BANDAR SERI BEGAWAN – Brunei has enacted the Personal Data Protection Order (PDPO) 2025, empowering individuals to control how private sector organisations collect, use, and disclose their personal data.

This includes the right to be informed about data collection purposes, the ability to opt in or opt out, and the right to withdraw consent at any time.

Approved in January 2025, the PDPO will be implemented in phases, giving organisations a one-year grace period to fully comply with the legislation.

It aims to establish robust personal data governance and protection within the private sector and non-governmental organisations (NGOs), particularly those handling data for public entities.

Addressing the Legislative Council on Thursday, the Minister of Transport and Infocommunications, Pg Dato Shamhary Pg Dato Hj Mustapha, said the PDPO would align Brunei with international data protection standards.

He urged organisations to cultivate a culture of accountability in personal data management in order to minimise the risks of data breaches.

“It is crucial for organisations to assess their current practices, and to establish proper processes before the full enforcement of the PDPO,” he stated.

Minister of Transport and Infocommunications, Pg Dato Shamhary Pg Dato Hj Mustapha, speaks during a Legislative Council meeting on March 6, 2025. Photo: Information Department

While the PDPO applies only to private sector organisations and NGOs, the minister stressed that government entities must also responsibly manage personal data through existing frameworks including the Data Sharing Guidelines, the Official Secrets Act, and the Protective Security Manual.

What the PDPO means for you

For individuals, the new laws provide greater control over personal data, ensuring that the information shared with organisations is accurate, used only for its intended purpose, and that consent can be freely granted or revoked at any time.

For example, if you no longer wish to participate in a store’s loyalty programme, you can withdraw your consent and the company will be required to delete your personal information from its system.

The PDPO also safeguards against data misuse by requiring organisations to follow legally mandated data handling procedures, and implement protocols for managing data breaches.

Additionally, the PDPO includes a crucial obligation for private sector companies: they must appoint at least one Data Protection Officer responsible for ensuring compliance with the law.

To support this, AITI has launched capacity-building initiatives, including the Competency Programme for Data Protection Officers, which leads to certification as a Certified Information Privacy Manager (CIPM).

A new Personal Data Practitioner Course is planned for mid-2025, and a Competency Framework for Data Protection Officers is also being developed.

AITI is also developing other resources, including advisory guidelines, infographics, FAQs, and videos, to assist organisations with compliance.

In a statement issued on Friday, AITI said that the PDPO is a key part of supporting Brunei’s digital transformation.

“The Order is intended to create a safe and secure environment, which will enhance the credibility of organisations both nationally and internationally.

“It will facilitate trusted cross-border data flows and contribute to the development of the digital economy with the potential to elevate more foreign direct investment, as well as regional and international trade to Brunei Darussalam.”