The recent JPDP PDPA Connect programme signals a clear regulatory shift in Malaysia’s data protection landscape. The focus is no longer just on legal compliance under the Personal Data Protection Act 2010 (Act 709), but on embedding data governance, accountability, and trust into business operations.
From compliance to accountability
A consistent message across the event was the move away from a “checklist compliance” mindset towards a risk-based and accountability-driven approach. This aligns Malaysia more closely with international frameworks such as the EU GDPR, particularly in terms of accountability and governance expectations. This means:
- businesses are expected to anticipate risks, not just react to breaches;
- senior management and boards must take ownership of data governance; and
- data protection is now treated as a business risk issue, not purely a legal function.
Launch of Three Core Guidelines

A major highlight of the event was the official launch of three key guidelines:
- Data Protection Impact Assessment (DPIA) – acts as a structured risk assessment tool before implementation
- Data Protection by Design (DPbD) – ensures systems are designed with privacy from the outset
- Automated Decision-Making & Profiling (ADMP) – governs how AI and automated decisions are used responsibly
Industry Insights: What Businesses Are Getting Wrong

The panel discussion, featuring industry leaders from Petronas, Tenaga Nasional Berhad, and CelcomDigi, offered practical insights into how organisations are currently approaching data protection, and where gaps remain.
- Malaysia is shifting towards a “governance-by-design” approach, where data protection is embedded into business processes rather than treated as a compliance afterthought.
- The three new guidelines (DPIA, DPbD, ADMP) collectively form a practical framework for managing data risk, system design, and AI governance.
- DPIA should be conducted at the project design stage, not after implementation, and should involve cross-functional teams (legal, IT, business).
- Organisations should treat DPIA as a strategic decision-making tool, not a compliance checklist, enabling better risk visibility and business outcomes.
- Data Protection by Design (DPbD) is a mindset shift: privacy must be built into systems from the start to avoid costly redesign and operational disruption.
- Neglecting privacy early leads to hidden costs, including system retrofitting, reputational damage, operational inefficiencies, and vendor risk exposure.
- Automated decision-making (AI systems) must be supported by strong governance, with a clear requirement for human oversight (“human-in-the-loop”).
- Data quality is critical: poor data inputs can result in biased outcomes, unfair decisions, and regulatory risk.
- Vendor and third-party management is a key risk area, requiring end-to-end lifecycle controls (due diligence, contracting, monitoring, exit management).
- Data protection is increasingly recognised as a business enabler, supporting trust, innovation, and sustainable growth rather than hindering operations.
Importantly, the discussion reinforced that organisations which embed privacy early, particularly through design and risk assessment frameworks, often experience better operational efficiency, smoother implementation, and stronger customer trust.
Townhall session: Enforcement & regulatory direction

The townhall session was led by the Personal Data Protection Commissioner, YBrs. Puan Shariffah, who outlined JPDP’s strategic direction and enforcement priorities moving forward.
- JPDP’s 2026 strategy is built on four pillars: strengthening internal structure, improving service delivery, driving stronger cooperation, and increasing enforcement.
- A major regulatory direction is the increase in enforcement, particularly around data breach notification (DBN) compliance and organisational accountability.
- JPDP identified common compliance gaps, including weak internal governance, poor cyber hygiene, unpatched systems, and lack of incident response plans.
- More than 300 data breach notifications were reported within less than a year, showing growing awareness but also highlighting systemic weaknesses across industries.
- JPDP is developing an integrated MyPDP system and call centre, aimed at streamlining registration, complaints, and stakeholder engagement.
- There is a strong push for international alignment, including participation in ASEAN initiatives and APEC Cross-Border Privacy Rules.
- JPDP clarified that local councils (PBTs) engaging in commercial activities may be subject to the PDPA, signalling a broader enforcement scope.
- New regulatory developments are underway, including updated regulations, expanded data controller registration classes, and potential legislative amendments.
- Future frameworks include an AI governance framework, Appeals Tribunal, and Advisory Committee, indicating a more structured regulatory ecosystem.
- Long-term direction is the transformation of JPDP into a full Data Commission, with broader authority and a more robust enforcement role.
During the session, I raised a question highlighting practical concerns faced by businesses, particularly on simplifying PDPA compliance for SMEs and the role of inter-agency data sharing in enforcement scenarios.
This reflects a broader industry concern: as personal data breaches increasingly intersect with cybersecurity incidents and potential criminal activity, organisations must navigate not only PDPA obligations but also overlapping regulatory and enforcement frameworks.
In response, the Commissioner confirmed that simplified compliance guidance for SMEs, especially those adopting cloud technologies, is currently in the pipeline. She also clarified that data sharing between JPDP and other enforcement agencies (such as the police and MCMC) is presently conducted on a case-by-case basis, rather than through a centralised or standardised platform.
Overall, the townhall session made it clear that JPDP is moving towards a more structured, enforcement-driven and internationally aligned regulatory approach. Businesses should expect higher scrutiny, particularly in areas such as data breach management, governance frameworks, and accountability.
Practical business takeaways
Businesses should consider the following immediate actions:
- integrate DPIA into project approval processes, especially for high-risk or AI-related initiatives
- embed DPbD into IT, procurement, and system development lifecycles
- review use of AI and automation to ensure human oversight and transparency
- strengthen vendor management frameworks, particularly where data processing is outsourced
- elevate data protection to board-level oversight, rather than limiting it to compliance teams
The PDPA Connect 2026 event reinforces a critical shift: data protection is no longer just about legal compliance; it is a core component of business governance, risk management, and digital trust. For more insights, updates, and official guidance, you may visit the JPDP website and their official communication channels.
PDPA compliance in 90 days with ELP
If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.