Malaysia: Personal Data Protection Department's circular on Data Protection Officer appointment (Circular No. 1/2025) enters into force

On 1 June 2025, the Personal Data Protection Department's circular on Data Protection Officer appointment (Circular No. 1/2025) enters into force. The circular implements the amended Personal Data Protection Act by requiring organisations that process large volumes of personal data to appoint qualified DPOs. The DPO appointments are required if an organisation processes personal data of over 20’000 individuals, handles sensitive data (such as financial information) for more than 10'000 individuals, or conducts systematic monitoring. The DPO must be a Malaysian resident, physically present in the country for at least 180 days a year, and fluent in both Malay and English. DPOs are responsible for overseeing compliance, conducting impact assessments, and managing data breaches. They must have relevant legal and technical knowledge, understand business operations, uphold ethical standards, and promote a data protection culture.