For businesses in Malaysia using data to screen candidates and assess customers through automated systems, the new guideline on Automated Decision-Making and Profiling (ADMP) by the Personal Data Protection Department regulates how those decisions are made, and whether they are properly assessed and justified.
This article explains what ADMP means in practice, when it becomes relevant, and how businesses should approach it from a risk and compliance perspective.
ADMP overview
ADMP covers two things: Automated Decision-Making and Profiling.
Automated Decision-Making (ADM)
Decisions made with little or no human involvement in determining the outcome, such as:
- auto-rejecting loan applications
- algorithm-based hiring shortlists
- automated pricing or discount eligibility
The guideline clarifies that even where there is some human involvement, the process may still be considered automated if the system is effectively driving the outcome.
Profiling
Using personal data to predict or evaluate characteristics, behaviour, or outcomes relating to individuals, for example:
- credit scoring
- customer segmentation
- behavioural targeting
Taken together, ADMP applies where organisations use data to either make decisions about individuals or to analyse and predict their behaviour.
When ADMP becomes a concern
The guideline introduces a practical threshold focusing on impact on individuals. The issue arises where a process may:
- affect a person’s legal position (for example, approval of a contract or entitlement); or
- significantly affect the individual.
“Significant effect” is interpreted broadly. It can include financial consequences, access to essential services, employment opportunities, or reputational impact. In more serious cases, it may lead to exclusion or discrimination.
To illustrate this, the guideline provides practical examples.
A company using an automated system to screen job applicants
In this example, the system analyses candidate data, ranks applicants, and determines who is shortlisted for interviews. While this may appear to be a routine HR process, the outcome can be significant: candidates may be automatically excluded from job opportunities on the basis of an algorithmic assessment, without meaningful human review.
Link to PDPA compliance
This is where ADMP links directly back to the earlier DPIA framework. Where a process involves automated decision-making or profiling, organisations are expected to assess the risks before proceeding. In practice, this means conducting a Data Protection Impact Assessment (DPIA).
Importantly, this expectation is not limited to large-scale or complex systems. The focus is on impact on individuals, not just size or sophistication.
4 key steps for businesses
1. Transparency (Notice & Explanation)
You must inform individuals:
- that automated decision-making or profiling is taking place
- the reasons for such decisions
- the possible consequences
But: You are not required to disclose trade secrets or confidential information.
2. Right to withdraw consent
Under the PDPA, individuals can withdraw consent, and this right applies where ADMP is involved. The withdrawal mechanism must be accessible, straightforward and user-friendly, and the system must be designed to:
- stop processing upon withdrawal
- not “lock in” automated decisions
3. Sensitive personal data = higher risk
If your ADMP involves:
- health data
- biometric data
- financial or behavioural profiling
You must meet stricter legal bases (e.g. explicit consent) and implement stronger safeguards.
4. DPO involvement is not optional
The Data Protection Officer (DPO) must:
- be involved at the earliest possible stage
- support DPIA
- oversee ADMP implementation
The guideline does recognise that ADMP may be carried out in certain circumstances, such as where the processing is necessary:
- to enter into or perform a contract;
- to comply with legal obligations; or
- where the individual has given consent.
However, these are not blanket exemptions. This means businesses should not assume that simply pointing to a contractual or consent basis is sufficient. The use of automated decision-making or profiling, especially where it has a significant impact on individuals, still requires careful consideration.
A note on AI
The guideline makes an important distinction. Not all automated decisions involve AI, and not all AI use falls within this scope. Where AI is used to make or support decisions about individuals, expectations increase and organisations should ensure that:
- AI is used only for its intended purpose
- outputs are reviewed where appropriate
- there is meaningful human oversight, particularly where decisions have a significant impact
In practice, this also means avoiding over-reliance on AI. From an operational perspective, this may require organisations to:
- involve relevant personnel in reviewing AI-driven outcomes
- ensure those individuals are properly trained
- embed AI use within existing risk management and governance processes
- put in place a clear AI usage policy to guide how AI is used within the organisation
If your business uses data to make or support decisions about people, you must be able to explain and justify those outcomes.
Together with the DPIA requirement, the ADMP guideline pushes organisations towards a more practical standard of accountability, where decisions are not just efficient, but also understood and responsibly made.
PDPA compliance in 90 days with ELP
If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.