Malaysia issues three data protection risk management guides

15 May 2026
""
""
wechat x linkedin
hogan-lovells-logo
Share by email
Enter email
Enter Subject
Cancel
Send
News
Malaysia issues three data protection risk management guides
Chapter
  • Chapter

  • Chapter 1

    DPIA Guideline
  • Chapter 2

    Data Protection by Design (DPbD) Guideline
  • Chapter 3

    Automated Decision-Making and Profiling (ADMP) Guideline
  • Chapter 4

    Conclusion

Malaysia’s Personal Data Protection Commissioner (“PDPC”) has recently issued three new guidelines clarifying key concepts under the Personal Data Protection Act 2010 (“PDPA”), covering:

  • Data Protection Impact Assessments (“DPIAs”) [1];
  • Data Protection by Design (“DPbD”) [2]; and
  • Automated Decision-Making and Profiling (“ADMP”) [3].

These guidelines are a notable step forward for Malaysia’s data protection framework. They offer clearer guidance on regulatory expectations and reinforce a more structured approach to managing personal data. Issued in the context of the recent changes under the Personal Data Protection (Amendment) Act 2024, they also reflect the growing maturity of Malaysia’s personal data protection regime.

While not legally binding, the guidelines reflect the PDPC’s supervisory expectations and should be read alongside the PDPA. They are therefore a key indicator of how the regulator will assess compliance in practice, particularly in higher-risk areas such as AI, profiling and large-scale data processing. We summarise the key aspects of each guideline below.


Chapter 1

DPIA Guideline

What is a DPIA?

As set out in the DPIA Guideline, a Data Protection Impact Assessment (DPIA) is a structured process used to evaluate and manage risks associated with the handling of personal data. Its purpose is to help organizations systematically identify potential privacy risks in planned data processing activities and implement appropriate safeguards. The assessment should be aligned with the organization’s operational needs, business processes, and regulatory obligations.

Responsibility for conducting a DPIA

Accountability for ensuring that a DPIA is carried out lies with the data controller, with ultimate oversight resting with senior management.

The Data Protection Officer (DPO) plays a key supporting role by:

  • Developing a tailored DPIA template or checklist suitable for the organization.
  • Determining whether a DPIA is required for a specific activity.
  • Advising on the execution of the DPIA and recommending appropriate risk mitigation measures.

When is a DPIA required?

The DPIA Guideline indicates that a DPIA should be conducted where a data processing activity is likely to pose a high risk to individuals’ personal data. This may arise in the following situations:

1. Based on quantitative thresholds

  • Processing sensitive personal data (e.g. health, biometric, religious, political or criminal-related data) involving more than 10,000 individuals.
  • Processing other types of personal data involving more than 20,000 individuals.

2. Based on qualitative considerations, such as:

  • Activities that may significantly affect individuals’ legal rights or status.
  • Continuous or systematic monitoring of individuals.
  • Use of new or emerging technologies.
  • Processing involving children or other vulnerable groups.

These triggers are intended to ensure that privacy risks are assessed early, before the organization proceeds with the processing activity.

Key steps in conducting a DPIA

The Guideline indicates that a DPIA should follow a structured approach comprising the following steps:

  1. Describe the Processing Activity: Clearly outline the nature, scope, context, and objectives of the data processing.
  2. Assess Compliance and Necessity: Evaluate whether the processing is lawful, necessary, and proportionate to its intended purpose.
  3. Identify and Evaluate Risks: Determine potential risks to individuals’ personal data and assess their severity and likelihood.
  4. Define Risk Mitigation Measures: Identify safeguards and controls to reduce or eliminate identified risks.
  5. Determine Residual Risk: Assess the level of risk remaining after mitigation measures have been applied.

Actions after completing a DPIA

As set out in the Guideline, once the DPIA is complete, organizations should:

  • Escalate findings to senior management for review and decision-making on whether to proceed.
  • Implement the recommended safeguards to address identified risks.
  • Review and update the DPIA periodically, particularly after significant changes or at least every two years.
  • Maintain proper documentation, keeping DPIA records for a minimum of two years after the processing activity has ended, and ensuring they are available for regulatory review if required.

Chapter 2

Data Protection by Design (DPbD) Guideline

Core Elements of DPbD

The DPbD Guideline provides that this approach is supported by four key elements:

1. Proactive risk management

Organizations should take a forward-looking approach by identifying and mitigating potential risks before they arise. This includes establishing appropriate governance structures, allocating sufficient resources, and designing systems that limit data collection and ensure privacy-friendly default settings.

2. End-to-end data protection

Data protection measures should apply across the full lifecycle of personal data, from collection and use, to storage and eventual deletion. Each stage must comply with the applicable data protection principles to ensure continuous safeguarding of personal data.

3. Transparency and accountability

Organizations should maintain openness in how they manage personal data. This includes clearly communicating data practices and being prepared to demonstrate compliance with internal policies and legal requirements.

4. User-centric approach

Personal data should be handled in a way that respects the interests and rights of individuals. This means systems, products, and processes should be intentionally designed to give data subjects meaningful control over their data and to reflect their needs.

Embedding DPbD into organizational culture

The Guideline emphasizes that DPbD is not limited to technical measures but requires a broader cultural shift. Organizations should foster a culture that prioritizes responsible data management and proactive risk mitigation.

This includes:

  • Leadership commitment: Senior management setting clear expectations and promoting high data protection standards.
  • Shared responsibility: All stakeholders contributing to improved data protection practices.
  • Ongoing review and improvement: Regularly identifying and addressing gaps in systems and processes.

Chapter 3

Automated Decision-Making and Profiling (ADMP) Guideline

Overview of ADMP

Automated Decision-Making and Profiling (ADMP) refers to the use of automated processes, including algorithms and systems, to evaluate personal data and make decisions about individuals or to analyze and predict their behaviour, preferences, or characteristics.

While automated tools can improve efficiency and consistency, they may also introduce risks to individuals’ rights and freedoms. As such, ADMP activities must be carefully assessed and managed within the framework of applicable data protection requirements.

Relationship with DPIA

The Guideline provides that, before implementing any ADMP activity, organizations must first conduct a DPIA. This ensures that risks are identified and addressed at an early stage.

Additional safeguards for high-impact ADMP

Where ADMP is likely to result in legal effects (e.g. termination of a contract) or to have a significant and lasting impact on individuals, additional obligations apply. These include:

1. Compliance with data protection requirements

Organizations must ensure compliance with the Personal Data Protection Act 2010 (as amended), including obtaining explicit consent where required, particularly for sensitive personal data.

2. Transparency and notice

Data subjects must be informed of ADMP activities through clear, written notices that are easily accessible and kept up to date.

3. Mechanisms to withdraw consent

Organizations must provide simple and user-friendly mechanisms for individuals to withdraw consent to ADMP processing.

4. Informing data subjects of their rights

Individuals must be clearly informed of their right to withdraw consent and how to exercise that right.

Chapter 4

Conclusion

The new guidelines point to a more mature and enforcement-driven data protection landscape in Malaysia. They highlight the need to embed privacy into day-to-day operations and take a more proactive approach to managing risk. For organizations, particularly those using large-scale analytics, AI, or profiling, this will require robust compliance frameworks, strong documentation, and close oversight of higher-risk activities.

Businesses operating in Malaysia would be well-advised to review their current approaches to risk assessment and accountability to ensure they meet the PDPC's expectations as set out in the guidelines.

For further information on how these guidelines may affect your organization, please reach out to the authors or your usual Hogan Lovells contact.

Authored by Charmian Aw and Ciara O'Leary.

References
  [1] Data-Protection-Impact-Assessment-Guideline-DPIA.pdf
  [2] Data-Protection-By-Design-Guideline-DpbD.pdf
  [3] Automated-Decision-Making-And-Profiling-Guideline-ADMP.pdf

Contacts

  • Charmian Aw, Partner, Singapore
  • Ciara O'Leary, Associate, Singapore
