
On 30 April 2026, the Department of Personal Data Protection (“DPDP”) issued the Personal Data Protection Guideline on Data Protection Impact Assessment (“DPIA Guideline”), after much anticipation by the industry since the publication of the consultation paper on data protection impact assessment (“DPIA”) in early 2025.
The DPIA Guideline, in a nutshell, creates an additional obligation on data controllers to assess, document and manage the risks that may arise from higher-risk personal data processing activities. For organisations that already comply with the European Union’s General Data Protection Regulation (“GDPR”), much of the DPIA Guideline will sound familiar, but it carries several features that are distinctive to the Malaysian framework. Hence, even GDPR-compliant organisations would do well to examine the DPIA Guideline before assuming that an existing global DPIA protocol will suffice.
This article sets out a practitioner’s read of what the DPIA Guideline requires, when there will be a need to conduct a DPIA, and what we suggest organisations do in the immediate term for compliance.
Who is responsible for carrying out a DPIA?
Similar to most of the obligations and controls that are being imposed under the Personal Data Protection Act 2010 (“PDPA”), the obligation to carry out a DPIA falls on the data controllers. The reason is simple – data controllers have control over the processing of personal data and they are the ones that determine the purpose and manner of the processing. As such, they would be best suited to assess the risks associated with the specific processing activities to be carried out.
Nevertheless, this does not mean that the DPIA Guideline is of no concern to data processors. Where a processing activity involves processing by data processors, they are expected to provide all reasonable and necessary assistance to the data controller in carrying out the DPIA. The reason is equally simple: where third parties are involved in the processing of personal data, the risks cannot be properly and exhaustively assessed without also considering the technology used by the data processors, their security measures and the involvement of any sub-processors, among other things. To ensure cooperation by data processors in the carrying out of a DPIA, data controllers should reinforce this expectation through clear contractual clauses.
When to carry out a DPIA – A two-tier trigger
The DPIA Guideline adopts a two-tier test for determining when a DPIA is required: a quantitative assessment followed, where necessary, by a qualitative assessment. This is very similar to the approach taken in determining whether an organisation is required to appoint a data protection officer, or whether a personal data breach warrants notification to the Personal Data Protection Commissioner.
Under the quantitative assessment, a DPIA must be carried out where the planned processing activity is expected to involve:
- (i) the personal data of more than 20,000 data subjects; or
- (ii) the sensitive personal data, including financial information, of more than 10,000 data subjects.
These thresholds are absolute: once either of them is met, the obligation for a data controller to carry out a DPIA in respect of the processing activity concerned crystallises, and there is no need to go on to the qualitative assessment. Note that both thresholds are expressed as “more than”, so an activity involving exactly 20,000 data subjects does not meet the first threshold. Where neither quantitative threshold is met, the data controller must then undertake the qualitative assessment.
When it comes to the qualitative assessment, things are less straightforward and clear-cut. In carrying out a qualitative assessment, the data controller is required to consider whether the processing activity concerned would result in high risks to the protection of personal data and, if so, a DPIA is required. As guidance to data controllers, the DPIA Guideline sets out several qualitative factors, which are neither exhaustive nor exclusive, indicating that there are high risks to the protection of the data subjects’ personal data:
- a) Where a processing activity may cause potential legal or significant effects on the data subject (e.g., noticeable impact on the data subject’s legal status or rights, financial status, health, reputation, access to services or other economic or social opportunities) – examples would include where the outcome of the processing activities would determine whether data subjects can have access to loan facilities, or the rate of insurance premium payable.
- b) Where a processing activity involves systematic monitoring of the data subject – systematic monitoring of data subjects typically involves the use of facial recognition technology to identify each data subject, or the continuous tracking and monitoring of data subjects’ vitals through fitness trackers.
- c) Where a processing activity involves the use of innovative technologies, namely technologies that involve a new or significantly improved product (goods or services), a new process, a new marketing method, a new organisational method in business practices, or a new workplace organisation or external relations.
- d) Where a processing activity may result in the denial or restriction of rights of the data subject – an example would be where the refusal of data subjects to provide consent to the processing of their personal data would result in them being ineligible for certain services that are being offered by the data controllers.
- e) Where a processing activity involves the tracking of the data subject’s location or behaviour – this may be relevant where employers deploy technologies to monitor and track the location of each of their employees through company-issued devices.
- f) Where a processing activity targets children or vulnerable individuals – the operation of a remote learning platform that processes the students’ personal data may be caught under this qualitative factor.
- g) Where a processing activity involves automated decision-making and profiling that pose a high risk to the data subject.
Where a processing activity does not meet the quantitative threshold but is nevertheless caught by the qualitative threshold, a DPIA will still be required to assess and mitigate the risks associated with that activity. It is important to note that the assessment is carried out per processing activity, not per organisation. A single data controller may have several processing operations, each of which needs to be tested separately against the quantitative and the qualitative thresholds, and the conclusion for one activity does not carry over to another.
How to conduct a DPIA – the DEICA methodology
Assuming that a data controller has completed the assessment and concluded that a DPIA is required for a particular processing activity, the next question is then how to carry out the DPIA according to the standards of the DPIA Guideline.
The DPIA Guideline adopts a five-step methodology, abbreviated as DEICA:
- • Describe the processing operations – this would require detailed description of the processing activities intended to be carried out, covering the nature of the processing, its scope, context and purposes;
- • Evaluate the compliance, necessity and proportionality of the processing operation in relation to its purposes – whether the intended processing activity would actually achieve the intended purposes, and if there is any other reasonable way to achieve the same objective without the proposed processing or with a lesser extent of processing;
- • Identify and analyse specific risks to the protection of personal data of the data subject – the DPIA Guideline specifically prescribes a “3 x 3 Risk Matrix”: likelihood and impact are each rated on a three-point scale and multiplied together, giving a risk score from 1 to 9. A risk score of 6 – 9 indicates a high level of risk, which then requires the data controller to implement robust risk treatment measures;
- • Consider mitigation measures to address the specific risks identified to safeguard the protection of personal data – e.g., not to collect certain types of data, reduce the frequency of processing or shorten retention periods, use de-identification techniques, etc.; and
- • Assess the overall residual risk level of the processing operation.
If the above sounds all too complicated, fret not, the DPIA Guideline provides a DPIA Template as a reference to guide data controllers through the process of carrying out a DPIA.
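As an added illustration (this is not part of the DPIA Guideline or of the DPIA Template, and is not an official DPDP tool), the following Python sketch applies the two-tier trigger from the earlier section to a constructed inventory of processing activities, one activity at a time, and scores a risk on the 3 x 3 matrix from the DEICA step above. The thresholds, the seven qualitative factors and the 6 – 9 “high” band are taken from the text of this article; the factor keys, class and function names, and the sample figures in the inventory are this example’s own assumptions.

```python
"""Screening helper for the DPIA Guideline's two-tier trigger and 3 x 3 risk matrix.

Added example, not an official DPDP tool. Thresholds, factors and the "high"
band follow the article text; factor keys, names and sample data are assumptions.
"""
from dataclasses import dataclass

# Quantitative thresholds (tier 1). Both are "more than", so exactly 20,000
# subjects, or sensitive data of exactly 10,000 subjects, does NOT trigger a DPIA.
MAX_SUBJECTS_WITHOUT_DPIA = 20_000
MAX_SENSITIVE_SUBJECTS_WITHOUT_DPIA = 10_000

# Qualitative factors (tier 2), keyed by this example's own short names.
QUALITATIVE_FACTORS = {
    "legal_or_significant_effect": "(a) legal or significant effects on the data subject",
    "systematic_monitoring": "(b) systematic monitoring of the data subject",
    "innovative_technology": "(c) use of innovative technologies",
    "denial_of_rights": "(d) denial or restriction of the data subject's rights",
    "location_or_behaviour_tracking": "(e) tracking of location or behaviour",
    "children_or_vulnerable": "(f) targets children or vulnerable individuals",
    "automated_decision_or_profiling": "(g) high-risk automated decision-making or profiling",
}


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    data_subjects: int                 # all data subjects in this activity
    sensitive_data_subjects: int = 0   # subset whose sensitive (incl. financial) data is processed
    factors: frozenset = frozenset()   # keys from QUALITATIVE_FACTORS flagged by the reviewer


def dpia_required(activity: ProcessingActivity) -> tuple[bool, str]:
    """Tier 1 is absolute: meeting either count settles the question.
    Tier 2 is reached only when tier 1 is not met; one flagged factor suffices."""
    unknown = activity.factors - set(QUALITATIVE_FACTORS)
    if unknown:
        raise ValueError(f"{activity.name}: unknown qualitative factor(s) {sorted(unknown)}")
    if activity.sensitive_data_subjects > activity.data_subjects:
        raise ValueError(f"{activity.name}: sensitive subset exceeds total subject count")
    if activity.data_subjects > MAX_SUBJECTS_WITHOUT_DPIA:
        return True, f"quantitative: {activity.data_subjects:,} subjects > {MAX_SUBJECTS_WITHOUT_DPIA:,}"
    if activity.sensitive_data_subjects > MAX_SENSITIVE_SUBJECTS_WITHOUT_DPIA:
        return True, (f"quantitative: sensitive data of {activity.sensitive_data_subjects:,} "
                      f"subjects > {MAX_SENSITIVE_SUBJECTS_WITHOUT_DPIA:,}")
    if activity.factors:
        hits = "; ".join(QUALITATIVE_FACTORS[f] for f in sorted(activity.factors))
        return True, f"qualitative: {hits}"
    return False, "below both quantitative thresholds and no qualitative factor flagged"


def risk_score(likelihood: int, impact: int) -> int:
    """3 x 3 matrix: each axis rated 1..3, score = likelihood x impact (1..9)."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in (1, 2, 3):
            raise ValueError(f"{label} must be 1, 2 or 3, got {value}")
    return likelihood * impact


def is_high_risk(score: int) -> bool:
    """The Guideline treats 6 - 9 as high. A 3 x 3 product can only be 1, 2, 3, 4, 6
    or 9, so in practice "high" means a score of exactly 6 or 9."""
    return score >= 6


# Every score the matrix can actually produce; 5, 7 and 8 are unreachable.
REACHABLE_SCORES = sorted({l * i for l in (1, 2, 3) for i in (1, 2, 3)})


def screen_inventory(activities) -> list:
    """Apply the trigger to each activity separately, never to the controller as a whole."""
    rows = []
    for activity in activities:
        required, basis = dpia_required(activity)
        rows.append({"activity": activity.name, "dpia_required": required, "basis": basis})
    return rows


# Constructed sample inventory: illustrative figures, not a real organisation.
SAMPLE_INVENTORY = [
    ProcessingActivity("Loyalty programme CRM", data_subjects=35_000),
    ProcessingActivity("Staff payroll", data_subjects=1_500, sensitive_data_subjects=1_500,
                       factors=frozenset({"location_or_behaviour_tracking"})),
    ProcessingActivity("Motor insurance underwriting", data_subjects=9_500,
                       sensitive_data_subjects=9_500,
                       factors=frozenset({"legal_or_significant_effect",
                                          "automated_decision_or_profiling"})),
    ProcessingActivity("Supplier contact list", data_subjects=20_000),
]

if __name__ == "__main__":
    for row in screen_inventory(SAMPLE_INVENTORY):
        print(f"{row['activity']:<30} DPIA required: {str(row['dpia_required']):<5} ({row['basis']})")
    score = risk_score(3, 2)
    print(f"Unmitigated score {score}, high: {is_high_risk(score)}; reachable scores {REACHABLE_SCORES}")
```

Two points the sketch makes that the prose does not spell out. First, the underwriting activity is caught even though 9,500 sensitive-data subjects sit below the 10,000 line, because the qualitative tier still applies once the quantitative tier is not met; the script records the basis for each decision so that a reviewer can challenge the factor flags, which remain a matter of judgement rather than arithmetic. Second, because the matrix multiplies two three-point ratings, only the scores 1, 2, 3, 4, 6 and 9 can ever arise, so the “6 – 9” high band is in practice hit by a likelihood of 2 with an impact of 3, or vice versa, or a 3 on both axes.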
What’s next after the conclusion of DPIA?
Upon completion of the DPIA, data controllers are generally expected to report all the risks identified following the DPIA to their senior management to ensure that they are fully informed of all identified risks, especially where the overall residual risk level is assessed as “high”.
If the data controller resolves to proceed with the intended processing activity, the DPIA Guideline mandates the implementation of the risk mitigation measures identified during the DPIA process. Senior management may choose to implement additional risk mitigation measures to manage the risks, and must allocate appropriate resources for implementing the measures identified.
What is the validity of a DPIA?
In case you are wondering, a completed DPIA does have a fixed validity period. According to the DPIA Guideline, a completed DPIA is valid for two years from its date of completion. Upon expiry of that period, a refreshed DPIA is to be carried out.
Where a data controller has determined that DPIA is required for a particular processing activity, it will have to ensure that the DPIA is maintained throughout the duration of the processing activity, and for two years from its cessation. Such records are to be made available for inspection upon request by the Commissioner.
What now?
If you are reading this article and you are wondering how or where you should start to prepare yourself for DPIA, we would suggest following a few practical steps.
- (1) Data controllers should begin by identifying and creating an inventory of all existing and planned personal data processing activities. The inventory will be the first step for the carrying out of the quantitative and qualitative assessments to determine whether any of the personal data processing activities will require the conduct of a DPIA.
- (2) For each personal data processing activity that is identified to require a DPIA, the data controllers should designate a person to be the DPIA lead. Any person can be designated as DPIA lead, but in our view, the role should be undertaken by the data protection officer or the project manager for a given processing activity, considering that they would be the most familiar with the details of a particular processing activity.
- (3) The DPIA lead should then work with the relevant stakeholders (including the data protection officer where the DPIA lead is someone else) to develop a template for the DPIA to be carried out. Once a DPIA template has been completed, all that is left is to carry out the assessment according to the requirements of the DPIA Guideline and to monitor the 2-year validity of each DPIA accordingly.
- (4) Data controllers may often opt to engage external legal counsel to advise on the applicability of DPIA to existing and planned processing activities, and to assist in preparing the DPIA template. This can be very helpful, especially for data controllers that do not have an existing data protection officer, or that lack internal subject matter experts in personal data protection.
If you have any questions on personal data protection, please feel free to reach out to the partners in our Technology Practice Group, Ong Johnson and Lo Khai Yi, for a consultation. We have extensive experience in assisting organisations with personal data breaches and data security incidents, and have advised on and responded to breaches at both the international and regional levels.
The Technology Practice Group of Halim Hong & Quek continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024, 2025 and 2026), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my
Ong Johnson
Partner
Head of Technology Practice Group
Fintech, Data Protection,
Technology, Media & Telecommunications (“TMT”),
IP and Competition Law
johnson.ong@hhq.com.my