Malaysia’s Personal Data Protection Department (PDPD) has recently issued a guideline on Data Protection Impact Assessment (DPIA), a major step towards strengthening personal data governance practices.
Businesses are now expected to demonstrate, in a structured and documented way, that they have thought through the risks of their data activities before carrying them out.
What is a DPIA?
The guideline introduces a structured five-step approach, DEICA (Describe, Evaluate, Identify, Consider and Assess).
This framework helps organisations systematically think through how personal data is used, what risks may arise, and how those risks should be managed before proceeding:
| Step | Key Focus | Guiding Questions |
|---|---|---|
| 1. Describe | Understand the processing activity | What data is collected? How is it used, stored, and shared? |
| 2. Evaluate | Assess justification | Is the processing necessary, proportionate, and legally justified? |
| 3. Identify | Identify and analyse specific risks | What could go wrong (e.g. data breach, misuse, loss of control, financial or identity theft or fraud)? Each identified risk is assessed based on the likelihood of the risk occurring and the impact if it materialises. |
| 4. Consider | Reduce risks | How can risks be mitigated (e.g. minimise data, strengthen security, anonymise, improve vendor controls)? |
| 5. Assess | Assess the overall residual risk | After mitigation, is the remaining risk acceptable? |
The guideline also provides a risk scoring methodology, along with sample DPIA templates and process flow, which serve as useful practical references for organisations looking to implement DPIA in a structured and consistent manner.
Who is responsible?
The responsibility for carrying out a DPIA, and for deciding whether to proceed with a particular data processing activity, ultimately rests with the data controller (the organisation). This is because the data controller determines the purpose and manner of processing and is therefore best placed to assess whether the risks are acceptable and whether the processing should proceed.
While advising on DPIA forms part of the Data Protection Officer (DPO)’s role as reflected in our DPO guideline, the DPO’s function remains advisory in nature.
When to conduct a DPIA
Under the guideline, a DPIA is required where a data controller foresees that a processing activity is likely to result in a high risk to the protection of personal data. The guideline introduces a two-step test to help organisations assess whether a DPIA is required.
1. Quantitative Threshold
You should conduct a DPIA if:
- processing involves more than 20,000 individuals, OR
- processing involves sensitive data (e.g. financial) of more than 10,000 individuals
2. Qualitative Threshold
Even if you don’t meet the numerical thresholds, a DPIA may still be required if your activity involves:
- Automated decision-making (e.g. automated credit scoring system)
- AI or new technologies
- Location or behaviour tracking
- Potential legal or significant effects on the individuals
- Systematic monitoring of individuals
- Restricting user rights (e.g. forcing consent)
- Targeting children or vulnerable groups
Businesses should start thinking about DPIA when they are:
- rolling out new digital platforms or applications
- using analytics, profiling, or AI-driven decision-making
- tracking user behaviour (whether online or offline)
- introducing new technologies into existing operations
From a commercial perspective, this means DPIA will become increasingly relevant for organisations that are digitally driven, data-intensive, or undergoing transformation.
What happens after a DPIA
If “high” risk remains, the matter should be escalated to senior management for consideration, and:
- appropriate mitigation measures should be implemented
- proper records should be maintained
- processing activities should be continuously monitored
A DPIA is generally valid for two years from its completion and should be reviewed periodically, especially where there are changes to the processing activity. Records should be retained for at least two years after the processing ends.
Impact on PDPA compliance
The DPIA guideline shifts how many organisations approach PDPA compliance, which has often been treated as a documentation exercise involving privacy notices, consent clauses and policies.
At its core, a DPIA is a risk assessment tool designed to help organisations identify, assess, and manage personal data risks to avoid costly mistakes and potential data breaches associated with a planned processing activity.
It introduces a more operational question: Before we process this data, have we properly assessed the risks, and can we justify our decisions?
PDPA compliance in 90 days with ELP
If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.