Author name: Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

A Full Guide To Automated Decision-Making & Profiling (ADMP) In Malaysia


For businesses in Malaysia using data to screen candidates and assess customers through automated systems, the new guideline on Automated Decision-Making and Profiling (ADMP) by the Personal Data Protection Department regulates how those decisions are made, and whether they are properly assessed and justified.

This article explains what ADMP means in practice, when it becomes relevant, and how businesses should approach it from a risk and compliance perspective.

ADMP overview

ADMP covers two things: Automated Decision-Making and Profiling.

Automated Decision-Making (ADM)

Decisions made with little or no human involvement in determining the outcome such as:

The guideline clarifies that even where there is some human involvement, the process may still be considered automated if the system is effectively driving the outcome.

Profiling

Using personal data to predict or evaluate characteristics, behaviour, or outcomes relating to individuals, for example:

Taken together, ADMP applies where organisations use data to either make decisions about individuals or to analyse and predict their behaviour.

When ADMP becomes a concern

The guideline introduces a practical threshold focusing on impact on individuals. The issue arises where a process may:

“Significant affect” is interpreted broadly. It can include financial consequences, access to essential services, employment opportunities, or reputational impact. In more serious cases, it may lead to exclusion or discrimination.

To illustrate this, the guideline provides practical examples.

A company using an automated system to screen job applicants

In this example, the system analyses candidate data, ranks applicants, and determines who is shortlisted for interviews. While this may appear to be a routine HR process, the outcome can be significant: candidates may be automatically excluded from job opportunities based on algorithmic assessment, without meaningful human review.
Link to PDPA compliance

This is where ADMP links directly back to the earlier DPIA framework. Where a process involves automated decision-making or profiling, organisations are expected to assess the risks before proceeding. In practice, this means conducting a Data Protection Impact Assessment (DPIA).

Importantly, this expectation is not limited to large-scale or complex systems. The focus is on impact on individuals, not just size or sophistication.

4 key steps for businesses

1. Transparency (Notice & Explanation)

You must inform individuals:

But: You are not required to disclose trade secrets or confidential information.

2. Right to withdraw consent

Under PDPA, individuals can withdraw consent. This right applies where ADMP is involved.

This means your system must be accessible, straightforward and user-friendly and must be designed to:

3. Sensitive personal data = higher risk

If your ADMP involves:

You must meet stricter legal bases (e.g. explicit consent) and implement stronger safeguards.

4. DPO involvement is not optional

The Data Protection Officer (DPO) must:

The guideline does recognise that ADMP may be carried out in certain circumstances, such as where the processing is necessary:

However, these are not blanket exemptions. This means businesses should not assume that simply pointing to a contractual or consent basis is sufficient. The use of automated decision-making or profiling, especially where it has a significant impact on individuals, still requires careful consideration.

A note on AI

The guideline makes an important distinction. Not all automated decisions involve AI, and not all AI use falls within this scope. Where AI is used to make or support decisions about individuals, expectations increase and organisations should ensure that:

In practice, this also means avoiding over-reliance on AI.
From an operational perspective, this may require organisations to:

If your business uses data to make or support decisions about people, you must be able to explain and justify those outcomes.

Together with DPIA, it pushes organisations towards a more practical standard of accountability, where decisions are not just efficient, but also understood and responsibly made.

PDPA compliance in 90 days with ELP

If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.


Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settle the debts and obligations of the deceased.
  • Distribute the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access your digital assets, including the username and password for each.
  • You are advised to store this private and confidential information on a USB stick or in a password management tool, or to write it down.
  • Please inform your executor or a trusted person of the whereabouts of these tools so that they will have access to your digital assets.