PUTRAJAYA: The Personal Data Protection Department (JPDP) has introduced three new guidelines aimed at strengthening proactive measures for data handlers, including the use of artificial intelligence (AI) in personal data processing.
According to Personal Data Protection Commissioner Shariffah Rashidah Syed Othman, the new guidelines are grounded in risk management and accountability, where organisations are required to understand the implication of data usage and take responsibility for every decision.
She noted that the use of technologies such as AI and data analytics brings new challenges in the area of personal data protection, adding to a growing urgency to strengthen the implementation of the Personal Data Protection Act 2010 (Act 709).
"For example, one of the guidelines ensures that we retain human elements to avoid bias or possible risks especially in situations where AI is used in the decision-making process," she said at the PDPA Connect: Strengthening Digital Trust 2026 event here today (April 30), adding that steps were also taken to ensure the guidelines are aligned with latest international standards.
The new guidelines are Data Protection Impact Assessment (DPIA), Data Protection by Design (DPbD) and Automated Decision-Making and Profiling (ADMP).
Deputy Digital Minister Datuk Wilson Ugak Kumbong described the launch as a strategic step towards strengthening the execution of Act 709, which aims to regulate the processing of personal data in commercial transactions by data users and protect the interest of data subjects.
"First, DPIA aims to help organisations identify and manage risk at the preliminary stage in data handling operations, while ensuring that preventive measures are implemented before any system is introduced," said Wilson Ugak.
He added that DPbD is designed to ensure personal data protection is wholly integrated throughout the entire lifecycle of data processing activities from the design to disposal phase.
"Thirdly, ADMP guidelines emphasise the responsible implementation of automated decisions and profiling activities by ensuring transparency, fairness and accountability in processes that affect data subjects," he added.
Wilson Ugak called on all parties to take proactive measures to execute the new guidelines.
Under Act 709, Shariffah Rashidah said the Personal Data Protection Commissioner has the power to decide on action that can be taken for non-compliance, including issuing compounds to up to RM100,000.
"However, we're focusing on helping data handlers develop a better understanding on the new guidelines first," she added.
While the Personal Data Protection Act is not applicable for government agencies or bodies, Shariffah Rashidah said her department is looking to embed personal data protection measures in the public sector.
The new guidelines are available on the JPDP website.
