themselves with the key obligations and best practices set out in each Guideline, as summarised below.
The DPIA Guideline provides practical guidance on carrying out a Data Protection Impact Assessment (“DPIA”), which is an assessment of the impact of planned personal data processing operations on personal data protection.
Key points for organisations include:
- Data controllers are responsible for DPIAs. The obligation to carry out a DPIA rests with the data controller. Ultimate responsibility for carrying out the DPIA and for any resulting decisions rests with the senior management of the data controller. Data processors involved in the processing are expected to provide reasonable and necessary assistance, which should be addressed through clear contractual clauses or other appropriate methods.
- Two-Tier Threshold Test. Organisations must apply a two-tier approach to determine whether a DPIA is required:
  - Tier 1 – Quantitative Threshold: A DPIA is required where the processing involves: (a) more than 20,000 data subjects; or (b) sensitive personal data (including financial data) of more than 10,000 data subjects.
  - Tier 2 – Qualitative Factors: Where the quantitative thresholds are not met, the Data Protection Officer (“DPO”) is required to exercise best judgment to determine whether the processing is likely to result in high risk. Relevant qualitative factors include: (a) potential legal or significant effects on data subjects; (b) systematic monitoring; (c) use of innovative technologies; (d) denial or restriction of data subject rights; (e) tracking of data subjects’ location or behaviour; (f) targeting of children or other vulnerable individuals; and (g) automated decision-making and profiling (“ADMP”) that poses a high risk.
  In cases where it is unclear whether a DPIA is required, it is prudent for the data controller to carry out a DPIA as a best practice.
- The DEICA Framework. The Guideline prescribes a five-step DEICA methodology:
  - Describe the processing operation and purposes;
  - Evaluate compliance, necessity and proportionality;
  - Identify personal data protection risks;
  - Consider measures to address the risks; and
  - Assess the overall residual risk level.
A DPIA Template (Annex A) and flowchart (Annex B) are included in the Guideline for reference, though organisations may adapt them or develop their own templates.
- The DPO and the DPIA Lead. The DPO’s role is to support and advise on DPIAs. The DPIA may be led by the DPO, the project manager, or other personnel deemed appropriate by the data controller (“DPIA Lead”). The DPIA Lead is responsible for planning, executing and overseeing the DPIA, including consulting all relevant stakeholders (IT, legal, data processors, third parties, etc.).
- High residual risks must be reported to senior management. Where the overall residual risk is assessed as “High”, the findings must be reported to senior management. That said, all risk levels should generally be reported to senior management regardless of the rating, so that senior management is fully informed of all identified risks. Risk mitigation measures identified in the DPIA must be implemented before the processing commences.
- DPIAs must be refreshed and retained. A completed DPIA is valid for two (2) years from completion and must then be refreshed. DPIA records must be kept for at least two (2) years from cessation of the relevant processing operation and made available to the Commissioner upon request.
The ADMP Guideline provides guidance on the implementation of automated decision-making (“ADM”) and profiling in the context of personal data processing. While the PDPA does not currently contain specific provisions on ADMP, all processing activities involving ADMP must comply with the PDPA, in particular the Personal Data Protection Principles (“PDP Principles”).
Key points for organisations include:
- Identify whether they carry out ADM or profiling. The relevant definitions are as follows:
  - "ADM" means the process of making decisions without any human involvement by wholly or partly automated means.
  - "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject, in particular to analyse or predict aspects concerning that data subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- ADMP Threshold. The Guideline may not apply to all ADMP activities. The ADMP threshold is met where the outcome of an ADMP process may:
  - Result in legal effects concerning the data subject; or
  - Significantly affect the data subject.
  Examples of decisions that meet this threshold include those affecting eligibility or access to credit, healthcare, employment, education, pricing, or those causing reputational harm.
- ADMP always triggers a DPIA. ADMP is a qualitative factor that triggers the requirement to carry out a DPIA, regardless of the nature or extent of its intended use. The DPO must ensure that a DPIA is carried out for any planned processing involving ADM or profiling.
- Privacy notices should address ADMP. Data controllers must inform data subjects (via written notice) that their personal data is being processed through ADMP, including the types of decisions made, the reasons for such decisions, and the possible consequences. The level of disclosure should be as extensive as reasonably practicable, but need not include any confidential information, trade secret, intellectual property, proprietary rights, or other similar information.
- Withdrawal mechanisms should be accessible. Organisations implementing ADMP systems should ensure that mechanisms for withdrawing consent, where applicable, are accessible, straightforward and user-friendly, and that data subjects are informed of those mechanisms.
- Sensitive personal data requires additional safeguards. Where ADMP involves sensitive personal data, including biometric data, organisations must consider section 40 of the PDPA and should implement safeguards such as encryption and stricter access controls.
- AI-enabled ADMP should be reviewed carefully. Organisations using AI in ADMP should, among other things: (a) assess the risks before deployment; (b) implement measures to mitigate over-dependence on AI systems; (c) ensure that AI is not relied upon as the sole factor when making decisions concerning data subjects; (d) provide appropriate training to relevant personnel; and (e) designate trained human reviewers of AI outputs.
The DPbD Guideline provides guidance on incorporating Data Protection by Design (“DPbD”) into personal data processing activities. The adoption of DPbD aims to shift the data controller/processor from a reactive to a proactive mindset towards personal data protection.
Key points for organisations include:
- DPbD should be embedded throughout the data lifecycle. DPbD is defined as “an approach that incorporates appropriate technical and organisational measures, which are designed to implement the PDP Principles, into the entire lifecycle of a data processing activity, from design, development and deployment to decommissioning”.
- The Four Core DPbD Elements:
  - Proactiveness: Anticipate and prevent privacy risks before they occur. This includes establishing governance arrangements, allocating resources to data risk management, and designing systems that minimise personal data collection and retention by default.
  - End-to-End Protection: Ensure data protection throughout the full lifecycle, i.e., collection, processing, storage and disposal, consistently applying the PDP Principles at every phase.
  - Transparency: Be open and accountable about how personal data is handled and demonstrate compliance with stated practices.
  - User-Centricity: Design projects, products, services and processes around the interests and needs of data subjects, who retain the greatest vested interest in the management of their own personal data.
- DPbD should be applied to each PDP principle. The Guideline provides detailed guidance on applying DPbD to each of the seven PDP Principles.
- DPbD governance. The Guideline recommends senior leadership commitment, adequate resources, designation of responsible personnel, regular assessments and audits, DPO engagement and the use of DPIAs to identify and mitigate risks.
A comprehensive Data-Oriented and Process-Oriented Measures Checklist is included in Annex A of the Guideline, covering measures from predetermination and data minimisation to consent, notice, user control, breach management and third-party management.
COMMENTS
The Guidelines indicate an increased regulatory expectation for organisations to adopt a proactive, risk-based and lifecycle approach to personal data protection. In light of the issuance of these Guidelines, organisations should consider taking the following steps:
- Review existing data processing operations to assess whether any current or planned activities trigger the DPIA requirements under the DPIA Guideline.
- Assess whether any processing activities involve ADM or profiling, and if so, ensure that a DPIA is conducted and that appropriate notice, consent and safeguarding measures are in place in compliance with the ADMP Guideline.
- Embed DPbD principles into the design and development of new projects, systems, products and services, and review existing systems for DPbD compliance gaps.
- Update privacy notices and consent mechanisms to reflect ADMP activities and AI usage, where applicable.
This article/alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.