The Technology Practice Group, led by Ong Johnson and Lo Khai Yi, is recognised as one of Malaysia’s most established and experienced teams in personal data protection and data privacy. The team provides comprehensive, end-to-end PDPA support, including advisory work, personal data protection notices and policy drafting, PDP framework development, PDP gap assessments, compliance audits, and structured training programmes for boards of directors, senior stakeholders, and heads of department. In addition to these advisory and compliance capabilities, the Technology Practice Group is particularly noted for its depth of experience in personal data breach advisory and incident response, an area that has become a defining and highly active component of the team’s work.

The Technology Practice Group advises a broad and diverse range of multinational and domestic organisations across virtually all major sectors. In addition to telecommunications, banking and financial services, food and beverage, manufacturing, property development, hospitality and tourism, and technology and digital platforms, the team regularly acts for clients in healthcare, insurance, energy, transportation and logistics, retail, e-commerce, government-linked entities, professional services, education, and emerging digital industries.

The team’s engagements extend across Malaysia and the wider region, with many advisory mandates involving cross-border coordination with international counsel. This reflects the team’s ability to operate effectively and seamlessly within multi-jurisdictional environments for personal data protection matters.

The Technology Practice Group also provides full DPO outsourcing services and currently acts as the appointed Data Protection Officer for numerous organisations, including multinational corporations and publicly listed companies. In this capacity, the role encompasses day-to-day governance oversight, compliance reviews, stakeholder engagement, regulatory liaison, and the ongoing operationalisation of data protection practices across organisations.

Personal data breach response forms a central and highly active component of the Technology Practice Group. The team operates and maintains a dedicated PDP incident-response function providing 24/7 support for personal data breach situations. The scope of work includes:

• Engagement with regulators, including preparation of notifications to the Personal Data Protection Commissioner;
• Drafting and issuance of notifications to affected data subjects;
• Coordination of breach investigation, containment, and remediation strategies;
• Collaboration with insurers, digital forensic specialists, and cybersecurity experts;
• Support on forensic reporting, internal documentation, and, where required, structured engagement relating to threat-actor communications.

Ong Johnson and Lo Khai Yi have substantial first-hand experience managing a significant volume of high-severity and regional breaches, including complex, multi-layered incidents involving multinational corporations. They are consistently commended for their practical, solutions-oriented approach, depth of experience in crisis management, and measured handling of sensitive regulatory engagements. Their tact and strategic judgement in navigating regulator investigations and notification processes have been particularly noted by clients, where their direct involvement across the incident-response lifecycle enables the delivery of structured, pragmatic, and timely guidance during critical events.

Ong Johnson and Lo Khai Yi were appointed by the Personal Data Protection Commissioner to lead and contribute to the drafting of key national PDP regulatory instruments, including:

• Data Protection Officer Competency Guideline
• Management of Data Protection Officer Training Service Providers Guideline
• Data Protection Officer Professional Development Pathway & Training Roadmap
• Personal Data Protection Framework Related to Artificial Intelligence
• Data Commission Establishment Concept Paper

Their advisory involvement with the PDPC and sector regulators reflects a defining role in shaping the PDPA’s national policy architecture, as well as a sophisticated command of its operational and enforcement dimensions. In recognition of these contributions, they were awarded Certificates of Appreciation by the Commissioner for their role in laying the foundation of Malaysia’s PDPA and DPO ecosystem and in advancing the national data protection landscape.

Ong Johnson and Lo Khai Yi are the authors of Personal Data Protection Law: A Legal and Corporate Guide to Data Privacy, a comprehensive reference text used by industry practitioners. They are frequently invited by BFM radio station, national media platforms, industry conferences, academic institutions, and regulators to share perspectives on data protection, governance, cybersecurity, and emerging technologies. They are recognised for their depth of PDP knowledge, clarity of analysis, and practical appreciation of how legal requirements must operate within real business and technology environments.

With a dedicated focus on personal data protection, extensive breach-response experience, direct involvement in regulatory drafting, and consistent engagement with industry and regulators, the Technology Practice Group has established itself as a leading authority in personal data protection and data breach matters in Malaysia. The team’s combination of legal expertise, regulatory insight, and technological understanding has earned sustained trust from organisations, industry bodies, and regulatory stakeholders alike.

Recognition

• Asian Legal Business Malaysia Law Awards in 2024 – 2026: Fintech Law Firm of the Year
• The Legal 500 Rankings 2025 and 2026: Tier 3 in Fintech and Financial Services Regulatory
• Chambers FinTech Legal 2025 and 2026: Band 2
• Asia Business Law Journal 2024 – 2026 – Winner in the Fintech
• Asia Business Law Journal 2024 – Winner in the Technology, Media & Telecoms
• asialaw 2025 – Notable Firm in Technology and Telecommunications