Updates to Malaysia’s Personal Data Protection Act 2010 (PDPA)

Malaysia’s Personal Data Protection Act 2010 (PDPA) has undergone significant updates through the Personal Data Protection (Amendment) Act 2024. These changes are intended to modernise Malaysia’s data protection framework, strengthen individual rights, and align local laws with international data protection standards such as the GDPR.

Below is a simple overview of the key updates and what they mean for organisations and individuals.


1. Updated Terminology and Definitions

One of the major changes is the modernisation of terms used in the Act:

  • “Data User” is replaced with “Data Controller”, aligning with global data protection terminology.
  • Biometric data (such as fingerprints and facial recognition data) is now expressly classified as sensitive personal data.
  • A new definition of “personal data breach” has been introduced.
  • The definition of personal data now excludes data relating to deceased persons.

These updates provide clearer guidance and reduce ambiguity in interpretation.


2. Increased Responsibility for Data Processors

Previously, the PDPA mainly imposed obligations on data users/controllers. Under the amendments:

  • Data processors (third parties processing data on behalf of controllers) are now directly subject to the Security Principle.
  • Data processors can be held legally accountable if they fail to protect personal data adequately.

This change ensures stronger protection throughout the data processing chain.


3. Mandatory Personal Data Breach Notification

For the first time, the PDPA introduces a mandatory data breach notification requirement:

  • Data controllers must notify the Personal Data Protection Commissioner if a breach causes or is likely to cause significant harm.
  • Affected individuals must also be informed.

This improves transparency and allows individuals to take protective action quickly.


4. Appointment of a Data Protection Officer (DPO)

Organisations are now required to appoint a Data Protection Officer (DPO):

  • The DPO is responsible for monitoring PDPA compliance.
  • This role strengthens internal governance and accountability for personal data protection.

5. Introduction of Data Portability Rights

Individuals are now granted a right to data portability, allowing them to:

  • Request the transfer of their personal data from one data controller to another, subject to technical feasibility and compatibility.

This empowers individuals and promotes competition and innovation.


6. Changes to Cross-Border Data Transfers

The previous “whitelist” approach has been removed. Personal data may now be transferred outside Malaysia if:

  • The receiving country has laws substantially similar to Malaysia’s PDPA, or
  • The destination provides an adequate level of protection for personal data.

This offers greater flexibility for international business operations.


7. Higher Penalties for Non-Compliance

Penalties under the PDPA have been significantly increased:

  • Fines of up to RM1,000,000
  • Imprisonment of up to 3 years
  • Or both

The higher penalties reflect the seriousness of data protection obligations.


8. New Guidelines and Stronger Enforcement

The Personal Data Protection Commissioner is expected to issue new guidelines covering areas such as:

  • Data breach management
  • DPO responsibilities
  • Data portability
  • Privacy by design
  • Cross-border data transfers

These guidelines will help organisations better understand and comply with the updated law.


Why These Changes Matter

The amendments to the PDPA strengthen consumer trust, enhance accountability for organisations, and bring Malaysia closer to international data protection standards. Businesses that handle personal data should review their policies, contracts, and security measures to ensure compliance with the updated requirements.


Conclusion

The updates to Malaysia’s PDPA mark a major step forward in protecting personal data in the digital age. Organisations that act early to comply will reduce legal risks, improve trust, and demonstrate responsible data management practices.
