Author name: Edwin Lee

Edwin is a corporate and technology lawyer. He is also the founder of Edwin Lee & Partners. Edwin has advised a range of companies, from technology startups to multinational corporations, on a range of matters. In 2020, Edwin was named a Malaysian Rising Star by Asian Legal Business, a finalist for Young Lawyer of the Year at the ALB Malaysia Law Awards, and a lawyer in the annual ALB publication Asia 40 under 40.

20 FAQs On Malaysia’s PDPA 2010 (Updated For 2024 Amendments) 


This FAQ brings together the most common questions we have heard directly from SME founders, entrepreneurs, and business owners navigating Malaysia’s data protection landscape. Whether you are new to the PDPA or reviewing how your business handles personal data, this guide breaks down the essentials in a clear and practical format.

What is the PDPA?

The Personal Data Protection Act 2010 (PDPA) is Malaysia’s law that governs how businesses collect, use, process, store, and share personal data in commercial transactions.

The PDPA was amended via the Personal Data Protection (Amendment) Act 2024, which introduced key changes to enforcement, increased penalties, data protection officers, data breach notification, and cross-border transfer requirements. For more information, read our breakdown of the PDPA amendments.

Who does it apply to?

The PDPA applies to:

It doesn’t apply to:

What are the seven PDPA principles?

These seven principles set the standard for how personal data should be handled responsibly:

For an in-depth look at applying these principles, see our framework on PDPA compliance.

What is considered “personal data”?

Any information that identifies or can identify an individual, directly or indirectly, including:

What is considered “sensitive personal data”?

Sensitive personal data is a special category of personal data that includes:

This type of data requires extra care because of its sensitive nature.

Do I need consent before collecting personal data?

Yes. Consent is one of the key legal requirements under the PDPA, and sensitive personal data requires explicit consent (for example, consent that is clearly expressed and documented).

What are examples of valid consent?

Since there are many possible ways to get consent, just make sure that the method you use is:

Here are some common examples of valid consent that meet the above requirements:

What must a privacy notice include?

Your privacy notice is how you show transparency and should clearly explain:

The privacy notice should be provided in both Bahasa Malaysia and English to ensure compliance with the PDPA. As a reference, the PDP Department has provided a sample privacy notice template.

Where should a privacy notice be displayed?

Your privacy notice should be clearly displayed at the point where personal data is collected, for example on your website, registration forms, premises, and any customer touchpoints that involve collecting personal data.

What rights do data subjects have?

Under the PDPA, data subjects (individuals) have the right to:

How long can I keep personal data?

Under the Retention Principle, personal data should only be kept for as long as necessary to fulfil the original purpose for which it was collected. Once it is no longer needed, you should delete or anonymise it securely. To manage this effectively, your organisation can establish a personal data retention policy.

How can I let individuals access / correct their data?

Under the Access Principle, individuals (data subjects) have the right to access and correct their personal data. To meet this obligation, your organisation should:

Can I share personal data with third parties?

Yes, but make sure you have:

Can I transfer personal data overseas?

Cross-border transfers are allowed under the PDPA, provided:

What’s expected under the Security Principle?

Organisations must take practical and reasonable steps to protect personal data from:

Common steps may include:

Technical Measures
  • Strong passwords
  • Two-factor authentication (2FA)
  • Data encryption (in transit and at rest)
  • Secure cloud infrastructure with firewalls

Organisational Measures
  • Role-based access control
  • Regular audits and access reviews

Physical Measures
  • Restricted physical access to servers or sensitive files
  • Secure disposal of physical records

How do I ensure data integrity?

To comply with the Data Integrity Principle as defined by the PDPA, organisations must ensure that personal data is:

Is there a breach notification requirement under the PDPA?

Yes. The organisation should give notification of the incident where the breach causes or is likely to cause significant harm. You should:

Check out our step-by-step guide to handling data breach notifications in Malaysia.

Do I need to appoint a Data Protection Officer?

Yes, but only if your organisation:

If your organisation does not fall under these classes, appointing a DPO is not compulsory.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia. To learn more, read our guides:
  • Outsourcing a DPO in Malaysia
  • In-house vs Outsourced DPO

What internal policies should I have?

To embed PDPA compliance in your organisation, consider these:

Start small and scale based on your size and risk exposure.

What are the penalties for not complying with the PDPA?

Under the PDPA, penalties vary by offence but can be as high as:

Conclusion

We are here to make PDPA compliance practical, not painful. Whether it’s crafting your privacy notice, running internal audits, or training your team, contact us to get started. For further reading, we recommend checking out the official FAQ by the Personal Data Protection Department.


Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settle the debts and obligations of the deceased.
  • Distribute the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access the username and password for each of your digital assets.
  • You are advised to store this private and confidential information on a USB stick, in a password management tool, or in written form.
  • Inform your executor or a trusted person of the whereabouts of these tools so that they will have access to your digital assets.