The Evolution of Malaysia’s PDPA and Privacy Landscape

2026-05-21

by Kevin Koh, Business Development Director of Straits Interactive (Malaysia)


The amendments to the Personal Data Protection Act (PDPA) 2010, which came into force in mid-2025, represent the most comprehensive statutory overhaul of Malaysia’s data privacy framework since its inception. 

The legislative update introduces stringent enforcement mechanisms, escalating statutory penalties to a maximum fine of RM1 million and/or imprisonment for up to three years. Furthermore, it imposes strict compliance mandates, including the compulsory designation of Data Protection Officers (DPOs) and obligatory data breach notifications. 

While these legislative enhancements establish a more robust data governance framework, they impose substantial compliance and administrative burdens on organisations, with small and medium-sized enterprises (SMEs) disproportionately impacted by the associated financial expenditures.

The New Amendments: Key Focus Areas of Malaysia’s New PDPA Clauses

Originally enacted in 2010, the PDPA underwent significant legislative amendments, passed by the Malaysian Senate in 2024, to address vulnerabilities introduced by emerging technologies. These provisions were brought into force through a phased, three-stage implementation framework in the first half of 2025.

A summary of the primary statutory enhancements is as follows:

Mandatory Designation of a Data Protection Officer (DPO): Under the revised provisions, Data Controllers and Data Processors are legally compelled to designate a DPO if their operations involve processing the personal data of over 20,000 data subjects, processing sensitive personal data (expressly including biometric data) of over 10,000 data subjects, or the routine monitoring of individuals. This significantly expands the scope of the mandate, which was previously restricted to specific sectors such as banking, insurance, and healthcare.

Statutory Data Breach Notification (DBN) Framework: Data Controllers are now subject to a strict statutory duty to notify the Commissioner "as soon as practicable". For breaches reasonably likely to result in significant harm—such as physical or financial detriment, or unlawful data misuse—notification to the Commissioner must occur within 72 hours. Additionally, mandatory notification to affected data subjects must be executed within seven days of the initial regulatory report.

Direct Statutory Liability for Data Processors: Data Processors are now bound by direct legal obligations to secure and safeguard personal data against unauthorised access, leakage, or misuse. Failure to ensure such protections exposes processors to direct legal liability, marking a fundamental shift from the pre-2025 framework, in which sole statutory liability rested with the Data Controller (formerly defined as the Data User).

Right to Data Portability: Data subjects are granted the statutory right to mandate the direct transmission of their personal data from one Data Controller to another, thereby augmenting the subject's autonomy and jurisdictional control over their personal information.

Deregulation of Cross-Border Data Transfers: The amended PDPA formally abolishes the prior "whitelist" regime, which restricted international data transfers strictly to jurisdictions approved by the Minister. Regulatory oversight has been decentralised to Data Controllers, who are authorised to execute cross-border transfers provided they conduct a formal Transfer Impact Assessment (TIA) and implement the requisite precautionary safeguards.

Stakeholder Impacts and Sentiments

The implementation of these statutory enhancements is critical in mitigating escalating cybersecurity vulnerabilities. The 2024 IBM Cost of a Data Breach Report quantified the average corporate data breach at RM3.2 million, a financial exposure that the updated regulatory framework seeks to actively minimise.

At a macroeconomic level, the legislation enforces an elevated standard of corporate compliance, establishing a collective fiduciary responsibility across organisational hierarchies to guard against breaches. Legal friction has also been reduced due to the deregulation of cross-border transfers. 

However, the stringent regulatory mandates—encompassing DPO appointments, specialised training, legal counsel, and technological infrastructure—impose a severe financial strain on smaller enterprises. According to the March 2026 FMM Business Conditions Survey, 33% of enterprises anticipate profit margin contractions directly attributable to these compliance expenditures. To offset these statutory compliance costs, eligible entities may leverage capacity-building initiatives such as the HRDC Corp grant to upskill personnel in data protection.

2026 and Beyond: Upcoming PDPA Guidelines

The regulatory framework is expected to continue expanding, with supplementary compliance guidelines commencing on 30 April 2026 to target advanced data processing methodologies:

1. Automated Decision-Making and Profiling (ADMP): The guidelines impose rigorous oversight on autonomous algorithmic processing. Organisations are legally mandated to implement review protocols by specially trained human personnel, enhance transparency disclosures regarding customer data use, and provide robust, accessible opt-out mechanisms for data subjects.

2. Data Protection Impact Assessments (DPIA): A DPIA is a mandatory statutory requirement for "high-risk" processing activities, strictly defined as operations involving the personal data of over 20,000 individuals, sensitive personal data of over 10,000 individuals, or activities governed by the ADMP. Submissions must strictly adhere to the mandatory Describe-Evaluate-Identify-Consider-Assess (DEICA) framework, with each assessment maintaining a statutory validity period of two years.

3. Data Protection by Design (DPbD): This framework necessitates the institutionalisation of privacy safeguards throughout the entire operational lifecycle, from initial system design to final decommissioning. Compliance is evaluated against four statutory pillars: proactiveness (anticipatory risk identification), end-to-end protection, transparency over data use, and user-centric system design.

Looking forward, the Malaysian government is actively formulating a Digital Trust and Data Security Strategy 2026-2030. 

In parallel, statutory provisions are being drafted to elevate the Personal Data Protection Department from a subsidiary agency to an independent data commission. This institutional restructuring will grant the Commission expanded jurisdictional authority over broader data governance and ethical AI deployment, cementing Malaysia's commitment to rigorous and compliant data stewardship. 


Sources:
DLA Piper
Skrine Advocates and Solicitors (Dec 2024)
One Asia Lawyers
Mayer Brown
Rajah & Tann Asia
Skrine Advocates and Solicitors (May 2025)
Future of Privacy Forum
Federation of Malaysian Manufacturing
PwC Malaysia
Federation of Malaysian Manufacturing (Business Conditions Survey)
F1000 Research
Skrine Advocates and Solicitors (Dec 2025)
Department of Personal Data Protection (ADMP)
Department of Personal Data Protection (DPIA)
Department of Personal Data Protection (DPbD)
Malaysia-China Insight
