With the introduction of the Data Protection by Design (DPbD) Guideline, Malaysia is signalling a shift from reactive compliance to a more proactive, risk-based approach in managing personal data.
This article explains what DPbD means in practice, how it fits within the PDPA framework, and what businesses should start doing differently.
Data Protection by Design overview
The guideline defines DPbD as:
- incorporating appropriate technical and organisational measures; and
- implementing the PDP Principles throughout the entire lifecycle of data processing.
In other words, with DPbD, data protection is designed into how the system works from the outset, rather than relying on human processes and after-the-fact controls. The guideline gives a useful illustration:
Companies often store customer email addresses but rarely review when to delete them, causing data to be retained longer than necessary and tracking to be inconsistent. With DPbD, retention rules are built into the system and deletion happens automatically based on predefined logic.
4 core DPbD principles
The guideline sets out four key elements:
| Principle | What it means |
|---|---|
| 1. Proactiveness | Anticipate and prevent risks before they happen. This includes: Not “We fix it if something goes wrong” but “We design so it doesn’t go wrong”. |
| 2. End-to-End Protection | Data protection must apply across the entire lifecycle: DPbD requires thinking about what happens after collection. |
| 3. Transparency | Organisations must be able to: This is about accountability, not just disclosure. |
| 4. User-Centricity | Personal data ultimately belongs to the individual. Products, services, and systems should be designed to: |
DPbD and PDPA compliance
The guideline makes it clear that DPbD works together with multiple aspects of PDPA compliance. This includes:
- Personal Data Protection Standards
- Data Breach Notification Guideline
- Cross-Border Personal Data Transfer Guideline
- Codes of Practice
This means DPbD is how businesses operationalise existing PDPA obligations in their systems and processes.
DPbD and the 7 PDPA Principles
The guideline also illustrates how DPbD applies across the 7 Personal Data Protection Principles:
| PDPA Principle | What DPbD Means in Practice |
|---|---|
| 1. General | Define purpose clearly at the design stage. Ensure data collected is necessary and proportionate, not “collect first, justify later”. |
| 2. Notice & Choice | Build clear privacy notices and consent mechanisms directly into user flows. Make choices visible and easy to understand. |
| 3. Disclosure | Design systems to control and restrict data sharing. Ensure access is limited to authorised parties only. |
| 4. Security | Embed security measures into systems from the start (e.g. access controls, encryption, risk assessment, internal safeguards). |
| 5. Retention | Implement automated retention and deletion rules. Avoid keeping data longer than necessary. |
| 6. Data Integrity | Ensure systems support accurate and up-to-date data, with design features that minimise inaccuracies. |
| 7. Access | Design processes that allow individuals to access and correct their data efficiently. |
The guideline also provides a practical checklist and assessment template, covering data-related controls and process and governance measures.
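As an added illustration of the automated retention rule described above (this is example code, not part of the guideline or ELP's material), the following Python sketch applies a per-purpose retention schedule to customer email records. The purposes, retention periods and sample records are constructed placeholders; anything the rules cannot decide (an undefined purpose, or a legal hold on expired data) is routed to review rather than silently kept, so inconsistent retention is surfaced instead of hidden.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule keyed by processing purpose: days a record may be
# kept once no longer needed for that purpose. Placeholder periods, not from the guideline.
RETENTION_DAYS = {"marketing_consent": 365, "order_fulfilment": 7 * 365}

@dataclass
class Record:
    record_id: str
    purpose: str        # purpose fixed at the design stage (General principle)
    email: str
    last_needed: date   # when the purpose was fulfilled or consent was withdrawn
    legal_hold: bool = False

def retention_deadline(rec):
    """Date after which the record must be deleted, or None if no rule exists."""
    days = RETENTION_DAYS.get(rec.purpose)
    return None if days is None else rec.last_needed + timedelta(days=days)

def sweep(records, today):
    """Group record ids by outcome. Nothing is silently kept: cases the rules
    cannot decide (no rule, legal hold on expired data) go to 'review'."""
    outcome = {"deleted": [], "retained": [], "review": []}
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is None:
            outcome["review"].append(rec.record_id)    # no rule defined for this purpose
        elif today <= deadline:
            outcome["retained"].append(rec.record_id)
        elif rec.legal_hold:
            outcome["review"].append(rec.record_id)    # expired, but deletion is blocked
        else:
            outcome["deleted"].append(rec.record_id)
    return outcome

# Constructed sample records and sweep date for a stand-alone run.
AS_OF = date(2026, 1, 1)
SAMPLE = [
    Record("r1", "marketing_consent", "a@example.com", date(2024, 6, 1)),
    Record("r2", "marketing_consent", "b@example.com", date(2025, 9, 1)),
    Record("r3", "order_fulfilment", "c@example.com", date(2018, 1, 1), legal_hold=True),
    Record("r4", "loyalty_pilot", "d@example.com", date(2019, 1, 1)),
]

if __name__ == "__main__":
    print(sweep(SAMPLE, AS_OF))
```

Running the sweep on a schedule (rather than on request) is what turns the retention principle into a system property; the review bucket is the audit trail a DPO would want to see.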
What businesses should start doing now
1. Bring data protection into how projects are designed
Data protection should be considered at the earliest stage, not after systems are built. This applies across:
- new systems, apps, and platforms
- product development
- digital transformation initiatives
2. Look beyond new systems and review what already exists
In many cases, the greater risk sits not in new innovation, but in long-standing systems that were never designed with data protection in mind. DPbD applies across the entire lifecycle, including existing environments. Organisations should assess:
- legacy databases
- existing customer-facing platforms
- internal systems such as HR or finance tools
3. Build structured risk assessment into decision-making
A recurring theme in the guideline is the need for systematic identification and management of risks. This includes:
- using tools such as DPIA to assess higher-risk processing
- identifying gaps in current systems and practices
- addressing risks before they materialise
4. Strengthen governance at management level
The guideline places clear emphasis on senior leadership responsibility. This involves:
- clear accountability at senior management level
- allocating sufficient resources for data protection measures
- integrating data protection into governance and reporting structures
- ensuring regular engagement with the Data Protection Officer (where applicable)
5. Move towards continuous monitoring and improvement
DPbD is not static. It requires ongoing oversight. Organisations are expected to:
- conduct periodic reviews and audits
- update controls as systems and risks evolve
- encourage teams to suggest improvements to data protection practices
Data protection by design is ultimately about how your business operates. It requires organisations to think ahead, to build systems, processes, and decisions in a way that already takes data protection into account, rather than fixing issues later.
PDPA compliance in 90 days with ELP
If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.