Properly trained DPOs are essential to maintaining compliance with personal data protection laws and protecting the organisation’s reputation. As personal data protection enforcement becomes more robust, DPO training quality will increasingly determine a DPO’s effectiveness.
On 21 July 2025, the Personal Data Protection Commissioner (“Commissioner”) introduced a Management of DPO Training Service Providers Guideline (“Guideline”) (https://www.pdp.gov.my/ppdpv1/en/management-of-data-protection-officer-dpo-training-service-providers-guideline-2/) to set out expectations for DPO Training Service Providers (“Training Providers”) and a prospective recognition system for the oversight of Training Providers that offer DPO-related courses.
This move reflects the Commissioner’s commitment to, and focus on, ensuring that DPOs are properly equipped, competent, and supported to perform their duties under the Personal Data Protection Act 2010 and its amendment (“Act”).
This Guideline should be read together with the following guidelines to form a holistic framework to standardise DPO competency, training quality, and professional development across all sectors:
- DPO Competency Guideline (https://www.pdp.gov.my/ppdpv1/en/data-protection-officer-dpo-competency-guideline-2/); and
- DPO Professional Development Pathway & Training Roadmap (https://www.pdp.gov.my/ppdpv1/en/data-protection-officer-dpo-professional-development-pathway-training-roadmap-2/).
Below are some points distilled from the Guideline to help businesses better select a DPO training provider and training programme.
Selecting A DPO Training Provider
Pending the Commissioner providing formal certification or recognition of training providers, a business can use the Guideline to self-assess and select DPO training providers which can demonstrate their capacity, infrastructure, and capability to deliver effective DPO training programmes.
A. Qualified Trainers with Practical Expertise
Trainers must not only have theoretical knowledge of personal data protection and information security but also hands-on experience. They should be able to translate legal and technical concepts into practical steps that businesses can apply.
B. Delivery Capability and Infrastructure
Training Providers should have the appropriate infrastructure to support effective delivery of training programmes. Training may be conducted in-person, virtually, or in blended formats. However, the chosen method must suit the course objectives and the participants’ learning objectives.
C. Structured Participant Assessment
Training programmes must assess participants’ understanding through structured mechanisms to ensure they can apply the knowledge in practice, not merely understand the theory. Assessment mechanisms should align with the intended learning outcomes relevant to the responsibilities of a DPO under the Act.
D. Quality Assurance and Continuous Improvement
Training content must be accurate and regularly updated to reflect changes in laws, guidelines, and industry practices. Training Providers must also collect participant feedback and use it to improve course design and delivery.
Selecting A DPO Training Programme
When selecting a DPO training programme, businesses should assess whether the content equips the appointed DPOs with the competencies required to carry out their responsibilities effectively.
The Guideline helpfully sets out that any DPO training programme should comprehensively cover these five core areas:
| Competency Area | Key Learning Objectives |
|---|---|
| Legal & Regulatory Knowledge | In-depth understanding of the Act and relevant personal data protection laws and practices. |
| Operational & Risk Awareness | Knowledge of organisational operations and personal data processing activities (including identifying and managing related personal data processing risks). |
| Professional Conduct & Organisational Influence | Building a personal data protection culture and emphasis on integrity, corporate governance, professional and ethical standards. |
| Scope of DPO Responsibilities | |
| Independence & Resource Awareness | Understanding DPO independence principles and the importance of having sufficient resources to perform the functions effectively. |
Conclusion
With the help of this Guideline, businesses can now better select their DPO Training Providers and trainers to be better positioned to manage regulatory scrutiny and build a culture of responsible personal data management.
***
This article was written by Jocelyn Lier (Associate) from Donovan & Ho’s corporate practice.
Our corporate practice group advises on corporate acquisitions, restructuring exercises, joint venture arrangements, shareholder agreements, employee share options and franchise businesses, Malaysia start-up founders and can assist with venture capital funds in Seed, Series A & B funding rounds. Feel free to contact us if you have any queries.


