Data Protection Officer (DPO) vs Chief Security Officer (CSO) A Definitive Guide

Data Protection Officer (DPO) vs Chief Security Officer (CSO): A Definitive Guide

Table of Contents

As Malaysia strengthens its legal framework for data privacy and cyber security with the Personal Data Protection (Amendment) Act 2024 (PDPA) and Cyber Security Act 2024 (CSA), Malaysian organisations assessing their compliance obligations may be unsure if they need both a Data Protection Officer (DPO) and a Cyber Security Officer (CSO)

Below, we have broken down the legal requirement, roles, responsibilities, and qualifications for both positions so you can determine which your organisation must appoint. 

Legal requirement 

As expressly outlined in Section 12A of the PDPA and supported by official DPO guideline, as of 2025, it is mandatory for organisations in Malaysia to appoint a DPO if they:  

  • process personal data exceeding 20,000 data subjects; or 
  • process sensitive personal data exceeding 10,000 data subjects; or 
  • engage in activities that require regular and systematic monitoring (e.g. CCTV, wearables, telco systems). 

In contrast, the CSA 2024 does not expressly mandate the appointment of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).

However, designated NCII entities are subject to a wide range of cybersecurity obligations and as a result, may benefit from appointing a designated CSO or similar role as a practical measure to ensure compliance with the CSA 2024.  

Defining “NCII entity”:

“NCII entity” means any government entity or person that owns or operates NCII. “NCII” means a computer or computer system in which if it is disrupted or destroyed, it will result to a detrimental effect to the delivery of service relating to the security, defence, foreign relations, economy, public health, public safety, public order or the ability of the government to carry out its functions effectively.  

Roles and responsibilities 

The table below summarises the key differences between the two roles: 

Aspect Data Protection Officer (DPO) Chief Security Officer (CSO)  
Primary Mandate Oversee compliance with data protection laws including to ensure lawful processing of personal data and manage personal data breaches.  Develop and enforce cyber security strategies, ensure system security, manage cyber risks and respond to cyber threats.  
Key Regulator Personal Data Protection Commissioner (“PDPC”) National Cyber Security Agency (“NACSA”)  
Roles Acts as liaison to PDPC, supports Data Protection Impact Assessments, monitors compliance, and manages breach notifications.  Leads the incident response for cyber security attacks and oversees compliance and reporting obligations under CSA 2024.  
Focus Area Personal Data & Privacy Risk Information Systems & Cyber Threats  
Mandatory by Law Yes No 

Qualifications 

While there is some overlap in competencies, each role demands specific expertise: 

Data Protection Officer (DPO) 

A DPO can be chosen from an internal member or outsourced, and in either case should: 

  • have sound knowledge of the PDPA and relevant data protection laws
  • understand of the organisation’s data processing operations
  • understand technical and organisational security measures, and 
  • have Integrity and ability to advise independently

What is a Data Protection Officer?

A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia.

To learn more, read our guides:

Chief Security Officer (CSO) 

While the CSA 2024 does not expressly require organisations to appoint a Chief Security Officer (CSO), appointing such a role is considered a best practice for NCII entities as a CSO plays a key role in ensuring the organisation meets cybersecurity obligations under the CSA 2024. 

What to look for in a CSO: 

  • background in IT security, risk management, or computer science 
  • capability to lead incident response and cyber crisis management, and 
  • familiarity with regulatory expectations and coordination with national agencies (e.g., NACSA) 

Note: CyberSecurity Malaysia has introduced the Certified Chief Information Security Officer (CCISO) programme. The certification is aligned with international standards and tailored to meet Malaysia’s compliance landscape under the CSA 2024.  

Appointment Context: it is highly recommended for organisations designated as the NCII entity. These include sectors deemed essential to national security, economy, public health, or safety, such as banks, telcos, utilities, hospitals, and government-linked entities. 

When to appoint both 

An organisation can consider appointing both especially if: 

  • you process large volumes of personal data (e.g. more than 20,000 individuals); and 
  • you operate in a high-risk or high-value sector where cybersecurity threats are common 

Example of when to appoint a DPO and CSO:

A Imagine a private hospital that runs a 24/7 emergency ward, stores thousands of electronic medical records (EMRs), and operates a telemedicine platform for remote consultations. 

  • The DPO ensures patients are given proper privacy notices, handles consent for health data sharing, and manages requests for access or correction of patient records, all required under the PDPA. 
  • Meanwhile, the CSO defends the hospital’s infrastructure against threats like ransomware locking critical systems, DDoS attacks on the teleconsultation portal, or unauthorised access to diagnostic devices connected to the network. 

While the DPO covers personal data protection, the CSO focuses on cybersecurity, and together they provide the hospital with a truly comprehensive protection against threat actors and mistakes.

Can a DPO also serve as CSO? 

Technically yes, since there is no express prohibition under the acts against one person serving as both DPO and CSO. However, dual-role arrangements should only be considered if: 

  • there is no conflict of interest 
  • the individual is suitably qualified in both data protection and cybersecurity 
  • the risk profile is low 

However, bear in mind that while both roles support security, they cover distinct subjects, and best practice would be to separate DPO and CSO functions for better oversight and risk management. 

Conclusion 

Appointing a DPO and a CSO is not a duplication, Where the DPO covers personal data protection, a CSO focuses on cybersecurity, and any organisation with both will enjoy better protection and ability to respond to regulatory expectations. 

Picture of Edwin Lee

Edwin Lee

Edwin is a corporate and technology lawyer. He is also the founder of Edwin Lee & Partners. Edwin has advised a range of companies from technology startups to multinational corporations on a range of matters. In 2020, Edwin was named as a Malaysian Rising Star by Asian Legal Business, a finalist for the Young Lawyer of the Year at the ALB Malaysia Law Awards as well as a lawyer in the annual ALB publication of Asia 40 under 40. View his full profile here.
shen-ming-casual

Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

View her full profile here.

Linkedin

Let us know how we can support your business

Contact Us illustration
Talk To Us
Drop us a message and let us better understand your needs. Get your first consultation within 24-hours, absolutely free of charge.

Leave a Comment

Your email address will not be published. Required fields are marked *

Share this article:
Post might interest you:
standard-quality-control-collage

Why Malaysian Companies Should Adopt GDPR Standards

The Malaysian Personal Data Protection Act (PDPA), effective since November 15, 2013, governs the processing of personal data within Malaysia. It applies to all businesses involved in commercial transactions. However,

Want more content like this?

Drop us your email and be the first to know when we have more informative contents on the latest legal updates, just like this one.

ELP_Logo_White_960x200

A boutique corporate & commercial law firm in Kuala Lumpur.

FREE Legal Updates

Sign up for our newsletter to get the latest updates, happenings and goodies!
We don't spam, promise.
Global Chamber of Business Leaders logo - Light

 © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)

Edwin Lee & Partners is a Malaysian law firm registered with the Malaysian Bar and is regulated under the Legal Profession Act 1976. 
Click here to see our certificate of registration

Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settling the debts and obligations of the deceased.
  • Distributing the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access your username and password of your digital asset.
  • You are advised to store these private and confidential information in a USB stick, password management tool or write them down.
  • Please inform your executor or a trusted person of the whereabouts of the tools so that they will have access to your digital asset.