PDPA Updates: Appointment of a Data Protection Officer

Posted on May 6, 2025 by Victor Gan

“The appointment of a Data Protection Officer marks a turning point in Malaysia’s commitment to data governance — and employers must act now to stay compliant.”

The Personal Data Protection Department of Malaysia issued a set of guidelines in February 2025, expanding on the amendments made to the primary Act in 2024. This includes the introduction of the mandatory requirement for employers to appoint a Data Protection Officer (DPO) within the Company. Please note that this requirement will take effect on 1 June 2025. We have summarised the guidelines in Q&A format for your better understanding. 



  1. Is my company required to appoint a Data Protection Officer (DPO)

    The guidelines have set conditions where the appointment of a DPO is mandatory. The conditions are as follows:

    • If your company processes personal data of 20,000 or more data subjects. 

    • If your company processes sensitive personal data of 10,000 or more data subjects (Both of the above are not limited to your employees but include all other personal data, including customer information, suppliers, visitors, etc.)


    • Any activity involving personal data which requires systematic or regular monitoring, although not meeting the above minimum threshold 



2. What are personal data and sensitive personal data?

    Personal Data: Personal data refers to any information that can identify a living individual, either on its own or when combined with other information. Examples include names, identification numbers, addresses, contact details, or any other data that makes it possible to recognise a specific person.

    Sensitive Personal Data: Sensitive personal data is a specific category of personal data that requires higher protection due to its sensitive nature. This includes information related to an individual's:

    • Health (physical or mental condition)

    • Political opinions

    • Religious beliefs or similar convictions

    • Criminal records or allegations, including conduct or statements related to offences


3. If I am required to appoint a DPO, who can I appoint?

    You have to ensure that the considered DPO is a resident of Malaysia, is easily contactable and is proficient in Bahasa Malaysia and English.



4. Can I hire a part-timer or a 3rd party as a DPO?

    Yes, this is permitted as long as the conditions in point no. 2 are met. Further, the Company is required to ensure that the DPO has:

    • Relevant training to understand the requirements of the Personal Data Protection Act.

    • Operational understanding with regard to your Company’s processing of personal data, including security measures.

    • Understanding of the operational structure, including higher Management’s responsibility in personal data protection.

    • Access to encourage responsible personal data management within your Company.



5. What are the roles and responsibilities of a DPO?

    • Be aware of and understand the methods by which personal data are being processed within your Company.

    • Support the organisation’s activities in an effort to comply with the requirements of the Personal Data Protection Act.

    • Ensure incident management processes are in place.

    • Act as the main contact liaison for any personal data related matters, for both data subjects and the Commissioner.




6. Are there any other rules that we need to be aware of?

    DPOs must be provided with a dedicated email address for carrying out his / her functions as a DPO. This is a requirement even if the DPO is an external party.

    Upon confirming the appointment of the DPO, the Commissioner must be notified within 21 days via the PDP web portal. Any termination of a DPO must also be notified within 14 days of termination.

    Lastly, the Company is also required to publish the DPO’s contact information on the Company’s website or Privacy Policy.



7. Is this HR’s responsibility?

    This depends. If the bulk of your personal data consists of employee information, it is highly likely that HR will be tasked with this responsibility. However, if your Company deals with a high volume of other personal data (clients, vendors, etc.), then only the employee portion should be handled by HR. You are encouraged to discuss this with your Management / Legal & Compliance team.



If you wish to refer to the official guidelines issued by the Ministry of Digital, kindly click on the link here: https://www.pdp.gov.my/ppdpv1/en/guidelines-and-circular-on-personal-data-protection-appointment-of-data-protection-officer-dpo-and-data-breach-notification/


The requirement to appoint a DPO marks a significant shift in Malaysia’s data protection landscape. While this requirement may not be applicable to all employers, this should be viewed and taken as an opportunity to strengthen the data governance framework through responsible practices. As a matter of best practice, employers are encouraged to review existing policies related to data protection and privacy, conduct regular audits, and encourage a responsible and accountable culture through awareness and education campaigns. Should you require further support, including specific training for your employees or selected DPO, please contact our Consultants for more information. 

