Research Team (Tsaaro)

Malaysia Issues New PDPA Guidelines on ADMP, DPIAs and Data Protection by Design

Mar 3, 2026

Malaysia's Personal Data Protection Commissioner issued three new guidelines under the Personal Data Protection Act 2010 (PDPA) on Automated Decision-Making and Profiling (ADMP), Data Protection Impact Assessments (DPIAs), and Data Protection by Design (DPbD). The guidelines aim to strengthen accountability and provide practical guidance for managing higher-risk data processing activities. 

  • ADMP: The guideline applies to automated decisions that have significant effects on individuals, such as decisions related to employment, credit, insurance, and education. It requires organisations to ensure transparency, maintain human oversight, and assess the risks associated with profiling and AI-driven decision-making.  

  • DPIA: It adopts a risk-based approach and requires organisations to conduct impact assessments for high-risk processing activities, particularly those involving large-scale processing, sensitive data, or automated decision-making. 

  • Data Protection by Design: The guideline encourages organisations to embed privacy and data protection measures into systems and processes from the outset. It emphasises principles such as data minimisation, transparency, and security throughout the data lifecycle.

Collectively, the three guidelines signal Malaysia's growing focus on responsible data governance and alignment with global privacy and AI governance standards. They require organisations to build accountability into their systems, assess privacy risks in advance, and maintain proper documentation to demonstrate compliance.  

Source: https://www.asl.com.my/wp-content/uploads/2026/06/Legal-Update-Malaysia-PDPA-guidelines_revised-SDR-format.pdf  

News of the Week 

  1. Healthcare Data Breaches Continue to Pose Major Cybersecurity Risks 

According to the latest statistics published by the HIPAA Journal, healthcare data breaches remain a significant concern in the United States. Although the number of reported breaches declined slightly in 2025, cyber incidents continue to expose vast amounts of sensitive health information. 

Hacking and other IT-related incidents remain the leading cause of healthcare data breaches and account for the majority of reported incidents. The 2024 ransomware attack on Change Healthcare is the largest healthcare data breach on record. The findings indicate that while incidents involving lost or stolen devices have declined, risks arising from ransomware attacks, unauthorised access, and third-party vulnerabilities continue to grow. 

Source: https://www.hipaajournal.com/healthcare-data-breach-statistics/  

  2. UIDAI to Phase Out mAadhaar, Introduces New Aadhaar App with Enhanced Privacy Features

The Unique Identification Authority of India (UIDAI) has announced that the existing mAadhaar application will soon be discontinued and replaced by a redesigned Aadhaar app.  The new app introduces several privacy and security features, including face authentication, QR code-based verification, biometric lock and unlock controls, and consent-based selective data sharing.  

The new platform allows users to share only the information necessary for a particular transaction, reflecting a greater emphasis on data minimisation and user control. The application also supports multiple Aadhaar profiles on a single device and enables certain updates, such as mobile number and address changes, directly through the app. 

Source: https://gulfnews.com/business/banking/india-to-phase-out-maadhaar-as-new-aadhaar-app-takes-over-what-to-know-1.500560534   

  3. Grok AI Faces Backlash for the Creation and Sharing of Sexual Deepfake Images

Canada's Privacy Commissioner has concluded that xAI's Grok violated Canada's federal private-sector privacy law by launching an AI-powered image generation tool without adequate safeguards to prevent the creation and sharing of sexualised deepfake images. The findings were released following an investigation that began in January 2026 after reports emerged that Grok was generating and publicly sharing explicit deepfakes of real and identifiable individuals. 

Regulators across the European Union, including authorities in Spain and the Netherlands, have examined the platform's management of explicit AI-generated content. Additionally, Indonesia and Malaysia have restricted access to Grok due to concerns over the generation of sexually explicit AI-created images. In response to these concerns, xAI has reportedly undertaken to implement additional safeguards, including enhanced monitoring of sexualised deepfakes and limitations on the modification of images of real individuals in explicit or revealing contexts. 

Source: https://www.aljazeera.com/economy/2026/6/11/musks-grok-accused-of-violating-canadian-privacy-laws-on-deepfakes  

Want to stay ahead?  

Secure your communications today with a tailored privacy and compliance strategy from Tsaaro.com.  

We Help You to Grow Your Business Faster & Easier

Our mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with 150+ clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
