Personal Data Protection Act (PDPA)
The Personal Data Protection Act 2010 (PDPA) is Malaysia’s primary legislation regulating the processing of personal data in commercial transactions. The PDPA (Amendment) Act 2024 introduces significant updates to align Malaysia’s data protection framework with international standards and best practices, strengthening accountability, transparency, and the protection of individual privacy rights.
Key Amendments Include:
Personal Data Protection (Amendment) Act 2024 updates
The DPO and breach-notification provisions of the PDPA (Amendment) Act 2024 take effect on 1 June 2025, introducing significant new compliance requirements for organisations in Malaysia. Under the amended framework, organisations that process large volumes of personal or sensitive data, or that carry out regular and systematic monitoring of individuals, are required to appoint a Data Protection Officer (DPO).
The DPO plays a pivotal role in ensuring compliance with the PDPA. Key responsibilities include advising management on data protection obligations, overseeing internal compliance practices, conducting data protection impact assessments, and serving as the primary point of contact with the Personal Data Protection Commissioner.
Organisations must also formally notify the Commissioner of the DPO appointment and publish a dedicated DPO contact email address, for example on the corporate website or another public communication channel, so that data subjects and the Commissioner can reach the DPO directly. These measures are intended to enhance transparency, strengthen accountability, and build public confidence in how organisations manage personal data.
Under the PDP (Amendment) Act 2024, the appointment of a DPO is mandatory for organizations that meet any one of the following criteria:
The appointed DPO may be an internal employee or an external consultant, provided they meet the following qualifications:
In addition, the amendment introduces a mandatory Data Breach Notification framework under the PDPA, requiring organisations to report personal data breaches promptly. Organisations must:
The term “significant harm” under the amended PDPA is defined broadly to include potential risks such as financial loss, identity theft, reputational damage, or loss of access to essential services. Organizations are also required to maintain a data breach register for a minimum of two years, documenting key details such as the nature of the breach, types of data affected, actions taken, and remedial measures implemented.
The introduction of mandatory data breach notification requirements aligns Malaysia’s data protection framework with global privacy standards, reinforcing the need for organizations to adopt a proactive, transparent, and accountable approach in managing data security incidents.
Conclusion
The new amendments to Malaysia’s PDPA represent a significant milestone in strengthening the nation’s data governance framework. These reforms reflect the government’s commitment to safeguarding privacy and data security in a rapidly evolving digital economy, while emphasizing the critical role of businesses in managing personal data responsibly.
For organizations, these changes extend beyond regulatory compliance—they offer an opportunity to build trust, enhance internal controls, and adopt future-ready strategies for responsible data management.