
Malaysia introduces mandatory data officer appointment – What this means for your business

Malaysia introduced a mandatory data protection officer appointment in February 2025. We discuss the implications of this new regulatory requirement for businesses operating in Malaysia. 

On 25 February 2025, Malaysia’s Personal Data Protection Commissioner issued the Guideline (“Guideline”) on the Appointment of Data Protection Officers (“DPOs”) [1].

We discuss the new requirements put forward by the Guideline, and their actionable impact on businesses that operate in Malaysia.

Appointment of DPO

Requirements to appoint DPO

A data controller or a data processor must appoint one or more DPOs, if their processing of personal data involves:

  1. personal data exceeding 20,000 data subjects;
  2. sensitive personal data, including financial information data, exceeding 10,000 data subjects; or
  3. activities that require regular and systematic monitoring of personal data.

Qualifications of the DPO

The DPO must be a resident of Malaysia (i.e. be physically present in Malaysia for at least 180 days in one calendar year) or easily contactable in Malaysia by any means. The DPO must be proficient in both Bahasa Melayu and English.

The DPO may be appointed from among existing employees or through outsourcing services based on a service contract with an individual or an external organisation.

While there are no minimum professional qualifications required prior to being appointed as a DPO, the DPO should demonstrate:

  1. a sound knowledge of Malaysia’s Personal Data Protection Act 2010 (“PDPA”), and any other applicable data protection laws, where relevant;
  2. a sound understanding of the data controller or data processor’s operations and the personal data processing operations that are carried out by it;
  3. a sound understanding of information technology and data security;
  4. personal qualities such as integrity, understanding of corporate governance and high professional ethics; and
  5. an ability to promote data protection culture within the organisation.

Registration of the DPO

The organisation is required to register the appointed DPO and submit his or her business contact information within 21 days from the date of appointment through the Personal Data Protection System via https://daftar.pdp.gov.my.

Record keeping requirement

The data controller or data processor must also maintain and retain records of the appointed DPO.

Responsibilities of the DPO

The core responsibilities of the DPO are:

  1. informing and advising the data controller or data processor on the processing of personal data;
  2. supporting the data controller or data processor in complying with the PDPA;
  3. ensuring proper data breach and security incident management by assisting the data controller or data processor in preparing, processing and submitting reports and other documents required by the Commissioner in respect of personal data breaches;
  4. acting as a facilitator and point of contact between data subjects and the data controller or data processor regarding the processing of the data subjects’ personal data and their rights; and
  5. acting as the liaison officer and the main point of reference between the data controller or data processor and the Commissioner.

What this means for your business

To effectively comply with the new regulatory obligations, organisations should consider taking the following steps:

1. Assess the need for a DPO

Organisations should begin by evaluating whether they need to appoint a DPO. Compared with other data protection laws in Asia-Pacific, Malaysia’s new regulations prescribe thresholds which, if crossed, mandate the appointment of a DPO.

Specifically, organisations that process personal data for over 20,000 individuals or sensitive data for more than 10,000 individuals are subject to this requirement.

The first step, therefore, is to ascertain whether your business meets these thresholds and so triggers the requirement to appoint a DPO in Malaysia.

2. Evaluate DPO suitability

Once the need for a DPO is confirmed, organisations should evaluate potential candidates. A DPO can be appointed from existing employees, particularly those from legal or human resources teams.

In line with market practice, the new regulations also allow for outsourcing the DPO role to external organisations, provided they align with the organisation’s structure and help centralise policies and information. However, it is crucial that the appointed DPO be a Malaysian resident, and be proficient in Bahasa Melayu and English.

Whether appointing a DPO internally or outsourcing the role, it is essential to select a candidate with the necessary expertise. This includes a deep understanding of data protection laws, familiarity with the organisation’s operations, and the ability to maintain a high level of integrity in their role.

3. Update internal policies

Organisations should review their internal policies or create a manual outlining the following:

  • The DPO’s qualifications and responsibilities.
  • The DPO’s appointment requirements.
  • The DPO’s reporting structure within the organisation.

In the same way, organisations should ensure their privacy notices, websites, and other platforms reflect the DPO's contact details.

This ensures clarity in the role and helps the organisation meet its compliance obligations.

Conclusion

The DPO plays a vital role in bridging the organisation’s data practices with regulatory requirements. They are responsible for understanding complex data protection laws and developing processes that ensure compliance, thereby minimising risks.

Should you need assistance or have enquiries about whether and how this new regulatory requirement affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.

Authored by Charmian Aw and Audrey Koh.

References

1. Personal Data Protection Guideline – Appointment of Data Protection Officer (issued on 25 February 2025).
