The Personal Data Protection Act 2010 Malaysia (PDPA) provides the principal legal framework governing personal data protection in Malaysia. Among its enforcement mechanisms, Section 108 empowers the Personal Data Protection Commissioner (“Commissioner”) to issue enforcement notices where a data user is either contravening a provision of the Act or has contravened it in circumstances making further contravention likely. The increasing regulatory emphasis on Data Protection Impact Assessments (DPIAs), particularly following the issuance of the Malaysian DPIA Guideline, raises a key question: whether failure to conduct a DPIA can, in practice, justify the issuance of an enforcement notice under Section 108.
While DPIAs are not expressly mandated under the PDPA, the introduction of the DPIA Guideline has significantly altered the compliance landscape by embedding DPIAs within the Commissioner’s expectations of risk-based accountability, particularly for high-risk processing.
Section 108(1) provides that following an investigation, the Commissioner may issue an enforcement notice where a data user:
- (a) is contravening the Act; or
- (b) has contravened it in circumstances where the contravention is likely to continue or be repeated.
This structure reflects a preventive enforcement model, allowing regulatory intervention before harm escalates. The provision is grounded in an evidential investigation, but it grants the Commissioner evaluative discretion to form an opinion on whether non-compliance is ongoing or systemic.
Crucially, Section 108(1)(b) extends enforcement beyond isolated breaches and captures structural deficiencies in compliance systems, particularly where organisational practices indicate an inability to prevent future violations.
Importantly, the legal force of an enforcement notice is reinforced by Section 108(8) of the Personal Data Protection Act 2010 Malaysia, which provides that failure to comply with an enforcement notice constitutes a criminal offence. This significantly elevates the enforcement mechanism beyond administrative compliance, as it creates a criminal liability trigger at the stage of non-compliance with the Commissioner’s directive rather than at the stage of the underlying PDPA breach itself.
Accordingly, Section 108 operates as a graduated enforcement mechanism:
- an initial investigation and determination of non-compliance or likely recurrence;
- issuance of an enforcement notice requiring corrective action; and
- escalation to criminal liability under Section 108(8) if the notice is ignored.
This escalation structure strengthens the practical significance of DPIAs. Where a DPIA is not conducted in high-risk processing scenarios, this may contribute to a finding of likely contravention under Section 108(1)(b), resulting in an enforcement notice. Once issued, non-compliance with that notice exposes the organisation to criminal sanctions under Section 108(8), thereby transforming what begins as a governance deficiency into a potential offence through continued non-compliance.
In this way, the PDPA enforcement framework operates not only as a mechanism for regulatory correction but also as a compliance escalation ladder, where failure to adopt preventive measures such as DPIAs may ultimately contribute to criminal exposure if enforcement directions are disregarded.
DPIA in Malaysia: From Statutory Silence to Regulatory Centrality
Unlike the General Data Protection Regulation and comparable regimes in jurisdictions such as the United Kingdom and the Philippines, the PDPA does not expressly mandate DPIAs. However, recent developments, including the Personal Data Protection Amendment Act 2024 Malaysia, reflect a shift toward enhanced accountability and risk-based regulation.
Within this framework, the DPIA Guideline plays a central role by: identifying high-risk processing scenarios, setting risk thresholds for when DPIAs are expected, and prescribing structured risk identification and mitigation processes.
Although formally a guideline, it functions as an authoritative articulation of what constitutes adequate compliance under the PDPA, particularly in relation to the Security Principle.
Soft Law with Hard Consequences
The DPIA Guideline operates as soft law but produces increasingly hard regulatory effects in three ways:
First, it gives substantive meaning to the Security Principle’s requirement to take “practical steps,” particularly by framing DPIAs as part of necessary risk mitigation in high-risk contexts. Second, compliance or non-compliance with the guideline becomes evidence of due diligence or systemic weakness in enforcement proceedings. Third, it signals the Commissioner’s regulatory expectations, thereby shaping compliance behaviour even without formal legislative force.
As a result, DPIAs are transitioning from optional best practice into a normative benchmark of responsible data governance.
DPIA Non-Compliance and Section 108
The interaction between DPIA expectations and Section 108 is most significant under limb (b), which concerns likelihood of recurrence.
Where an organisation undertakes high-risk processing without conducting a DPIA, it fails to identify and mitigate foreseeable risks. This may indicate:
- inadequate governance structures,
- weak internal controls, and
- systemic non-compliance with PDPA principles.
Such deficiencies may indirectly lead to breaches of the Security, General, or Data Integrity Principles. Even if no breach has yet occurred, the absence of a DPIA may justify the inference that future contraventions are likely, satisfying the threshold under Section 108(1)(b).
Comparative Insight
Internationally, DPIAs are widely recognised as a core element of modern data protection frameworks. Under the General Data Protection Regulation, DPIAs are mandatory for high-risk processing, with non-compliance constituting a direct breach. The United Kingdom adopts a similar approach through the UK Data Protection Act 2018, reinforced by regulatory guidance from the Information Commissioner’s Office.
More flexible systems, such as Singapore’s Personal Data Protection Act 2012 and Canada’s Personal Information Protection and Electronic Documents Act, do not always impose DPIAs as strict legal requirements but nonetheless embed them as essential compliance expectations.
Across these jurisdictions, a consistent pattern emerges: DPIAs function either as formal legal obligations or de facto governance standards, reflecting a global shift toward preventive, risk-based regulation.
Critical Evaluation
Despite these developments, the reliance on a guideline-based framework raises concerns regarding legal certainty and the boundary between interpretation and legislation. There is a risk that soft law instruments may effectively operate as quasi-binding obligations without parliamentary enactment.
However, this concern is mitigated by the structure of Section 108 itself. Its broad “likely to continue or be repeated” threshold inherently accommodates risk-based regulatory indicators, allowing the Commissioner to rely on DPIA non-compliance as evidence of systemic weakness rather than as an independent breach.
Conclusion
Failure to conduct a DPIA does not constitute an explicit statutory breach under the Personal Data Protection Act 2010 Malaysia. However, the introduction of the DPIA Guideline has fundamentally reshaped compliance expectations by embedding DPIAs within the framework of responsible data governance.
Where high-risk processing is undertaken without a DPIA, the Commissioner may reasonably infer systemic deficiencies amounting to a likely or recurring contravention, thereby justifying enforcement action under Section 108.
Ultimately, Malaysia’s PDPA is increasingly characterised not only by formal statutory obligations but also by evolving regulatory expectations. In this environment, DPIAs have become central to assessing compliance, reflecting a broader shift from formal legality to functional accountability in data protection enforcement.
Author:
Prof. Abu Bakar Munir
Co-Founder APPDI