Key Takeaway
- The PDPA governs how businesses process personal data in commercial transactions in Malaysia.
- 2025 updates introduced mandatory Data Breach Notification and Data Protection Officer (DPO) obligations (key provisions in force 1 June 2025).
- Penalties for breaching the PDPA principles now reach up to RM1,000,000 and/or 3 years’ imprisonment; some offences have different caps (e.g., failure to register: up to RM500,000/3 years; DBN breaches: up to RM250,000/2 years).
- Every business handling personal data must follow the seven PDPA principles.
- Real compliance starts with clear privacy notices, secure systems, and regular staff training tailored to your audience.
The Personal Data Protection Act (PDPA) governs how businesses in Malaysia collect, use, and protect personal information. In 2025, updates to the Act make compliance even more critical, especially for organisations storing customer data digitally or online.
If your business collects names, emails, or phone numbers through a website or Google Form, you’re very likely a data controller under the PDPA (private-sector, commercial context).
The problem? Many don’t realise they’re legally bound by PDPA until it’s too late.
But what is PDPA and why does it matter? Well, let the best digital PR agency answer that and more as we break down this often overlooked area of legal compliance for Malaysian businesses.
What Is the PDPA and Who Must Comply?
The Personal Data Protection Act (PDPA) 2010 (Act 709) regulates the processing of personal data in commercial transactions within Malaysia.
In short, it protects individuals’ privacy by setting clear duties for anyone who collects, stores, or uses personal data for business purposes.
If your business collects customer information through:
- online order forms,
- membership or loyalty systems,
- digital marketing sign-ups, or
- HR recruitment portals,
then you are a data user under the Act.
The PDPA applies to all private-sector organisations operating in Malaysia, regardless of size. Public authorities are exempt, but all other commercial entities, including sole proprietors and partnerships, must comply.
Source: Department of Personal Data Protection Malaysia, PDP.gov.my
What Changed Under PDPA in 2025?
The 2024 Amendment Act, enforced through PDP Circular No. 1/2025 and No. 2/2025, introduces the most significant updates since PDPA’s launch.
1. Mandatory Data Breach Notification
- Organisations must report to the PDP Commissioner any personal-data breach that puts individuals’ rights at risk.
- Notifications should be made as soon as practicable, following the PDP’s guideline window (typically within 72 hours of awareness).
- If significant harm to individuals is likely, inform affected individuals without undue delay and no later than 7 days after notifying the Commissioner.
2. Appointment of a Data Protection Officer (DPO)
Appoint (and register within 21 days) a DPO if you:
- Process personal data of >20,000 data subjects; or
- Process sensitive/financial data of >10,000 data subjects; or
- Conduct regular and systematic monitoring (behavioural ads, algorithmic recommendations, large-scale CCTV/wearables).
Publish the DPO’s business contact info in your privacy notices/website.
3. Stronger Enforcement and Penalties
- Up to RM1,000,000/3 years for breaches of the PDPA principles.
- DBN offences: up to RM250,000/2 years.
- Failure to register (if required): up to RM500,000/3 years.
- Repeat offenders may face both penalties concurrently.
4. Updated Guidelines and Registration Rules
- PDP is revising 13 registration categories under the Class of Data Users Order 2013.
- Businesses must renew registrations annually and display valid certificates at their premises and websites.
“In December 2024, Malaysia’s National Cyber Security Agency (NACSA) began investigating claims that MyKad data of 17 million Malaysians had been leaked and sold on the dark web” – The Star, Dec 4 2024.
What Are the 7 PDPA Principles?
These seven principles form the backbone of Malaysian data protection. Every compliant organisation must follow them.
| Principle | Explanation and Local Example |
|---|---|
| 1. General | Collect data only for lawful and necessary purposes. A salon should only record contact numbers for appointment scheduling, not unrelated marketing. |
| 2. Notice & Choice | Inform individuals of data use and obtain consent. Display a bilingual (English + Bahasa) privacy notice at every collection point. |
| 3. Disclosure | Share data only with authorised or consented parties, for instance, a courier company fulfilling an order. |
| 4. Security | Protect data from loss, misuse, or unauthorised access through passwords, encryption, and restricted folders. |
| 5. Retention | Keep data only as long as necessary. Delete customer records after the retention period defined in company policy. |
| 6. Data Integrity | Ensure information remains accurate and current. Provide staff access to update customer details upon request. |
| 7. Access | Allow individuals to view and correct their data promptly upon written request. |
Source: Department of Personal Data Protection Malaysia, PDP.gov.my
Do All Businesses Need to Register as Data Users?
If your business belongs to any of the 13 classes of Data Users specified under the Class of Data Users Order 2013, then yes, you need to register. Examples include:
- Banking & finance
- Communications
- Healthcare
- Education services
- Direct Selling
- Tourism & hospitality
- Real estate management
Basically, any industry that touches customer data. Registration is done through the PDP Online Portal, requires payment of a small fee, and must be renewed annually.
Failure to register or to display the certificate can result in fines of up to RM500,000 or imprisonment for three years.
Source: PDP.gov.my – Registration Regulations 2013.
How to Handle a Data Breach
Data breaches are becoming alarmingly common in Malaysia, testing every business’s cybersecurity resilience in the face of phishing scams, ransomware, and AI-driven fraud attempts.
“According to MyCERT, Malaysia recorded 195 data-breach incidents in Q1 2025, a 29% increase compared to the previous quarter” – The Star, 2025
These incidents highlight why Malaysia’s PDP Circular No. 1/2025 now makes data-breach reporting mandatory.
6-Step Playbook for Malaysian Companies
1. Contain the breach
Disconnect affected servers, laptops, or systems immediately and revoke any compromised credentials. Isolation limits further data exposure.
2. Assess the impact
Identify which data sets were compromised, such as NRIC, email, or payment information, and estimate the number of individuals affected.
3. Record the details
Maintain a Breach Log noting time detected, source of compromise, and corrective actions. These records are vital during PDP investigations.
4. Notify the PDP
Report the breach using the official PDP notification form within the required timeframe. Include impact assessment, mitigation steps, and evidence of containment.
5. Inform affected individuals
When personal or financial harm is likely, contact those impacted with guidance on monitoring bank activity, resetting passwords, and avoiding scams.
6. Review and improve
Conduct an internal security audit, update software patches, and train employees on phishing and data-handling protocols.
Common PDPA Mistakes Malaysian Businesses Still Make
Even with PDPA in effect for over a decade, many businesses still misunderstand how compliance works in practice.
The issue is rarely bad intent; it is a misalignment between legal requirements and day-to-day operations. Remember, this is a consumer rights issue.
Copy-pasting foreign privacy templates
Many companies adopt templates from overseas frameworks like the EU’s GDPR or Australia’s Privacy Act. The result: policies full of terms (like “Data Controller” or “processing bases”) that have no standing under Malaysia’s PDPA.
Treating data collection as “the more, the better”
Retailers and startups often over-collect customer details such as birthdays, addresses, or IC numbers, even when these are not needed.
Under the General and Notice Principles, this counts as excessive processing.
Collect only what you genuinely need to provide your service. “Just in case” collection is a liability, not a safeguard.
Forgetting Malaysia’s multilingual reality
Transparency means accessibility.
Yet, many firms publish privacy notices solely in English. Under PDPA’s spirit, notices should be clear, readable, and where appropriate, bilingual (English + Bahasa Malaysia) so all customers can understand consent and usage terms.
Never deleting what they collect
Data retention is one of PDPA’s most ignored principles. Businesses keep CVs, invoices, and contact lists long after they serve their purpose.
If an old file leaks, it’s still your responsibility. Create and enforce a retention schedule defining how long each data category is stored before secure deletion.
Skipping staff training and awareness
Policies fail where people do. Untrained employees are the top cause of accidental disclosures, from emailing files to the wrong recipient to clicking phishing links.
The PDP recommends annual refresher training. A 30-minute workshop can prevent a RM500,000 penalty.
Why PDPA Compliance Builds Business Trust
When your clients know their data is handled responsibly, they are more likely to share accurate details, renew subscriptions, and recommend your services.
After all, nobody likes a scam call, not even when you have Truecaller installed on your phone.
Clear policies, proper registration, and transparent privacy notices demonstrate professionalism that attracts both customers and partners.
At PRESS, we offer website design services that go beyond just looking nice. We also make sure your site is secure: that means SSL encryption, compliant data-capture forms, and privacy notices written for Malaysian law, not copied from abroad.
So work with us! And we can make sure your website is safe, compliant and visible online.
Disclaimer: This article is for general information on Malaysia’s PDPA only and does not constitute legal advice; please consult qualified counsel or official JPDP guidance for your specific situation.
Source:
- JPDP — Circular No. 1/2025: Data Breach Notification (DBN)
- JPDP — Guidelines on Data Breach Notification (DBN)
- Baker McKenzie — PDPA Amendment Act 2024 to come into force
- Future of Privacy Forum — Malaysia’s new data protection frameworks (2025) (overview of DPO thresholds, DBN timing, cross-border/TIA).
- The Star — NACSA probes alleged MyKad leak of 17M records (Dec 4, 2024).
Frequently Asked Questions About PDPA in Malaysia
What does PDPA stand for?
PDPA stands for Personal Data Protection Act 2010, Malaysia’s main privacy law regulating personal-data processing.
Who Enforces PDPA In Malaysia?
The Department of Personal Data Protection (JPDP/PDP) under the Ministry of Digital.
Does PDPA Apply To Small Businesses?
Yes. Any organisation that collects or stores personal data for commercial purposes must comply.
What Are The Penalties For Violating PDPA?
Fines up to RM500,000 and imprisonment of three years, depending on the offence.
Do I Need A Data Protection Officer (DPO)?
Required if your company handles large volumes of personal data or belongs to a registered data-user class.
Can Malaysian Businesses Transfer Customer Data Overseas?
Yes. Under the 2025 CBPDT Guideline, conduct a Transfer Impact Assessment (TIA) to ensure the destination provides protection substantially similar to the PDPA. Consent and other safeguards (SCCs, BCRs) remain available. The prior “whitelist” approach has been replaced.