Do YOU Need To Appoint A DPO In Malaysi

Do YOU Need To Appoint A DPO In Malaysia?

Table of Contents

Following the 2024 amendments to the Personal Data Protection Act 2010 and Circular of Personal Data Protection Commissioner No. 1/2025, many businesses in Malaysia that collect or handle personal data will be legally required to appoint a Data Protection Officer (DPO). 

However, depending on the nature and scale of its personal data processing activities, a business may not be required to appoint a DPO at all, or be required to appoint several!  

To know if your business needs to appoint a DPO, keep reading to the end. 

Which organisations need to appoint a DPO? 

According to the DPO Appointment Guideline by the Department of Personal Data Protection (PDP), an organisation must appoint a DPO if any of the following applies: 

  • you process personal data of more than 20,000 individuals
  • you handle sensitive personal data (e.g. health) of over 10,000 individuals, or
  • your activities involve regular and systematic monitoring of individuals 

The Guideline also states that if your organisation determines these thresholds are not met, you may maintain a record of the justification for not appointing a DPO

An exception in cases of “urgency”

Even if the thresholds are not met, where there is an urgency, the Commissioner may still require the appointment of a DPO.

While the Guideline does not define what constitutes “urgent”, organisations should evaluate and document any circumstances that could warrant such urgency.

Ultimately, it is the organisation’s responsibility to assess whether the thresholds are met, or, if they are not, to determine whether an appointment is still necessary, and to be prepared to justify that decision if requested by the Commissioner. 

DPO appointment options  

If your organisation is required to appoint a DPO, you generally have two options

  1. Appoint an internal team member (e.g. compliance officer, legal counsel, or IT lead); or 
  2. Outsource the DPO function to a qualified external service provider. 

Refer to our in-house vs outsourced DPO guide to evaluate which option works best. 

Regardless, the appointment must be submitted by the organisation via the official PDPA system, administered by the Commissioner. 

The obligation to appoint a DPO officially takes effect from 1 June 2025 and given the steps involved in identifying, assessing, and formally registering your DPO, organisations are strongly encouraged to begin the process as early as possible. 

Book a free DPO readiness consultation

Whether you are planning to appoint someone internally or explore an outsourced solution, our team can guide you through the requirements and help you make a confident and compliant decision. 

Book a free DPO readiness consultation with us today and take the first step toward PDPA compliance. 

Picture of Edwin Lee

Edwin Lee

Edwin is a corporate and technology lawyer. He is also the founder of Edwin Lee & Partners. Edwin has advised a range of companies from technology startups to multinational corporations on a range of matters. In 2020, Edwin was named as a Malaysian Rising Star by Asian Legal Business, a finalist for the Young Lawyer of the Year at the ALB Malaysia Law Awards as well as a lawyer in the annual ALB publication of Asia 40 under 40. View his full profile here.
shen-ming-casual

Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

View her full profile here.

Linkedin

Let us know how we can support your business

Contact Us illustration
Talk To Us
Drop us a message and let us better understand your needs. Get your first consultation within 24-hours, absolutely free of charge.

Leave a Comment

Your email address will not be published. Required fields are marked *

Share this article:
Post might interest you:

Want more content like this?

Drop us your email and be the first to know when we have more informative contents on the latest legal updates, just like this one.

ELP_Logo_White_960x200

A boutique corporate & commercial law firm in Kuala Lumpur.

FREE Legal Updates

Sign up for our newsletter to get the latest updates, happenings and goodies!
We don't spam, promise.
Global Chamber of Business Leaders logo - Light

 © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)

Edwin Lee & Partners is a Malaysian law firm registered with the Malaysian Bar and is regulated under the Legal Profession Act 1976. 
Click here to see our certificate of registration

Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settling the debts and obligations of the deceased.
  • Distributing the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access your username and password of your digital asset.
  • You are advised to store these private and confidential information in a USB stick, password management tool or write them down.
  • Please inform your executor or a trusted person of the whereabouts of the tools so that they will have access to your digital asset.