For businesses in Malaysia that fall under the PDPA’s prescribed categories, registration as a data controller (previously known as “data user”) is mandatory, and failure can result in fines of up to RM500,000, imprisonment up to three years or both.
Having completed the process on behalf of our clients, we have prepared a step-by-step guide to walk you through the process, from checking if you need to register to what happens after receiving your certificate.
Let’s begin.
Who must register as data controller
If your business falls into any of these categories, registration is mandatory regardless of the size of your organisation or the volume of personal data processed.
| Sector | Details |
| --- | --- |
| Communication | Licensed under the Communications and Multimedia Act 1998 and Postal Services Act 2012 |
| Banking and Financial Services | Licensed bank, Islamic bank, and development financial institution |
| Insurance | Licensed insurer and takaful operator |
| Health | Hospitals, private medical or dental clinics, pharmacies |
| Tourism & Hospitality | Licensed tour operator, travel agent or tourist guide |
| Transportation | Airlines such as MAS, AirAsia |
| Education | Higher education institution, private school |
| Direct Selling | Licensed under the Direct Sales and Anti-Pyramid Scheme Act 1993 |
| Services | Legal, audit, accountancy, engineering, architecture, private employment agency |
| Real Estate | Licensed housing developer |
| Utilities | Water and electricity suppliers such as TNB |
| Pawnbrokers | Licensed under the Pawnbrokers Act 1972 |
| Moneylender | Licensed under the Moneylenders Act 1951 |
Businesses outside these prescribed classes are not required to register but remain fully subject to the PDPA’s seven data protection principles.
5-step registration process
Once you have confirmed that your organisation falls within the prescribed class, the next step is to formally register as a data controller.
Step 1: Create organisation account
The first step is to access the official SPDP registration portal and create an account for your organisation. During this process, you will be required to select the relevant prescribed class of data controller and provide your company’s particulars.
Step 2: Log in to registration portal
Once your account has been created, log in to the registration portal. From the main page, select the “Log Masuk SPDP” option to access the system and proceed with your application.

Upon first login, you will typically be required to change your password.

Step 3: Finalise registration application
After logging into the SPDP system, you may proceed to initiate your registration application by completing the prescribed form and providing the required information.

When completing the application, take note of the following:
- Registration validity period: You may select the duration of your Certificate of Registration (one year or two years). The applicable fee will vary depending on the selected validity period.
- Branch information: If your organisation operates through multiple branches, you should include the details of all relevant branches in the application.
Ensure that all information submitted is accurate and complete, as incomplete or inconsistent information may result in delays or requests for further clarification by the Commissioner.
The information required under items 2 to 5 should be clearly and specifically provided. These are materially the same disclosures that are required to be reflected in your privacy notice or privacy policy under the PDPA.

Supporting documents: It is advisable to attach relevant licences or regulatory approvals to substantiate that your organisation falls within the prescribed class of data users, together with a company profile outlining your business activities. This may facilitate the review and approval process.

Step 4: Submit the application
Once all required information and supporting documents have been completed and uploaded, you may proceed to submit the application.
Upon submission, the application will be received and processed by the Department (JPDP).
If the application is approved, you must make payment within the timeframe specified in the approval email. Failure to do so within the stipulated period may result in the application being cancelled, in which case a fresh application will need to be submitted.
If you have further questions on registration requirements, you may refer to PDP official FAQs or reach out to them at [email protected].
Step 5: Download and display the certificate
Upon successful payment, you will be able to download the Certificate of Registration. You should display the certificate at a conspicuous place at your principal place of business.
Where applicable, a certified copy of the certificate should also be displayed at each branch. This is a statutory requirement under the PDPA regulations. Failure to comply with this requirement may constitute an offence and expose the organisation to penalties.
Post-registration monitoring, renewal & updates
Registration is not a one-off exercise. You must continuously monitor the registration status and ensure ongoing compliance with PDPA requirements.
- Renewal of registration: Track the validity period of your Certificate of Registration and submit a renewal application before its expiry.
- Change of particulars: If there are any changes to the particulars in your Certificate of Registration, you are required to notify the Commissioner and apply for an update to the certificate.
Failure to notify such changes or to renew the registration in a timely manner constitutes an offence. As such, organisations should implement an internal compliance mechanism to ensure that renewal deadlines and any changes in particulars are properly tracked and addressed.
Non-compliance penalties
Registration under the PDPA is actively enforced by the authorities and organisations across various sectors have been issued compounds for failure to register as a data controller, typically in the range of RM10,000, and in certain cases up to RM30,000!
These enforcement actions demonstrate that regulators do not distinguish between large corporations and smaller businesses. If your organisation falls within a prescribed class of data controllers, failure to register exposes the business to real financial and legal consequences.
More importantly, registration is only one aspect of compliance. Organisations must also ensure that their actual data processing practices, internal policies, and privacy notices are aligned with the PDPA requirements.
Achieve PDPA compliance in 90 days with ELP
If your business requires assistance in reviewing data protection practices, preparing privacy notices, or developing PDPA compliance frameworks, our team at ELP can help ensure your organisation’s data handling practices align with the requirements of the PDPA.