Accutive Security

Malaysia: The Personal Data Protection Act

Overview of Malaysia’s Personal Data Protection Act (PDPA)

The Personal Data Protection Act 2010 (PDPA) is Malaysia's primary data protection statute. It regulates the processing of personal data in commercial transactions by individuals and organizations, was passed in 2010 and came into force on 15 November 2013. The Personal Data Protection (Amendment) Act 2024 expanded the obligations of organizations that handle personal data and raised the penalties for non-compliance.

What Qualifies as Personal Data under Malaysia’s PDPA?

Under the PDPA, personal data is any information in respect of commercial transactions that relates to a data subject who is identified or identifiable from that information, either on its own or in combination with other information held by the data controller. Typical examples are name, address, contact details, identification (IC) number, photographs and financial information. A subset, sensitive personal data (for example health information, religious belief, political opinion, the commission of an offence and, since the 2024 amendments, biometric data), requires the data subject's explicit consent before it may be processed.

Who Must Comply?

The PDPA applies to any person established in Malaysia who processes personal data in the context of that establishment, and to any person not established in Malaysia who uses equipment in Malaysia to process personal data (other than merely for transit). A foreign company is therefore within scope when its processing of Malaysian individuals' personal data runs on equipment located in Malaysia. The Federal and State Governments are excluded from the Act.

Core Obligations for Data Controllers

The PDPA sets out seven data protection principles (General, Notice and Choice, Disclosure, Security, Retention, Data Integrity and Access) that bind anyone who processes personal data. In practice these require obtaining consent from individuals before collecting, using or disclosing their personal data, telling them why it is collected and with whom it will be shared, keeping it only as long as needed for that purpose, and ensuring that it is accurate, complete and up to date.

The Security Principle requires individuals and organizations to take practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. This means physical, technical and organizational security measures, such as encryption, access controls and vetting of the staff who can reach the data, proportionate to the sensitivity of the data and the harm a breach would cause.

Key 2024–2025 Amendments

Malaysia’s Personal Data Protection (Amendment) Act 2024 introduces significant new duties and higher penalties that are being phased in during 2025:

  • Direct obligations on data processors (effective 1 April 2025)
  • Revised definitions of “personal data” and “sensitive personal data”
  • Higher fines: up to RM 1 million or, for certain offences, RM 2 million and/or two years’ imprisonment
  • Mandatory appointment of a Data Protection Officer (DPO)
  • Breach-notification duty to both the Commissioner and affected data subjects
  • New right of data portability for individuals
  • “Personal data breach” is now defined as “any breach, loss, misuse or unauthorised access of personal data.”

Cross-Border Data Transfers

On 29 April 2025, the Cross-Border Personal Data Transfer Guidelines (CBPDT) took effect, replacing the old “white-list” mechanism. A data controller must now meet at least one of the conditions in Section 129 PDPA—such as obtaining explicit consent or ensuring comparable protection in the destination country—before transferring data outside Malaysia.

The simplest way to stay within these rules is not to move Malaysian sensitive personal data outside Malaysia at all. Where a process abroad (or any non-production environment) does not need the real values, a masked copy can be used instead. The masking must be consistent across tables so that data relationships and referential integrity are preserved: a customer identifier that is replaced in one table must be replaced with the same token everywhere it appears, or joins break and test results become meaningless.
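The masking approach described above, and again under “Why Compliance Matters” below, is illustrated by the following Python example. It is added here and is not code from Accutive Security or from this page; the customer and transaction tables, the IC numbers and the names are constructed for the example. Each identifier is replaced by a keyed HMAC-SHA256 pseudonym with per-column domain separation, so the same real value always yields the same token, different columns never collide, and the token cannot be reversed without the key, which stays in production. Because both tables are masked with the same key, the foreign key in the transactions table still joins to the customers table.

```python
import hmac
import hashlib
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample tables standing in for a production database.
# The people, IC numbers and addresses are invented for this example.
CUSTOMERS: List[Dict] = [
    {"ic_number": "850101-14-5555", "name": "Aminah binti Yusof", "email": "aminah@example.com"},
    {"ic_number": "900202-10-1234", "name": "Tan Wei Ming", "email": "tan.wm@example.com"},
]
TRANSACTIONS: List[Dict] = [
    {"txn_id": 1, "ic_number": "850101-14-5555", "amount_myr": 120.50},
    {"txn_id": 2, "ic_number": "900202-10-1234", "amount_myr": 75.00},
    {"txn_id": 3, "ic_number": "850101-14-5555", "amount_myr": 310.25},
]


def _token(key: bytes, domain: str, value: str) -> bytes:
    """Keyed, domain-separated pseudonym. The same (domain, value) always maps to the
    same token, different columns cannot collide, and without the key it cannot be
    inverted, so the key must never leave the production environment."""
    return hmac.new(key, f"{domain}\x00{value}".encode("utf-8"), hashlib.sha256).digest()


def mask_ic_number(key: bytes, ic: str) -> str:
    """Format-preserving pseudonym for a Malaysian IC number (YYMMDD-PB-NNNN layout).
    Only the layout is preserved (column widths and format validators still work);
    the digits come from the keyed hash, not from the real number, so the date part
    is not guaranteed to be a valid calendar date."""
    digits = str(int.from_bytes(_token(key, "ic_number", ic)[:8], "big")).zfill(20)[-12:]
    return f"{digits[:6]}-{digits[6:8]}-{digits[8:]}"


def mask_name(key: bytes, name: str) -> str:
    return "Customer-" + _token(key, "name", name).hex()[:8]


def mask_email(key: bytes, email: str) -> str:
    # .invalid is a reserved TLD (RFC 2606), so a masked address can never deliver mail.
    return "user-" + _token(key, "email", email).hex()[:10] + "@example.invalid"


def mask_dataset(customers: List[Dict], transactions: List[Dict], key: bytes) -> Tuple[List[Dict], List[Dict]]:
    """Mask both tables with one key so the foreign key in TRANSACTIONS still joins
    to the primary key in CUSTOMERS after masking. Non-identifying columns are kept."""
    masked_customers = [
        {**c,
         "ic_number": mask_ic_number(key, c["ic_number"]),
         "name": mask_name(key, c["name"]),
         "email": mask_email(key, c["email"])}
        for c in customers
    ]
    masked_transactions = [
        {**t, "ic_number": mask_ic_number(key, t["ic_number"])} for t in transactions
    ]
    return masked_customers, masked_transactions


def referential_integrity_ok(customers: List[Dict], transactions: List[Dict]) -> bool:
    """Every transaction must reference a customer row that exists."""
    keys = {c["ic_number"] for c in customers}
    return all(t["ic_number"] in keys for t in transactions)


def transactions_per_customer(customers: List[Dict], transactions: List[Dict]) -> List[int]:
    """Join cardinality per customer, in customer order; masking must not change it."""
    counts = Counter(t["ic_number"] for t in transactions)
    return [counts[c["ic_number"]] for c in customers]


def leaks_original_identifiers(original_customers: List[Dict], masked_customers: List[Dict]) -> bool:
    """Release gate: refuse to ship the copy if any real IC number or e-mail survived."""
    real = {c["ic_number"] for c in original_customers} | {c["email"] for c in original_customers}
    return any(c["ic_number"] in real or c["email"] in real for c in masked_customers)


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generated and held in production; never exported with the data
    mc, mt = mask_dataset(CUSTOMERS, TRANSACTIONS, key)
    assert referential_integrity_ok(mc, mt)
    assert transactions_per_customer(CUSTOMERS, TRANSACTIONS) == transactions_per_customer(mc, mt)
    assert not leaks_original_identifiers(CUSTOMERS, mc)
    for row in mc + mt:
        print(row)
```

The three checks at the end are the ones worth automating in a masking pipeline: the masked foreign keys still resolve, each customer keeps the same number of transactions as in production, and no real identifier survives in the copy. Rotating the key produces an entirely new, unlinkable set of tokens, which is what you want between separate releases to third parties.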

Data-Subject Rights

Under the PDPA, individuals have the right to access and correct their personal data held by an organization, to withdraw their consent to its processing, to require an organization to stop processing that is likely to cause them damage or distress, and to stop processing for direct marketing. They may also complain to the Personal Data Protection Commissioner if they believe their personal data has been mishandled.

New for 2025: the Amendment Act adds a statutory right to data portability, enabling individuals to request that their personal data be transmitted to another data controller where technically feasible.

Enforcement and Penalties

Failure to comply with the PDPA can result in significant penalties, including fines and imprisonment. Organizations can be fined up to RM 500,000 (approximately USD 120,000) for a first offence and up to RM 1 million (approximately USD 240,000) for subsequent offences, with higher ceilings and custodial sentences introduced by the 2024 amendments.

Why Compliance Matters

The PDPA gives individuals control over their personal data and regulates how organizations process it. With the volume of data generated and processed growing every year, and with the new processor duties, breach-notification requirements and cross-border transfer rules now in force, compliance with the PDPA is essential for any organization that processes personal data in Malaysia.

In addition to the penalties and sanctions for non-compliance, organizations face the direct cost of a data breach. According to IBM, the average cost of a data breach in the ASEAN region, which includes Malaysia, reached an all-time high of RM 16.2 million (USD 3.45 million) in 2024. A recurring source of exposure is sensitive data copied out of hardened production systems into lower environments that lack the same controls. That is why masked or synthetic data should be used for all activity in non-production environments, such as development, testing, analytics and external sharing.
