PDPD launches public consultations on guidelines for data protection impact assessments, data protection by design, and automated decision making and profiling

26 March 2025

On 20 March 2025, the Personal Data Protection Department (“PDPD”) issued three public consultation papers on the following guidelines:

• Data Protection Impact Assessment;
• Data Protection by Design; and
• Automated Decision Making and Profiling.

This article discusses key proposals set out in the public consultation papers.

Public Consultation Paper No. 1/2025: Data Protection Impact Assessment Guideline

Public Consultation Paper No. 1/2025 defines a data protection impact assessment (“DPIA”) as “an assessment of the impact of planned processing operations on personal data protection, which may involve identifying, assessing and managing personal data protection risks, considering the organisation’s functions, requirements and processes”.

The PDPD proposes that a mandatory DPIA be conducted if the data controller’s processing of personal data:

• involves sensitive personal data of more than 10,000 data subjects;
• is for automated decision-making purposes of more than 10,000 data subjects;
• involves the personal data of more than 20,000 data subjects; or
• involves any factors that the data controller would consider as warranting a DPIA, such as, for instance:
• any potential legal or significant effects on data subjects;
• the use of innovative technology; or
• involving any denial or restriction of any data subject rights.

The Public Consultation Paper on the Data Protection Impact Assessment Guideline is available here.

Public Consultation Paper No. 2/2025: Data Protection by Design Guideline

“Data protection by design” (“DPbD”) is a globally recognised concept where data controllers are encouraged to proactively integrate privacy considerations into all aspects of their personal data management from the beginning stages of its data procession operations to the end.

The PDPD proposes that data controllers adopt seven foundational principles (“Principles”) as a guiding framework for how to implement DPbD. The Principles are set out in Public Consultation Paper No. 2/2025 but are not intended to be mandatory or exhaustive.

The Principles are as follows:

• Proactive not reactive; preventive not remedial, that is, anticipating and preventing privacy risks before they occur and actively building processes to prevent data breaches;
• Privacy as the default setting, therefore ensuring personal data is automatically protected in any given system;
• Privacy embedded into design, that is, integrating privacy into technologies, operations, and information architectures in a holistic, integrative and creative way;
• Full functionality (positive sum, not zero sum), meaning accommodating all legitimate interests and objectives in a manner that benefits all stakeholders, without making unnecessary trade-offs against privacy;
• End-to-end security (full lifecycle protection), entailing data controllers to ensure data security throughout the entire lifecycle of the personal data involved - all data should be securely retained, and then securely destroyed at the end of the process, in a timely fashion;
• Visibility and transparency (keep it open) demonstrating accountability for personal data processing activities; and
• Respect for user privacy (keep it user-centric) by protecting the interests of the individual by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options.

The Public Consultation Paper on the Data Protection by Design Guideline is available here.

Public Consultation Paper No. 3/2025: Automated Decision Making and Profiling Guideline

The PDPD proposes to introduce the concepts of “automated decision making” and “profiling” into Malaysia’s data protection framework in light of technological advancements in artificial intelligence and machine learning.

Public Consultation Paper No. 3/2025 proposes to define “automated decision making” as “decision-making processes by automated means without any human involvement”, and “profiling” as “any form of automated processing of personal data to assess personal aspects of an individual, such as performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”. Both terms are currently not defined in the Personal Data Protection Act.

The PDPD also sets out the proposed framework for the regulation of automated decisions and profiling, including conferring the following rights, subject to certain exceptions, on a data subject:

• Right to refuse to be subjected to a decision based entirely on automated decision making (including profiling) which significantly affects the data subject;
• Right to be informed if automated decision making is being implemented; and
• Right to request for the automated decision making to be reviewed by a human.

The Public Consultation Paper on the Automated Decision Making and Profiling Guideline is available here.

Moving forward

The PDPD is inviting feedback on the Public Consultation Papers to be provided via this link by 19 May 2025.