Malaysia: Personal Data Protection Department closes consultation on data protection impact assessment guideline

On 19 May 2025, Malaysia's Personal Data Protection Department closes its consultation on the data protection impact assessment (DPIA) guidelines under Malaysia’s Personal Data Protection Act 2010 (Act 709). The guideline outlines minimum requirements and practical steps for organisations to identify, assess, and manage risks associated with personal data processing. The guideline proposes a two-tier quantitative and qualitative threshold to determine when DPIAs are required, a five-step methodology for conducting them, and obligations to notify the Commissioner if residual risks remain high. The consultation also sought views on implementation aspects, including post-DPIA responsibilities and the need for templates or examples to support data protection officers in fulfilling their duties.