Malaysia: Personal Data Protection Department opened consultation on data protection impact assessment guideline

On 20 March 2025, Malaysia's Personal Data Protection Department opened a public consultation on the data protection impact assessment (DPIA) guideline under Malaysia’s Personal Data Protection Act 2010 (Act 709), until 19 May 2025. The guideline outlines minimum requirements and practical steps for organisations to identify, assess, and manage risks associated with personal data processing. The guideline proposes a two-tier quantitative and qualitative threshold to determine when DPIAs are required, a five-step methodology for conducting them, and obligations to notify the Commissioner if residual risks remain high. The consultation also seeks views on implementation aspects, including post-DPIA responsibilities and the need for templates or examples to support data protection officers in fulfilling their duties.