Introducing Malaysia’s New DPO Competency Development Framework: What You Need to Know
Following the amendments to the Personal Data Protection Act 2010 (“PDPA”), companies operating in Malaysia are now under heightened scrutiny to demonstrate not only compliance with statutory obligations, but also a commitment to accountable data governance. A central figure in this transformation is typically the Data Protection Officer (“DPO”), whose appointment was made compulsory two months ago for data controllers and data processors that meet certain thresholds.
To support this development, the Personal Data Protection Commissioner (“PDPC”) has issued a comprehensive suite of guidelines and documents (“Guidelines”) – namely the:
(i) Data Protection Officer Competency Guideline;
(ii) Data Protection Officer Professional Development Pathway & Training Roadmap; and
(iii) Management of Data Protection Officer Training Service Providers Guideline.
These Guidelines collectively provide a framework for the development of DPO competencies. They set out a structured foundation for organisations to appoint, train and support the competencies of their appointed DPOs.
The authors of this article, Johnson and Khai Yi, are both part of a working committee established by the PDPC to develop the Guidelines. Drawing on their behind-the-scenes insight into the development of the Guidelines, this article aims to provide legal practitioners and DPOs in Malaysia with a summary of the Guidelines, as well as some tips for appointed DPOs in navigating the intricacies of developing their own competencies. For readers who intend to study the Guidelines, we recommend going through the individual Guidelines in the sequence listed above. We will unpack the content of each of the Guidelines in the same sequence in this article.
1. DPO Competency Guideline – Defining the Role
The DPO Competency Guideline forms the foundation of the DPO competency development framework, as it lays down the minimum competencies expected of appointed DPOs under the PDPA. It introduces a structured model based on six (6) core functional roles of DPOs:
(a) Advisory & Support: Providing timely and accurate guidance on personal data protection requirements to the organisations that have appointed them;
(b) Risk Management & Assessment: Evaluating risks across the personal data lifecycle and recommending risk management and mitigation strategies to the organisations;
(c) Compliance Oversight & Monitoring: Assisting the organisations to achieve compliance with their regulatory obligations under the PDPA and to ensure continued adherence thereto;
(d) Audit & Reporting: Conducting periodic audits of the data processing activities of the organisations to assess the level of compliance with the PDPA, as well as documenting and reporting compliance efforts;
(e) Communications & Stakeholder Engagement: Facilitating awareness and engagement with the internal stakeholders of the organisations in relation to the PDPA and fostering a culture of personal data protection within the organisation;
(f) Regulatory & Data Subject Management: Being the main point of contact between the organisations and the PDPC as well as the data subjects, including during the handling of data subjects’ requests and data breach management.
These functional areas are mapped to a Knowledge, Skills and Abilities (KSA) model, offering organisations a practical reference to assess whether their appointed DPOs are equipped to perform the role effectively.
Importantly, this particular guideline introduces a two-tiered competency structure:
● Fundamental Tier, encompassing the baseline capabilities demonstrable through the 6 core functional areas highlighted above, which all DPOs are required to meet in order to perform their key functions within their organisations; and
● Advanced Tier, encompassing strategic competencies such as the ability to drive intra-company personal data protection initiatives, cross-border compliance efforts, and group-wide governance framework formulation, which are more relevant for larger or high-risk organisations.
When appointing a DPO, it is important for data controllers and data processors to evaluate the complexity and risk exposure of the organisation’s data processing activities. A higher-risk profile may warrant an Advanced Tier DPO or a team with complementary capabilities.
2. DPO Professional Development Pathway & Training Roadmap
After laying down the foundation for the core competencies of DPOs, the DPO Professional Development Pathway & Training Roadmap (“DPO Training Roadmap”) comes into play as a roadmap to guide DPOs to attain the necessary competencies through structured training – starting with the fundamentals and building towards strategic leadership.
The DPO Training Roadmap essentially sets out a framework that allows recognised training providers to deliver training to DPOs, with training programmes structured around the competency requirements of Fundamental Tier and Advanced Tier DPOs. It also outlines how certification of DPOs might work in the future, indicating the PDPC’s intention to develop the DPO function into a profession.
3. Guideline on Management of DPO Training Providers
While training providers will generally be given the liberty to develop their own training programmes and syllabi, as long as these are aligned with the core competency areas of DPOs laid down in the DPO Competency Guideline, the quality and consistency of the training may still be a problem if not managed carefully. This is why the PDPC has also published the Guideline on Management of DPO Training Providers (“TP Guideline”).
The TP Guideline introduces a potential framework for recognising training providers that meet certain standards. These include:
(a) Having experienced trainers who know the PDPA and are able to translate legal and technical knowledge into practical application;
(b) Having the necessary resources to deliver the training programmes effectively;
(c) A structured assessment mechanism to evaluate the effectiveness of the training programme based on the participants’ learning outcomes;
(d) A mechanism for continuous review of the training content and delivery method, taking into consideration changes in the PDPA, personal data protection trends, and feedback from participants.
Key Points for Consideration
In light of the announcement of the Guidelines, organisations should assess whether their currently appointed DPOs meet the core competencies set out in the Guidelines, while for DPOs, an honest self-assessment against the required competencies would be helpful at this juncture. Through this assessment exercise, organisations and DPOs are able to identify the core competency areas that may still be lacking. Although there are still no formally recognised training providers in the market as at the date of writing of this article, organisations can in the meantime approach legal professionals for training on the PDPA to at least equip their appointed DPOs with knowledge of the PDPA. Ultimately, the core competencies of DPOs are all built upon a foundational understanding of the requirements of the PDPA.
Once the entire DPO development ecosystem has been established and in operation, organisations should quickly take advantage of the training programmes to better equip their appointed DPOs with the necessary skillsets to assist the organisations to attain full compliance with the PDPA.
Based on recent developments, Malaysia’s data protection framework seems to be catching up fast, and that is a good thing. The new Guidelines give organisations the tools to get the DPO function right. Whether you are hiring a new DPO, upskilling an existing team member, or reviewing training providers, there is now a clear benchmark to follow.
If your organisation needs help with further insights and legal guidance on the Personal Data Protection (Amendment) Act 2024 or Data Protection Officer outsourcing services, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
[email protected]

Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
[email protected]