If you have been following our Tech Tuesday series every Tuesday, (and occasionally on Wednesdays, our apologies for any unintended publication delays), you will know that one of our key goals is to make legal developments practical and actionable from a business perspective for general counsel and in-house legal teams. Another key objective of Tech Tuesday is to break down and deliver timely updates on the latest legal and regulatory developments that directly impact your organisations and businesses – in an age of information overload, we intend to cut through the noise and bring you what truly matters to your organization.
This week’s Tech Tuesday article falls squarely into the category of “what truly matters”.
On 21 July 2025, the Personal Data Protection Department publicly announced and confirmed the upcoming release of 3 key documents that will be officially released and made publicly accessible on 1 August 2025:
i. The Data Protection Officer Competency Guideline;
ii. The Guideline on the Management of Data Protection Officer Training Service Providers; and
iii. The Data Protection Officer Professional Development Pathway & Training Roadmap.
We would also like to make a full disclosure, with humility and appreciation, that both authors of this article, Ong Johnson and Lo Khai Yi, are part of the drafting committee that worked closely with the Personal Data Protection Department and the Personal Data Protection Commissioner’s Office in drafting, designing, and developing these three documents. It is an honour and responsibility that we will never take for granted, and we are deeply grateful for the opportunity and privilege to contribute to the development of Malaysia’s regulatory foundation for the entire Data Protection Officers ecosystem and the broader personal data protection landscape.
As these 3 documents will only be officially released on 1 August 2025, this article will focus on what has already been publicly disclosed and provide a high-level overview of what these documents intend to achieve, without delving into the full details until their official publication.
To set the context, since 1 June 2025, the mandatory appointment of a Data Protection Officer (DPO) has come into force in Malaysia. Up to this point, the main references and guidance available have been the Appointment of DPO Guideline and the Appointment of DPO Circular. Following the implementation of this requirement, we have naturally observed an increase in questions from the industry, spanning legal, operational, and functional aspects. From a broader perspective, these questions tend to fall within three key categories:
i. Appointment and Competency of DPOs – Organisations are asking: Who can be appointed as a DPO? What are the required competencies or qualifications? If the role is outsourced to an external DPO service provider, what competencies must that provider satisfy to effectively fulfil the legal responsibilities of a DPO? These are fundamental questions that go beyond formal appointment as they touch on the practical capabilities required to carry out the role.
ii. DPO Training and Training Service Providers – Given that specific competencies are required, it follows that DPOs must undergo appropriate training. This raises further questions: Who is qualified to provide such training? Are there standards to distinguish between recognized and unrecognized DPO training providers? A simple online search will reveal countless courses offering “DPO training certification” yet the quality and validity of such offerings remain unclear. In an unregulated DPO training landscape that is growing rapidly, how should the market assess credibility and compliance of DPO training service providers?
iii. Professional Development Pathway for DPOs – It is now widely recognised that the role of a DPO is not merely a title, as it comes with real, substantive legal and organisational responsibilities. Like lawyers, engineers, or doctors, there should be a structured professional development pathway with regulatory oversight, tiering, and recognition. The natural question arises: does such a pathway exist in Malaysia, and if not, will it be developed?
The above are not abstract issues and concerns, they are the precise and recurring questions raised by the public and the industry since the DPO appointment requirement came into effect. It is, therefore, only natural that a comprehensive DPO ecosystem must be developed in parallel with the appointment obligation, and this is exactly the intent and purpose behind the 3 new documents announced by the Personal Data Protection Department to address these gaps and continue developing a more structured and credible DPO framework in Malaysia:
i. The Data Protection Officer Competency Guideline outlines the expected competencies that must be satisfied or possessed by a DPO, reinforcing the notion that the role is not merely symbolic, but comes with substantive legal duties under the PDPA;
ii. The Guideline on the Management of Data Protection Officer Training Service Providers aims to regulate the DPO training landscape by setting up a framework that ensures quality and consistency of DPO training service providers, as this not only helps the Personal Data Protection Department monitor and streamline the standard of DPO training offered, but also assists DPOs and organisations in identifying credible and approved training providers amid a growing and fragmented market; and
iii. The Data Protection Officer Professional Development Pathway & Training Roadmap introduces a forward-looking plan to develop the DPO role into a recognised professional track, with certification tiers and structured recognition similar to other established professions.
Together these 3 documents are set to form a strong foundation for further strengthening and developing the DPO ecosystem and the PDPA regulatory framework in Malaysia. While the full details of each document can only be shared once they are officially released and published on 1 August 2025, the announcement by the Personal Data Protection Department on 21 July 2025 offers a clear signal of what is to come in Malaysia.
One thing that is absolutely certain is that gone are the days when PDP laws were seen as a mere paper tiger as the regulators are moving decisively, and they are not slowing down. Companies that have yet to take these developments seriously should begin paying close attention now.
If your organization would like to learn more about DPO outsourcing services, training or assess whether your organization requires a DPO, you may reach out to us for a consultation.
If your organization needs help with further insights and legal guidance on Personal Data Protection (Amendment) Act 2024 or Data Protection Officer outsourcing services, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Ong Johnson Partner Head of Technology Practice Group Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance [email protected]
◦ Lo Khai Yi Partner Co-Head of Technology Practice Group Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity [email protected].
New DPO Guidelines Are Coming in August: What Companies Need to Know About Malaysia’s Latest DPO Regulatory Development
If you have been following our Tech Tuesday series every Tuesday, (and occasionally on Wednesdays, our apologies for any unintended publication delays), you will know that one of our key goals is to make legal developments practical and actionable from a business perspective for general counsel and in-house legal teams. Another key objective of Tech Tuesday is to break down and deliver timely updates on the latest legal and regulatory developments that directly impact your organisations and businesses – in an age of information overload, we intend to cut through the noise and bring you what truly matters to your organization.
This week’s Tech Tuesday article falls squarely into the category of “what truly matters”.
On 21 July 2025, the Personal Data Protection Department publicly announced and confirmed the upcoming release of 3 key documents that will be officially released and made publicly accessible on 1 August 2025:
We would also like to make a full disclosure, with humility and appreciation, that both authors of this article, Ong Johnson and Lo Khai Yi, are part of the drafting committee that worked closely with the Personal Data Protection Department and the Personal Data Protection Commissioner’s Office in drafting, designing, and developing these three documents. It is an honour and responsibility that we will never take for granted, and we are deeply grateful for the opportunity and privilege to contribute to the development of Malaysia’s regulatory foundation for the entire Data Protection Officers ecosystem and the broader personal data protection landscape.
As these 3 documents will only be officially released on 1 August 2025, this article will focus on what has already been publicly disclosed and provide a high-level overview of what these documents intend to achieve, without delving into the full details until their official publication.
To set the context, since 1 June 2025, the mandatory appointment of a Data Protection Officer (DPO) has come into force in Malaysia. Up to this point, the main references and guidance available have been the Appointment of DPO Guideline and the Appointment of DPO Circular. Following the implementation of this requirement, we have naturally observed an increase in questions from the industry, spanning legal, operational, and functional aspects. From a broader perspective, these questions tend to fall within three key categories:
The above are not abstract issues and concerns, they are the precise and recurring questions raised by the public and the industry since the DPO appointment requirement came into effect. It is, therefore, only natural that a comprehensive DPO ecosystem must be developed in parallel with the appointment obligation, and this is exactly the intent and purpose behind the 3 new documents announced by the Personal Data Protection Department to address these gaps and continue developing a more structured and credible DPO framework in Malaysia:
Together these 3 documents are set to form a strong foundation for further strengthening and developing the DPO ecosystem and the PDPA regulatory framework in Malaysia. While the full details of each document can only be shared once they are officially released and published on 1 August 2025, the announcement by the Personal Data Protection Department on 21 July 2025 offers a clear signal of what is to come in Malaysia.
One thing that is absolutely certain is that gone are the days when PDP laws were seen as a mere paper tiger as the regulators are moving decisively, and they are not slowing down. Companies that have yet to take these developments seriously should begin paying close attention now.
If your organization would like to learn more about DPO outsourcing services, training or assess whether your organization requires a DPO, you may reach out to us for a consultation.
If your organization needs help with further insights and legal guidance on Personal Data Protection (Amendment) Act 2024 or Data Protection Officer outsourcing services, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”),
Fintech, TMT Disputes, TMT Competition, Regulatory
and Compliance
[email protected]
◦
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
[email protected].
More of our Tech articles that you should read: