Launch of Personal Data Protection Guidelines for Data Protection Officer Appointment and Mandatory Data Breach Notification

Introduction

Following from our previous Legal Update setting out our analysis on the latest amendments to the Personal Data Protection Act 2010 (“PDPA”) pursuant to the Personal Data Protection (Amendment) Act 2024 (“Amendment Act”), which can be accessed here, and our News Alert on the appointment dates for the coming into force of the amendment provisions under the Amendment Act in stages, which can be accessed here, the Personal Data Protection Commissioner (“Commissioner”) has just launched the following personal data protection guidelines on 25 February 2025:

  1. Personal Data Protection Guideline: Data Protection Officer (“DPO”) (“DPO Guideline”); and
  2. Personal Data Protection Guideline: Data Breach Notification (“DBN Guideline”).

(collectively, “Guidelines”).

By way of background, the Digital Minister (“Minister”) announced in early 2024 that the Commissioner will develop and issue a suite of personal data protection guidelines to supplement the latest amendments to the PDPA. These guidelines were intended to be released in two tranches as follows:

First Tranche of Guidelines

  1. Data Protection Officer Guideline;
  2. Data Breach Notification Guideline;
  3. Data Portability Guideline;
  4. Cross-Border Data Transfer Guideline;

Second Tranche of Guidelines

  1. Data Protection Impact Assessment Guideline;
  2. Privacy by Design Guideline; and
  3. Profiling and Automated Decision-Making Guideline.

The Guidelines are the first two guidelines from the first tranche of guidelines to be issued, whilst the remaining guidelines from the first tranche of guidelines are expected to be issued by Q2 this year. The Guidelines take effect on 1 June 2025. The DPO Guideline and the DBN Guideline can be accessed here and here, respectively.

The Guidelines are intended to be read together with Circular of Personal Data Protection Commissioner No. 1/2025 (Appointment of Data Protection Officer) (accessible here) and Circular of Personal Data Protection Commissioner No. 2/2025 (Data Breach Notification) (accessible here), which have been issued by the Commissioner. 

Overview of the Key Requirements under the Guidelines

This Legal Update seeks to provide a brief overview of the key provisions under the Guidelines.

Key Requirements under the DPO Guideline

Section 12A of the PDPA introduces a new obligation for data controllers and data processors (“Organisations”) to appoint a DPO for their Organisation for the purposes of overseeing the Organisation’s compliance with the PDPA. The DPO Guideline sets out additional guidance and requirements to assist Organisations to comply with the new DPO appointment requirement. The key requirements under the DPO Guideline are as follows:

  1. Criteria for appointment of DPOs. An organisation will be required to appoint a DPO if the Organisation satisfies at least one of the following threshold requirements:
    • it processes personal data exceeding 20,000 or more data subjects;
    • it processes sensitive personal data, including financial information, exceeding 10,000 data subjects; or
    • its personal data processing involves activities that require regular and systematic monitoring of personal data.
  2. Expertise and qualifications of DPOs. The DPO Guideline prescribes the minimum expertise and qualifications DPOs should possess to be appointed as a DPO (e.g. understanding of corporate governance and information technology (IT) and data security). The DPO’s expertise and qualifications must also be appropriate taking into consideration the data processing activities of the Organisation.
  3. Registration of DPO. The DPO Guideline requires Organisations to register their DPO with the Commissioner within 21 days from the date of appointment of the DPO, and provide the Commissioner with the business contact information of the DPO.
  4. Responsibilities of DPO. The DPO Guideline provides a range of core responsibilities for DPOs. Briefly, these responsibilities include:
    • acting as the Organisation’s main contact point with the Commissioner;
    • serving as the liaison point between the Organisation and its data subjects; and
    • advising and supporting the Organisation in its data processing activities as well as monitoring the Organisation’s compliance with the PDPA (e.g. ensuring proper data breach and security incident management etc.).
  5. Other matters to note. The DPO Guideline also sets out additional important details regarding the appointment/position of the DPO and the legal implications of the DPO role. Examples include the following:
    • appointment of DPOs may be internal or external;
    • DPOs must be ordinarily a resident of Malaysia or easily contactable by any means;
    • the Organisation must ensure that the role and function of the DPO is adequately safeguarded and that the DPO’s role and position is well embedded in the Organisation (e.g. ensuring the DPO is involved in all matters relating to the protection of personal data within the Organisation); and
    • the Organisation’s appointment of a DPO does not absolve the Organisation from the requirement to ensure compliance with the PDPA when processing personal data, and Organisations will remain responsible for any non-compliance with the PDPA.

Key Compliance Requirements: Organisations must assess if they are subject to the mandatory DPO appointment obligation. Should they satisfy the DPO appointment thresholds, they would need to designate a DPO – whether from within the Organisation or externally – who satisfies the minimum expertise and qualification requirements specified in the DPO Guideline. Organisations would also need to review and enhance their internal data protection policies and procedures in order to clearly define the DPO’s role, position and functions, in compliance with the requirements under the DPO Guideline. Amongst others, this should include outlining the DPO’s core duties in the internal data protection policies of the Organisation, as well as ensuring that the DPO has direct reporting access to the Organisation’s senior management.

Due to the extensive requirements set out under the DPO Guideline, Organisations are strongly encouraged to review the DPO Guideline carefully prior to appointing a DPO. For those Organisations that are unable to appoint a DPO from their own internal resources, or where Organisations need more time in order to identify a suitably qualified person to fill the role, outsourcing the DPO role may serve as an effective interim solution.

Key Requirements under the DBN Guideline

Section 12B of the PDPA imposes a new mandatory obligation on data controllers to notify both the Commissioner and affected data subjects (“Affected Data Subjects”) of personal data breaches (collectively, “DBN Notification Requirement”). “Personal data breach” is broadly defined under the PDPA as any breach, loss, misuse or unauthorised access of personal data.

The DBN Notification Requirement set out under Section 12B of the PDPA cross-refers the manner and form of notification to be “as determined by the Commissioner”. In this regard, the DBN Guideline provides the following key requirements and guidance to assist data controllers in complying with the DBN Notification Requirement:

  1. Materiality threshold for data breach notifications. The DBN Guideline requires data controllers to notify the Commissioner of personal data breaches where the personal data breach causes or is likely to cause “significant harm” to the data subjects or is of a “significant scale”. Data controllers must also inform the Affected Data Subjects of the personal data breach if the personal data breach results in or is likely to result in “significant harm” to the Affected Data Subjects. “Significant harm” includes instances where there is a risk that the compromised personal data may result in physical harm, financial loss, negative effects on the data subject; may be misused for illegal purposes; consists of sensitive personal data, etc. “Significant scale”, on the other hand, refers to instances where the number of Affected Data Subjects exceeds or is likely to exceed a certain numeric threshold (in this case, 1,000 individuals). These notification thresholds are further explained in the DBN Guideline. 

That said, Section 12B of the PDPA provides that the data controller shall notify the Commissioner where the data controller has reason to believe that a personal data breach has occurred.

  2. Timeline for data breach notification. Data controllers must notify the Commissioner of the personal data breach as soon as practicable but no later than 72 hours after the occurrence of the data breach. While this may imply that the personal data breach notification is limited to cases where the personal data breach has actually occurred, Section 12B of the PDPA requires data controllers to make a data breach notification to the Commissioner where the data controller has reason to believe that a personal data breach has occurred. Therefore, it follows that data controllers may still be required to make notification to the Commissioner in cases of suspected personal data breaches as well.
  3. Data breach notification process. The DBN Guideline provides a template data breach notification form and the channel for notifying the Commissioner of personal data breaches, and outlines the manner for making personal data breach notifications to the Commissioner, which may vary depending on the circumstances (e.g. delayed notifications, phased notifications).
  4. Notification to Affected Data Subjects. The DBN Guideline provides the manner for notifying Affected Data Subjects of a personal data breach and details the information that data controllers must provide to the Affected Data Subjects in their notification (e.g. details of the personal data breach that has occurred, details of the likely consequences pursuant to the breach, measures taken by the data controller to address the breach, and mitigation measures that can be taken by the Affected Data Subjects). The DBN Guideline also stipulates that the data controller has to notify the Affected Data Subjects of the personal data breach without unnecessary delay, but no later than seven days after the initial personal data breach notification is made to the Commissioner.
  5. Duty of data controllers regarding their data processors. The DBN Guideline contains requirements for data controllers to contractually impose obligations on their data processors to notify the data controller of a personal data breach and assist the data controller in respect of handling said personal data breach.

Key Compliance Measures: Data controllers should commence developing or reviewing their internal data breach management and reporting procedures to ensure that the compliance requirements under the DBN Guideline are fully complied with. Additionally, data controllers should review template data processing contractual clauses and agreements entered into with their data processors in order to ensure the inclusion of terms relating to (i) the data processors’ obligations to notify data controllers of personal data breaches, and (ii) the data processors’ responsibility to facilitate their respective data controllers’ compliance with data breach notification obligations, amongst others.

Failure to comply with Section 12B of the PDPA may result in penalties of a fine of up to RM250,000, or imprisonment for a term of up to two years, or both. 

Concluding Remarks

The Guidelines offer much-needed clarity and guidance to the newly introduced DPO appointment requirement and DBN requirements under Sections 12A and 12B of the PDPA, respectively. All organisations involved in the processing of personal data are advised to review the extensive requirements under the Guidelines to ensure their full compliance with Sections 12A and 12B of the PDPA, given that the requirements under the said Sections will come into effect on 1 June 2025.

That said, these Guidelines only mark the beginning of the significant shifts that we expect to see in the Malaysian personal data protection regulatory framework in the coming months. As we anticipate the Commissioner to release personal data protection regulations, revised Personal Data Protection Standards (replacing the Personal Data Protection Standards 2015), personal data protection circulars and five additional personal data protection guidelines before the end of 2025, all organisations involved in the processing of personal data are advised to remain vigilant for these forthcoming regulatory developments.

We trust the above provides a useful update on the key requirements in the Guidelines. Should you require any assistance or clarification in relation to the above, or any matter relating to personal data protection, please feel free to contact us at your convenience.

This Legal Update is contributed by the Contact Partners listed here, with the assistance of Yu Xin Yi (Associate, Christopher & Lee Ong).

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
