
The Next Wave of Personal Data Protection Reform Is Coming: 5 Key Legal Developments to Watch in Malaysia

There is little doubt that 2025 marked a watershed moment for the personal data protection landscape in Malaysia. With the amendments introduced under the Personal Data Protection (Amendment) Act 2024 now fully incorporated, a genuine sea change has reshaped the landscape in a lasting way, including the introduction of the requirement to appoint a Data Protection Officer, the personal data breach notification obligation, the removal of the whitelist for cross-border data transfers, and the right to data portability. Taken together, these reforms have fundamentally transformed the compliance expectations within Malaysia.

While 2025 has been a particularly active and, in many respects, striking year that has pushed personal data protection compliance to the very top of the priority list for many organisations and legal teams in Malaysia, we trust that the momentum will only continue from here. From all indications, matters are certainly not slowing down and are, in fact, accelerating. In that sense, if 2025 was the foundational year, 2026 may well prove to be the year of transformation.

Against that backdrop, this article aims to highlight five key developments that are likely to shape the next phase of Malaysia’s personal data protection framework over 2026 and 2027. These are trends and regulatory developments that personal data protection lawyers, in-house counsel, compliance teams, and broader legal functions would be well advised to monitor closely.

Of course, we do not have the benefit of a crystal ball. However, based on the developments already underway and the direction in which the nation appears to be heading, we believe these five developments are steadily brewing and may, in due course, be introduced in 2026–2027:

1. Data Protection Impact Assessment
2. Data Protection by Design
3. Automated Decision-Making and Profiling
4. Amendments to the Personal Data Protection Regulations 2013
5. AI and Personal Data Protection Framework

 

1. Data Protection Impact Assessment

Data Protection Impact Assessment, or DPIA, first came into sharper focus in Malaysia last year through the issuance of the Public Consultation Paper No. 1/2025: Data Protection Impact Assessment Guideline.

DPIA remains a relatively new concept, not only in Malaysia but across many jurisdictions. However, it is also becoming increasingly important, particularly as organisations continue to deploy personal data across new products, services, technologies, and operational initiatives with growing speed and complexity.

In simple terms, a DPIA may be understood as a structured legal risk assessment carried out before, or at an appropriate stage during, a new or ongoing project involving personal data. Its purpose is to help an organisation step back and examine, in a disciplined and practical way, how personal data will be handled within the project and whether the proposed processing gives rise to any material legal, regulatory, or operational concerns. At a fundamental level, a DPIA seeks to address a number of key questions. What personal data is the organisation collecting for the project? Why is the organisation collecting and using that data? How will the data be processed throughout the lifecycle of the project? Where might the legal or compliance risks arise? And, importantly, what measures should be put in place to reduce those risks before legal issues begin to crystallise?

In that sense, a DPIA is a legal assessment designed to give organisations a clear view of the personal data processing mechanisms involved in a particular project, especially a new project or launch, and to evaluate whether those mechanisms align with the requirements of personal data protection law and the relevant regulatory guidance. From a broader corporate and practical perspective, the DPIA concept can be viewed through a simple analogy: before a car is released to the market, it is subjected to impact and safety testing to identify weaknesses and reduce foreseeable harm. A DPIA serves a broadly similar function in the personal data context, as it allows an organisation to test, assess, and refine a project’s data processing framework before it is rolled out too far, and before avoidable compliance issues develop into more serious problems.


2. Data Protection by Design

The concept of Data Protection by Design was first formally introduced in Malaysia through the Public Consultation Paper No. 2/2025: Data Protection by Design Guideline.

Data Protection by Design may be understood as a legal and governance mechanism intended to ensure that the appropriate personal data protection framework, safeguards, and protocols are properly built into a product, system, process, or business model from the very beginning, rather than being added only later, after launch, or when compliance concerns begin to arise. Viewed more broadly, if a DPIA is concerned with assessing the data protection impact and processing mechanisms before and during the launch and implementation of a project, Data Protection by Design goes a step further, as it requires organisations to actively, intentionally, and proactively design the project, system, and workflow with personal data protection firmly in mind from the outset.

By way of illustration, take the development and launch of an AI tool. Before a company proceeds to develop, implement, and launch the tool, and indeed even while the tool is still being designed and programmed, it ought already to be working alongside data protection counsel to embed the necessary personal data protection framework into the design itself. This includes ensuring that the tool is structured in a manner that complies with the applicable personal data protection laws and regulatory requirements before launch, rather than attempting to remedy those issues only afterwards. That distinction is extremely important because once a product or system has already been built and released, any attempt to retrofit personal data protection safeguards will often be considerably more difficult, more expensive, and more disruptive, as it may require parts of the architecture itself to be revisited, rebuilt, or redesigned.

In that sense, Data Protection by Design is ultimately about ensuring that personal data protection is prioritised at the very starting point of a project, and treated as a core design consideration, rather than as an afterthought or a later-stage compliance exercise.


3. Automated Decision-Making and Profiling

Automated Decision-Making and Profiling, or ADM, was first introduced in Malaysia through the Public Consultation Paper No. 3/2025: Automated Decision-Making and Profiling Guideline.

In contrast to DPIA and Data Protection by Design, which are principally concerned with organisational governance, risk assessment, and compliance architecture, ADM is more directly focused on the rights and interests of data subjects.

As AI tools, algorithms, and related technologies continue to develop, more and more organisations are using such systems to make decisions about individuals. In some cases, those decisions may carry very serious consequences, particularly where there is little or no meaningful human involvement and the outcome is left largely, or entirely, to the machine. Take job screening as a simple example: if a company uses an AI tool to filter candidates, the system may, depending on the parameters used or the way the model operates, exclude or deprioritise candidates on grounds that are improper or unfair, including factors indirectly linked to race, background, or other sensitive characteristics, rather than genuine merit. The same concern may arise in many other settings, including school admissions, loan applications, insurance assessments, or even law enforcement and suspicious activity flagging tools.

Against that backdrop, the ADM framework appears to focus primarily on three core rights.

  • (i) The right to refuse
    In essence, a data subject may have the right to object to being subject to a decision made purely by automated means, without meaningful human involvement, where that decision produces legal effects or otherwise significantly affects the individual.

  • (ii) The right to information
    Where an organisation uses automated decision-making, the individual should at the very least be informed that this is taking place, in a manner that is clear and understandable. That should include, at an appropriate level, what the automated decision-making involves and what the potential consequences may be for the individual concerned.

  • (iii) The right to human review
    Even where automated decision-making is used, the individual should be able to request that the outcome be reviewed by an actual person. This is important because automated systems may be wrong, biased, incomplete, or simply unable to appreciate context in the way a human decision-maker can. Human review therefore serves as an important safeguard, allowing additional facts to be considered, judgment to be applied, and unfair or mistaken outcomes to be corrected.

Ultimately, while there is little doubt that AI tools and related technologies are here to accelerate processes and materially improve efficiency and effectiveness, ADM helps ensure that the law continues to preserve an appropriate balance. It is not about resisting technology, but about ensuring that efficiency does not come at the expense of fairness, accountability, and an individual’s ability to retain a meaningful degree of control, rather than being left entirely at the mercy of automated systems.


4. Amendments to the Personal Data Protection Regulations 2013

Another important development to watch is the proposed amendments to the Personal Data Protection Regulations 2013, which were introduced through Public Consultation Paper No. 4/2025. While the consultation paper contains a number of proposed amendments, it is sufficient for present purposes to note that these are not merely minor housekeeping updates. Rather, they form part of the broader effort to align the subsidiary legislation with the amended Personal Data Protection Act 2010 and with the evolving compliance expectations in Malaysia.

For the purposes of this article, we do not propose to go too deeply into the finer details of these amendments, as we have previously examined this Public Consultation Paper in much greater depth in an earlier article. Readers who wish to explore the proposals more closely may therefore wish to refer to that earlier piece for a fuller discussion.

With that being said, a few items stand out as particularly significant. These include the proposed introduction of the term “Personal Data Protection Notice”, the alignment of terminology from “data user” to “data controller”, clearer guidance on the obtaining of valid consent, the requirement to display the Data Protection Officer’s business contact information in the notice, the proposal for written contracts between data controllers and data processors, and the move towards imposing more direct obligations and liability on data processors themselves.


5. AI and Personal Data Protection Framework

Finally, we note that an AI and Personal Data Protection Framework may also be in development, as remarks to that effect have been made by the Personal Data Protection Commissioner in certain public forums.

At present, however, public visibility remains relatively limited, as there has not yet been any public consultation paper or similarly detailed instrument issued on this front. Even so, the broader direction of travel is becoming increasingly clear: the personal data protection landscape is moving forward at a deliberate and notably active pace, and the law appears to be advancing with a sharper sense of urgency in order to meet the demands of a rapidly changing technological environment.

Indeed, anyone following developments in Malaysia even from a modest distance will have noticed that 2026 to 2027 is shaping up to be a period of genuine AI adoption and embrace. As that momentum gathers, it would be unsurprising to see a range of AI-related legal and regulatory instruments begin to emerge with greater frequency and clarity. And when it comes to AI, personal data protection is not some peripheral consideration waiting politely at the edge of the room. It is, in many respects, the foundation, and for that reason, active legal development in this space appears not only likely, but already well on its way.


Closing Thoughts

Of course, the five trends outlined above reflect what we presently expect may emerge, in one form or another, over the course of 2026 to 2027. The eventual legal instruments may not arrive in precisely the same shape, and certain developments may evolve differently in practice, but the broader point remains that the regulatory development in Malaysia is actively progressing towards a more mature and more forward-looking personal data protection framework. For in-house counsel, legal teams, and organisations more broadly, this is definitely a moment to watch closely.


The Technology Practice Group of Halim Hong & Quek continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.


If you have any questions on personal data protection, please feel free to reach out to the partners at the Technology Practice Group, Ong Johnson and Lo Khai Yi, for consultation.


About the authors

Ong Johnson
Partner
Head of Technology Practice Group

Fintech, Data Protection,
Technology, Media & Telecommunications (“TMT”),
IP and Competition Law
johnson.ong@hhq.com.my

Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my



© 2025 Halim Hong & Quek