Malaysia Makes a Data Protection Impact Assessment Mandatory for Automated Decisions and Profiling
Regulatory summary: Malaysia's data protection regulator issued three guidelines on 30 April 2026 under the amended PDPA. Together they make automated decision-making and profiling a trigger for a mandatory impact assessment before a system goes live, and set volume thresholds that force assessments for large-scale processing.
By Anthony Guerriero, Founder, The Leveraged Years · Reviewed by The Leveraged Years Editorial Desk · Published July 9, 2026 · Last updated July 9, 2026
The Leveraged Years AI Regulation Tracker
Key takeaways
Malaysia moved from having no formal impact-assessment or automated-decision guidance to a set of three guidelines that give these tools a compliance classification under the Act. The DPIA guideline introduces quantitative thresholds and qualitative factors that determine when a DPIA is required, and names automated decision-making as a qualitative factor. The ADMP guideline sets expectations for human oversight and bias mitigation in automated decisions and profiling. Data Protection by Design sets out privacy-by-design principles, described in the guidance as recommended rather than exhaustive.
Data protection officers, privacy and compliance leads, and product and engineering owners at any organization processing personal data in Malaysia; banks, insurers, lenders and fintechs running automated credit or eligibility decisions; HR, e-commerce and marketing teams using profiling or personalization; and vendors selling AI decision systems into the Malaysian market.
Status: Issued and published on 30 April 2026.
Inventory every system that carries out automated decision-making or profiling on personal data in Malaysia, and every processing activity likely to exceed 20,000 data subjects (10,000 for sensitive data), then run a DPIA using the DEICA method before those systems go live or continue at scale.
Date
Jurisdiction
Rule
Affected professionals
Status or effective date
2026-07-09
Malaysia
Malaysia moved from having no formal impact-assessment or automated-decision guidance to a set of three guidelines that give these tools a compliance classification under the Act. The DPIA guideline introduces quantitative thresholds and qualitative factors that determine when a DPIA is required, and names automated decision-making as a qualitative factor. The ADMP guideline sets expectations for human oversight and bias mitigation in automated decisions and profiling. Data Protection by Design sets out privacy-by-design principles, described in the guidance as recommended rather than exhaustive.
Data protection officers, privacy and compliance leads, and product and engineering owners at any organization processing personal data in Malaysia; banks, insurers, lenders and fintechs running automated credit or eligibility decisions; HR, e-commerce and marketing teams using profiling or personalization; and vendors selling AI decision systems into the Malaysian market.
Issued and published on 30 April 2026. The three guidelines are available from the Personal Data Protection Department and form part of the operational framework for the amended PDPA.
Frequently Asked Questions
Are the Malaysian DPIA, ADMP and Data Protection by Design guidelines legally binding?
They are guidelines issued under the Personal Data Protection Act 2010 (Act 709) on 30 April 2026. They interpret the Act rather than creating new primary legislation, but the DPIA guideline states when a DPIA must be done, so for regulated organizations they function as binding compliance expectations.
Does automated decision-making require a DPIA?
Yes. The DPIA guideline treats automated decision-making as a qualitative factor that requires a DPIA, and read with the ADMP guideline, automated decision-making and profiling trigger a DPIA before the processing begins, regardless of volume.
What are the DPIA volume thresholds?
Processing expected to involve more than 20,000 data subjects, or processing of sensitive personal data, including financial information, expected to involve more than 10,000 data subjects. The guideline calls these the Quantitative Threshold.
What method does the DPIA follow?
A five-step method the guideline abbreviates as DEICA: Describe, Evaluate, Identify, Consider and Assess the processing, its necessity, its risks, its safeguards and its residual risk.
Why does this matter for AI?
It is the first time Malaysian data protection guidance addresses AI-driven processing directly. Systems that score, rank, personalize or decide about people, including credit scoring and eligibility engines, now fall squarely within the DPIA trigger.