
On 25 February 2025, Malaysia’s Personal Data Protection Commissioner issued the Guideline (“Guideline”) on the Appointment of Data Protection Officers (“DPOs”) [1].
We discuss the new requirements put forward by the Guideline, and its actionable impact on businesses that operate in Malaysia.
Requirements to appoint DPO
A data controller or a data processor must appoint one or more DPOs, if their processing of personal data involves:
Qualifications of the DPO
The DPO must be a resident of Malaysia (i.e. be physically present in Malaysia for at least 180 days in one calendar year) or easily contactable in Malaysia by any means. The DPO must be proficient in both Bahasa Melayu and English.
The DPO may be appointed from among existing employees or through outsourcing services based on a service contract with an individual or an external organisation.
While there are no minimum professional qualifications required prior to being appointed as a DPO, the DPO should demonstrate:
Registration of the DPO
The organisation is required to register the appointed DPO and submit his or her business contact information within 21 days from the date of appointment through the Personal Data Protection System via https://daftar.pdp.gov.my.
Record keeping requirement
The data controller or data processor must also maintain and retain records of the appointed DPO.
Responsibilities of the DPO
The core responsibilities of the DPO are:
To effectively comply with the new regulatory obligations, organisations should consider taking the following steps:
Organisations should begin by evaluating whether they need to appoint a DPO. Compared with other data protection laws in Asia-Pacific, Malaysia’s new regulations prescribe thresholds which, if crossed, mandate the appointment of a DPO.
Specifically, organisations that process personal data for over 20,000 individuals or sensitive data for more than 10,000 individuals are subject to this requirement.
The first step, therefore, is to ascertain whether your business meets these thresholds and so triggers the requirement to appoint a DPO in Malaysia.
Once the need for a DPO is confirmed, organisations should evaluate potential candidates. A DPO can be appointed from existing employees, particularly those from legal or human resources teams.
In line with market practice, the new regulations also allow for outsourcing the DPO role to external organisations, provided they align with the organisation’s structure and help centralise policies and information. However, it is crucial that the appointed DPO be a Malaysian resident, and be proficient in Bahasa Melayu and English.
Whether appointing a DPO internally or outsourcing the role, it is essential to select a candidate with the necessary expertise. This includes a deep understanding of data protection laws, familiarity with the organisation’s operations, and the ability to maintain a high level of integrity in their role.
Organisations should review their internal policies or create a manual outlining the following:
In the same way, organisations should ensure their privacy notices, websites, and other platforms reflect the DPO's contact details.
This ensures clarity in the role and helps the organisation meet its compliance obligations.
The DPO plays a vital role in bridging the organisation’s data practices with regulatory requirements. They are responsible for understanding complex data protection laws and developing processes that ensure compliance, thereby minimising risks.
Should you need assistance or have enquiries about whether and how this new regulatory requirement affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.
Authored by Charmian Aw and Audrey Koh.
References
1. Personal Data Protection Guideline – Appointment of Data Protection Officer (issued on 25 February 2025).