Perspective:

Adapting to Malaysia’s Data Protection Officer (DPO) Requirements

Outsource with DPO as a Service (DPOaaS)

Under the Personal Data Protection (Amendment) Act 2024, Malaysia now mandates the appointment of a DPO. This publication outlines the key provisions of the recently issued DPO Guideline and introduces DPOaaS as a solution to help organisations meet these requirements.

Overview
The Personal Data Protection (Amendment) Act 2024 represents a major update to Malaysia’s data privacy laws, reinforcing the country’s commitment to protecting personal data and ensuring alignment with global privacy standards. The amendments introduce several key changes to the Personal Data Protection Act (PDPA) 2010, with one of the most significant amendments being the requirement for certain organisations to appoint a Data Protection Officer (DPO).

This DPO mandate is a critical step in enhancing both the accountability and transparency of personal data protection practices. By appointing a DPO, organisations can establish clear oversight over their data processing activities, ensuring compliance with the evolving landscape of data protection regulations and increasingly complex data handling operations. Additionally, this change helps build greater trust among consumers and stakeholders, as it underscores the organisation’s commitment to responsible data stewardship.

DPO Guideline
To support organisations in complying with these new legal obligations, the Malaysian Personal Data Protection Commissioner issued the DPO Guideline ('Guideline') on 25 February 2025. The Guideline outlines the roles and responsibilities of data controllers and data processors in relation to the DPO role, which include ensuring compliance with data protection laws, overseeing data processing activities, and serving as the point of contact between the organisation and regulatory authorities.

The Guideline addresses several key areas, including but not limited to:
(1) DPO appointment obligation
(2) Registration of DPO
(3) Business contact information of DPO
(4) Roles and responsibilities of DPO
(5) Background and expertise of DPO
(6) Organisational responsibilities

The provisions outlined in the Guideline take effect on 1 June 2025, marking the date by which eligible organisations must have a DPO in place.

Appointing a DPO
The Guideline allows organisations the flexibility of appointing a DPO in one of two ways: either by selecting an existing employee within the organisation or by outsourcing the role. One popular outsourcing option is the DPO as a Service (DPOaaS) model, which offers a more flexible and scalable solution for businesses.

To further assist organisations in deciding the most appropriate approach to fulfilling their data protection needs, the brochure provides a comparison between an in-house DPO and an outsourced DPO model. This comparison considers factors such as cost, expertise, scalability, and flexibility, which collectively support informed discussions and decisions regarding the appointment of a DPO. The brochure also highlights the importance of strategically positioning the DPO within the organisation, ensuring independence and direct access to senior management, and examines three governance models (centralised, decentralised, and hybrid) to determine the most effective approach to data protection oversight.

Each organisation's specific circumstances, including its size, resources, and the complexity of its data processing activities, will significantly influence the decision-making process. By carefully evaluating the benefits and challenges of each option, organisations can select the most appropriate model that aligns with their operational requirements and compliance with data protection obligations.

How We Can Help
Deloitte’s DPOaaS offers organisations a flexible, scalable solution for managing data protection compliance without the need for a dedicated in-house DPO function. Leveraging deep expertise in data privacy and regulatory compliance, Deloitte provides a range of services within the DPOaaS offering, including advisory support; development of privacy frameworks, policies and procedures; privacy risk management; development of data inventories and data protection impact assessments (DPIAs); incident response and breach management; data subject rights management; training; and ongoing privacy compliance monitoring. These services help organisations stay abreast of evolving legal requirements while focusing on their core operations.

Deloitte’s DPOaaS is designed to accommodate organisations of all sizes, providing customised, expert support to manage data protection effectively. As organisations work to meet the requirements of the latest amendments, this publication aims to help businesses better understand and navigate the evolving legal landscape in Malaysia.
