Author name: Edwin Lee

Edwin is a corporate and technology lawyer and the founder of Edwin Lee & Partners. He has advised companies ranging from technology startups to multinational corporations on a range of matters. In 2020, Edwin was named a Malaysian Rising Star by Asian Legal Business, a finalist for Young Lawyer of the Year at the ALB Malaysia Law Awards, and one of the lawyers featured in ALB's annual Asia 40 under 40 list.


Data Protection Officer (DPO) vs Chief Security Officer (CSO): A Definitive Guide

As Malaysia strengthens its legal framework for data privacy and cyber security with the Personal Data Protection (Amendment) Act 2024 (PDPA) and the Cyber Security Act 2024 (CSA), Malaysian organisations assessing their compliance obligations may be unsure whether they need both a Data Protection Officer (DPO) and a Chief Security Officer (CSO).

Below, we break down the legal requirement, roles, responsibilities and qualifications for both positions so you can determine which your organisation must appoint.

Legal requirement

As expressly outlined in Section 12A of the PDPA and supported by the official DPO guideline, as of 2025 it is mandatory for organisations in Malaysia to appoint a DPO if they:

In contrast, the CSA 2024 does not expressly mandate the appointment of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). However, designated NCII entities are subject to a wide range of cyber security obligations and may therefore benefit from appointing a designated CSO or similar role as a practical measure to ensure compliance with the CSA 2024.

Defining "NCII entity": an "NCII entity" is any government entity or person that owns or operates NCII. "NCII" (national critical information infrastructure) means a computer or computer system whose disruption or destruction would have a detrimental effect on the delivery of services relating to national security, defence, foreign relations, the economy, public health, public safety, public order or the ability of the government to carry out its functions effectively.

Roles and responsibilities

The table below summarises the key differences between the two roles:

Aspect | Data Protection Officer (DPO) | Chief Security Officer (CSO)
Primary mandate | Oversee compliance with data protection laws, including ensuring lawful processing of personal data and managing personal data breaches | Develop and enforce cyber security strategies, ensure system security, manage cyber risks and respond to cyber threats
Key regulator | Personal Data Protection Commissioner ("PDPC") | National Cyber Security Agency ("NACSA")
Roles | Acts as liaison to the PDPC, supports Data Protection Impact Assessments, monitors compliance and manages breach notifications | Leads incident response for cyber security attacks and oversees compliance and reporting obligations under the CSA 2024
Focus area | Personal data and privacy risk | Information systems and cyber threats
Mandatory by law | Yes | No

Qualifications

While there is some overlap in competencies, each role demands specific expertise.

Data Protection Officer (DPO)

A DPO can be chosen from an internal member of staff or outsourced, and in either case should:

Chief Security Officer (CSO)

While the CSA 2024 does not expressly require organisations to appoint a CSO, appointing such a role is considered best practice for NCII entities, as a CSO plays a key role in ensuring the organisation meets its cyber security obligations under the CSA 2024.

What to look for in a CSO:

Note: CyberSecurity Malaysia has introduced the Certified Chief Information Security Officer (CCISO) programme. The certification is aligned with international standards and tailored to Malaysia's compliance landscape under the CSA 2024.

Appointment context: a CSO is highly recommended for organisations designated as NCII entities. These include sectors deemed essential to national security, the economy, public health or safety, such as banks, telcos, utilities, hospitals and government-linked entities.

When to appoint both

An organisation can consider appointing both, especially if:

Example of when to appoint a DPO and a CSO: imagine a private hospital that runs a 24/7 emergency ward, stores thousands of electronic medical records (EMRs) and operates a telemedicine platform for remote consultations.

The DPO ensures patients are given proper privacy notices, handles consent for health data sharing and manages requests for access to or correction of patient records, all of which are required under the PDPA.

Meanwhile, the CSO defends the hospital's infrastructure against threats such as ransomware locking critical systems, DDoS attacks on the teleconsultation portal or unauthorised access to diagnostic devices connected to the network.

While the DPO covers personal data protection and the CSO focuses on cyber security, together they give the hospital comprehensive protection against both threat actors and mistakes.

Can a DPO also serve as CSO?

Technically yes, since neither Act expressly prohibits one person from serving as both DPO and CSO. However, dual-role arrangements should only be considered if:

Bear in mind that while both roles support security, they cover distinct subjects, and best practice is to separate the DPO and CSO functions for better oversight and risk management.

Conclusion

Appointing a DPO and a CSO is not a duplication. Where the DPO covers personal data protection, the CSO focuses on cyber security, and an organisation with both will enjoy better protection and a stronger ability to respond to regulatory expectations.


A Step-By-Step Guide To Handling Data Breach Notifications In Malaysia 


With the enforcement of Malaysia's Personal Data Protection (Amendment) Act 2024 ("PDPA"), the Circular of the Personal Data Protection Commissioner No. 2/2025 and the Data Breach Notification (DBN) Guideline, Malaysian organisations are now under a stricter legal framework that requires them to respond swiftly to personal data breaches.

Below, we explain how organisations can navigate their data breach notification obligations with clarity.

Defining "personal data breach"

A personal data breach is any event that leads, or is likely to lead, to the breach, loss, misuse or unauthorised access of personal data.

According to the DBN Guideline, common examples include:

These can result from accidental or deliberate actions and may involve internal or external parties.

When a breach must be reported

A personal data breach must be reported only if it causes or is likely to cause "significant harm".

"Significant harm" includes:

If there is a breach, the organisation should promptly perform a risk impact assessment to determine whether the breach meets the "significant harm" threshold.

Legal duty of data controllers to report breaches

Under the PDPA, the legal duty to report a personal data breach lies with the data controller (the party that controls the processing of the personal data), in this case the organisation.

Even if the breach originates with a third party that processes personal data on the data controller's behalf (for example, a cloud service provider), the obligation to submit a data breach notification still rests solely with the data controller.

Crucially, a third party's failure to inform the data controller of a breach does not excuse the latter from its notification duties.

To ensure compliance, the organisation should:

Notifying the Commissioner within 72 hours

Once a personal data breach that meets the "significant harm" threshold is discovered, the data controller must notify the Personal Data Protection Commissioner:

Complete the official Data Breach Notification (DBN) Form and submit it via:

As all three submission methods are treated the same, digital options are strongly encouraged to avoid missing the 72-hour deadline.

The notification to the Commissioner should also include:

If the 72-hour deadline is missed, a written justification for the delay and supporting documents must accompany the late submission.

Who is the point of contact with the Commissioner?

The Data Protection Officer (DPO) acts as the main contact point for the Commissioner in relation to a data breach, but only where a DPO appointment is mandatory under Section 12A of the PDPA.

If no DPO is required, the organisation must instead assign a senior representative with sufficient authority and expertise to handle official communications and assist with investigations. If you are unsure whether a DPO is mandatory for your organisation, see our full guide to DPO outsourcing in Malaysia.

Notifying affected data subjects within 7 days

If there is a likelihood of significant harm to any individual, the affected individual must be notified within 7 days of notifying the Commissioner.

Acceptable notification methods include:

The content of the notification must include:

Best practices

1. Establish a data breach response plan

2. Appoint a DPO (if required) or designate a responsible person

3. Maintain a data breach register

4. Conduct staff training. Train all employees to:

5. Prepare notification formats and templates. Pre-approved templates help ensure consistency, legal accuracy and faster response during high-pressure breach scenarios.

6. Review vendor agreements. Ensure third-party data processors are contractually bound to:

Non-compliance penalties

Under Section 12B(3) of the PDPA, failure to notify may result in:

Non-compliance may also lead to reputational harm, regulatory scrutiny and loss of customer trust.

Conclusion

In our practice, we have seen that the organisations best equipped to manage personal data breaches are those that invest early in the right people, well-defined processes and clear protocols. When a breach occurs, readiness makes all the difference, not just in compliance but in preserving stakeholder trust and business continuity.

If you are unsure whether your organisation is truly prepared, now is the time to assess and strengthen your response framework.


A Practical PDPA Compliance Framework For Organisations In Malaysia


With the 2024 and 2025 updates to the Personal Data Protection Act 2010 (PDPA), organisations in Malaysia now face stricter expectations of accountability and personal data governance. To help, we have prepared a practical framework for implementing PDPA compliance.

7 core personal data protection principles

The foundation of PDPA compliance is seven core principles that collectively govern how personal data is collected, used, stored and disclosed.

Principle | What it means | Example
General Principle | Only collect personal data when necessary and with consent | Don't collect NRIC numbers if names and email addresses will do
Notice and Choice Principle | Inform individuals of what personal data you collect and how it will be used | Include a clear privacy notice on your website or registration form
Disclosure Principle | Don't disclose personal data without consent unless required by law or otherwise necessary | Obtain written consent before sharing a client's details with a third-party service provider (e.g. a marketing agency)
Security Principle | Protect personal data from loss, misuse or unauthorised access | Use password protection and encryption for databases storing customer details
Retention Principle | Don't keep personal data longer than necessary | Delete job application forms and candidate records after a set period (for example, 12 months after the hiring process concludes)
Data Integrity Principle | Ensure personal data is accurate, complete and up to date | Regularly verify contact details for existing customers in your CRM
Access Principle | Individuals have the right to access and correct their personal data | Provide customers with a way to view or update their personal information

Organisations should apply these principles in their daily operations, policies and data lifecycle processes.

A PDPA-compliant privacy notice

Whether on your website, registration form or physical premises, a clear and accessible privacy notice is a good first step for organisations to demonstrate the above PDPA principles in action to the individuals whose personal data they collect.

Ensure the notice is easy to find, written in both Bahasa Malaysia and English, and clearly explains:

Under the Notice and Choice Principle, this should be done as early as possible, ideally when someone is first asked for their data or when it is collected.

Building a practical compliance framework

While a privacy notice is a good first step, true compliance is only achieved when an organisation has built a company-wide culture in which personal data protection is embedded into every part of daily operations. This means having the right systems, processes and people in place, and here is a practical framework for moving towards it:

For a better understanding of who qualifies as a DPO or how to appoint one, see our guides on:

Scaling PDPA efforts to business size

Matching PDPA efforts to your organisation's capacity, complexity and data risk is key to sustainability. Start with the most essential steps, reassess priorities and expand step by step.

Smaller / newer enterprises

Start with the essentials:

Larger / established businesses

At this stage, PDPA compliance should be embedded in your business functions:

Not every organisation needs to take the same path, but all paths should lead to the same outcome.

Conclusion

Compliance with the PDPA is a continuous journey, and embedding PDPA principles into your business practices lays the foundation for building trust, reducing risk and keeping pace with changing regulatory expectations.

If you need help putting this into action, we are here to support you with reviewing your current setup, drafting policies or building a full compliance framework tailored to your needs.



In-House vs Outsourced DPO: A Definitive Guide For Malaysian Businesses

With recent amendments to the Personal Data Protection Act (PDPA) coming into force, Malaysian businesses that meet the threshold for appointing a DPO must now make a strategic decision: "Should we appoint an internal DPO or outsource the role?"

This article breaks down the key considerations of both models, helping you choose an approach that aligns with your organisation's structure, risk profile and compliance obligations.

Clarifying the DPO's role

While the DPO guideline currently prescribes no formal academic or professional qualification, a DPO must fulfil certain requirements to qualify for the role:

Whether in-house or outsourced, this ensures the DPO has sufficient competency in data protection law and governance.

Appointing an in-house DPO

Appointing an in-house DPO means promoting one or more qualified team members to the position.

Why this approach works well:

What to watch out for:

Outsourcing the DPO role

Outsourcing the DPO role means engaging an external professional firm or sole practitioner.

Important note for businesses in Malaysia: outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA.

Why this approach works well:

What to watch out for:

You should ensure your service contract clearly covers all requirements and scope, so that both parties are aligned on roles, expectations and deliverables from the start. For a deeper dive, see our full guide to DPO outsourcing in Malaysia.

Conclusion

Whatever model you choose (outsourced or in-house), your DPO must be empowered to act, sufficiently resourced, independent in function and properly registered with the Commissioner.

If you would like assistance, our team is here to help evaluate your position, draft service agreements and ensure your appointment meets PDPA expectations. Reach out to get started.



The Business Guide To DPO Outsourcing In Malaysia

Important note for businesses in Malaysia: outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA.

Starting 1 June 2025, Malaysian businesses that meet the DPO appointment thresholds introduced by the Personal Data Protection (Amendment) Act 2024 must appoint a Data Protection Officer (DPO).

While the most established organisations may prefer appointing an in-house DPO, most businesses will find outsourcing this role to seasoned professionals the more cost-effective and strategic approach. As a provider of outsourced DPO services ourselves, we have written this guide to help business decision makers:

Let's begin.

Clarifying the role of a DPO

To paraphrase the guidelines issued by the Malaysian Department of Personal Data Protection (PDP), a Data Protection Officer is responsible for ensuring the organisation's total compliance with the PDPA, which means, among other duties:

By law, a DPO must:

In addition, PDP strongly recommends that a DPO should:

It is a specialised role that demands technical expertise and ethical conduct, and with enforcement starting 1 June 2025, a critical hire for businesses.

Signs you need an outsourced DPO

The first step is to assess whether your team has the capacity to meet PDPA requirements without outside help. Our in-house vs external DPO comparison provides a deep dive into the subject, but for our readers' convenience, here are five key indicators that your organisation would likely benefit from outsourcing the role:

If any of these applies to your organisation, there is a strong argument for outsourcing your DPO role. Even if you intend to build in-house DPO capacity in the future, an outsourced DPO can ensure immediate compliance with the June 2025 deadline.

How to properly outsource your DPO role

PDP recommends a minimum DPO appointment term of two years to promote stability. To outsource this role effectively, your organisation should:

The service contract should clearly define the DPO's scope of work, service terms, responsibilities and access to data.

Best practices when outsourcing

To make the most of your outsourced DPO, consider these operational best practices:

Best practice | Explanation
Ensure access to key documents and systems | Provide the DPO with secure but full access to relevant policies, personal data flows, contracts and the data register so they can perform their role effectively
Establish clear escalation protocols | Define how and when the DPO will be alerted in the event of a personal data breach or incident
Schedule regular executive-level engagement | Hold regular briefings between the DPO and top management to review risk exposure, compliance gaps and training needs
Designate internal liaisons | Assign people from the legal, IT, HR and security departments to coordinate with the DPO, ensuring smooth collaboration and issue resolution

Conclusion

If your organisation lacks the people, structure or independence needed to manage a compliant data protection programme internally, outsourcing your DPO is a strategic, risk-managed solution aligned with regulatory expectations.

We can help you draft compliant service agreements and ensure your appointment meets PDPA expectations. Reach out to get started.



An Overview Of The 2024’s Proposed Amendments to the Personal Data Protection Act 2010

Note: This article reflects the Bill as it stood at the time of writing, 11 July 2024, and should be read on the assumption that it is passed in that form; any further amendments may change the position described below.

The Personal Data Protection (Amendment) Act 2024 ("PDPA Amendments in 2024") is currently at the first reading stage in the Malaysian Parliament. It will proceed through further readings and must be approved by both Houses of Parliament before being presented for Royal Assent by His Majesty The Yang di-Pertuan Agong. It may therefore take some time before the Bill legally comes into force.

Malaysia's Personal Data Protection Act 2010 ("PDPA") is set to undergo significant updates aimed at aligning with international standards and strengthening the protection of personal data. Here is an overview of the key proposed changes, a comparison with the current provisions, and our insights on the proposed amendments.

Terminology Update

Current Position: The term "data user" is used throughout the PDPA.

Proposed PDPA Amendments in 2024: The term "data user" will be replaced with "data controller". This aligns Malaysia's data protection terminology with global standards, such as those used in the General Data Protection Regulation (GDPR), ensuring consistency and facilitating international data protection compliance.

New Definitions

Current Position: The PDPA does not currently define "biometric data" or "personal data breach".

Proposed PDPA Amendments in 2024: Definitions of these terms are introduced. The aim is to provide better clarity in the PDPA, ensuring that specific categories of sensitive data and incidents are clearly identified and adequately protected.

Enhanced Responsibilities of Data Processors

Current Position: Data processors are not explicitly required to comply with the security principle.

Proposed PDPA Amendments in 2024: Data processors, who process data on behalf of data controllers, must comply with the security principle under the PDPA. This requires data processors to implement appropriate technical and organizational measures to protect personal data, ensuring accountability and enhancing overall data protection practices.

Increased Penalties

Current Position: Penalties for non-compliance include fines of up to RM300,000 and imprisonment of up to two years.

Proposed PDPA Amendments in 2024: The maximum fine is increased to RM1,000,000 and the maximum imprisonment term is extended to three years. These heightened penalties underscore the seriousness of compliance and aim to deter violations by imposing more severe consequences.

Data Protection Officers (DPOs)

Current Position: There is no mandatory requirement to appoint a DPO.

Proposed PDPA Amendments in 2024: Data controllers and processors must appoint one or more DPOs responsible for ensuring compliance with the PDPA. This requirement aligns with international best practice, ensuring that organizations have dedicated personnel to manage and safeguard personal data effectively.

Data Breach Notification

Current Position: There is no explicit requirement to notify data breaches.

Proposed PDPA Amendments in 2024: Data controllers must notify the Personal Data Protection Commissioner of any data breach as soon as practicable. If the breach causes or is likely to cause significant harm to the data subject, data controllers must also notify the affected data subjects promptly. Failure to comply can result in a fine of up to RM250,000 or imprisonment for up to two years. The form and manner of notification will be determined by the Personal Data Protection Commissioner. Mandatory breach notification ensures timely awareness of and response to data breaches, and aligns with international best practice by enhancing transparency and accountability in data protection.

Right to Data Portability

Current Position: The PDPA does not currently provide a right to data portability.

Proposed PDPA Amendments in 2024: Data subjects can request that their personal data be transferred to another data controller, subject to technical feasibility and compatibility of the data format. This right enhances data subjects' control over their personal data and facilitates smoother transitions between service providers.

Cross-Border Data Transfers

Current Position: Section 129 of the PDPA prohibits the transfer of personal data to a place outside Malaysia unless that place is specified by the Minister by notification in the Gazette. No such whitelist has been gazetted to date.

Proposed PDPA Amendments in 2024: Data controllers can transfer personal data to countries that provide protection equivalent to the PDPA, and the requirement for the Minister to specify places for data transfers is removed. The amendment shifts responsibility from the Minister to the data controller, which must decide on transfers based on adequacy standards. This aims to streamline cross-border data flows while ensuring that data transferred internationally remains adequately protected.

Miscellaneous Amendments

Various amendments are proposed to enhance clarity and consistency within the PDPA, including updates to definitions, procedural changes and adjustments to keep the Act coherent.

Conclusion

The Proposed PDPA Amendments in 2024 represent a significant step forward in strengthening Malaysia's data protection framework. By aligning with international standards and addressing emerging data protection challenges, the amendments aim to provide robust safeguards for personal data and enhance trust in the digital ecosystem.

Immediate Action Required

Given the significance of these amendments, it is high time for companies and organizations in Malaysia to take PDPA compliance seriously. Those that already have a PDPA compliance framework will need to update and revise it, while those that do not yet have one will need to start implementing these practices within their organization.



Exploring The Different Types of Investment Contracts in Malaysia

Introduction

Imagine you are an investor eager to tap into Malaysia's booming market. What legal safeguards ensure your capital is protected? Welcome to the world of investment contracts. These essential legal instruments govern the relationships and obligations between the parties to an investment, providing a framework that protects their interests and keeps the venture legally compliant.

Understanding Investment Agreements

Investment agreements are the foundation of a successful investment. These legally binding contracts set out the terms and conditions of the deal, including each party's rights, responsibilities and expectations.

The Importance of Investment Agreements in Malaysia

In Malaysia, the significance of investment agreements cannot be overstated. With the country's growing economy and diverse investment opportunities, these agreements are crucial in providing clarity and security. They cover essential aspects such as ownership, profit-sharing and decision-making authority, fostering a stable environment for investors.

Legal Framework for Investment Agreements in Malaysia

The legal framework for these agreements is governed by key Malaysian laws such as the Companies Act 2016 and the Capital Markets and Services Act 2007. These statutes underpin the transparency, security and enforceability of investment agreements.

Protecting Interests with Investment Agreements

An investment agreement's primary objective is to establish a formal structure that safeguards all parties' interests. Essential components typically include:

By understanding these elements, investors can ensure their ventures are well protected and legally sound.

Investment Agreement vs Shareholders Agreement

One of the primary distinctions in the realm of investment contracts is between investment agreements and shareholders agreements.

Investment Agreement

An investment agreement sets out the terms of the investor's financial contribution to the company, recording a one-time transaction between the investor and the company. Key elements typically include:

Shareholders Agreement

A shareholders agreement, on the other hand, is a contract among the shareholders of a company. It governs the relationship between the shareholders, setting out their rights, duties and obligations. Key components include:

Practical Example: Imagine a tech startup seeking funding. The startup enters into an equity investment agreement with a venture capitalist who, in return for financial support, receives shares in the company. Following the investment, the startup's founders and the new investor sign a shareholders agreement to govern their ongoing relationship, detailing how decisions will be made and how shares can be transferred in the future.

Investment MOUs

An Investment Memorandum of Understanding (MOU) sets out preliminary terms between an investor and a company before formal agreements are drafted, typically outlining:

MOUs are generally not legally binding. They are most useful during early discussions, when the parties seek a soft commitment, as they help both sides align on key terms without creating binding obligations.

Agreement for Sale and Purchase of Shares

The agreement for the sale and purchase of shares (SPA) is another vital investment contract in Malaysia. It is used when one party (the seller) agrees to sell shares to another party (the buyer). Key aspects include:

An SPA ensures that both parties have a clear understanding of the terms of the share transfer, reducing the risk of future disputes.

Investment Contracts

In a broader sense, an investment contract is any agreement that involves the allocation of funds in return for a potential financial return. These contracts can take various forms, including:

Type of contract | Key elements | Purpose
Investment Agreement | Investment amount, form of investment, rights and obligations | Governs the initial investment terms
Shareholders Agreement | Ownership, control, transfer of shares, decision-making processes, dispute resolution | Manages the ongoing relationship between shareholders
Sale and Purchase Agreement (SPA) | Purchase price, representations and warranties, conditions precedent, completion and settlement | Facilitates the transfer of shares
Equity Investment Contract | Investment in exchange for shares | Provides an equity stake in a company
Debt Investment Contract | Loan with repayment and interest terms | Provides debt financing with expected repayment
Convertible Securities Contract | Debt convertible into equity under specific conditions | Offers the potential to convert debt into equity

Conclusion

Navigating the landscape of investment contracts in Malaysia requires a solid understanding of the various types available and their specific applications. Whether it is an investment agreement, a shareholders agreement or a contract for the sale and purchase of shares, each plays a vital role in the investment ecosystem. By carefully drafting and understanding these contracts, investors and companies can protect their interests and ensure smooth, legally compliant transactions.

For personalised advice on your investment contracts, contact a legal expert specialising in corporate and commercial law. This proactive step can help safeguard your investments and ensure compliance with Malaysian law.

Exploring The Different Types of Investment Contracts in Malaysia


Legal Recognition of Electronic and Digital Signatures in Malaysia

Electronic signatures and digital signatures are often used interchangeably to refer to tools for signing digital documents. Traditionally, signing involved physical documents or objects, such as paper signatures or fingerprints, to indicate that the signer had read, understood, and agreed to the document’s content. Today, technology allows for digital signing by affixing a name, mark, or drawing to a softcopy document, known as an electronic signature or digital signature. Although both serve a similar purpose, they differ significantly in legal framework, security, and admissibility.

Electronic Signature

In Malaysia, electronic signatures are governed by the Electronic Commerce Act 2006 (ECA). The ECA defines an electronic signature as any letter, character, number, sound, or any other symbol, or any combination thereof, created in an electronic form and adopted by a person as a signature. In practice, a typed name affixed to a PDF is an electronic signature. The main purpose of the ECA is to give legal recognition to electronic messages in commercial transactions. For an electronic signature to be admissible, it must fulfil the following requirements under the ECA:

An electronic signature is considered reliable if:

If these requirements in Section 9 of the ECA are satisfied, the electronic signature meets the legal standard. However, Section 10 of the ECA specifies that certain documents requiring a seal, such as Powers of Attorney, Wills, Trust documents, and Negotiable Instruments (like bank cheques), are not validly signed with an electronic signature unless it is a digital signature under the Digital Signature Act 1997.

Digital Signature

A digital signature provides a higher level of security than an electronic signature. An electronic signature can be faked by anyone who can type the signer’s name (person A signing as person B through impersonation), because nothing in the signature itself ties it to the person. A digital signature, by contrast, can only be produced by the holder of a particular private key, and a certificate issued by a certification authority binds that key to the signer’s identity.

The Digital Signature Act 1997 (DSA) defines a digital signature as a transformation of a message using an asymmetric cryptosystem, created with the private key corresponding to the signer’s public key, such that a person having the original message and the signer’s public key can determine (a) whether the transformation was created using the private key that corresponds to that public key, and (b) whether the message has been altered since the transformation was made. In other words, verifying a digital signature checks both who signed and that the document has not changed since it was signed. For a digital signature to be legally binding under Section 62 of the DSA, it must meet the following criteria:

In Malaysia, recognised digital signature options certified by licensed certification authorities include:

Documents signed with digital signatures issued through these licensed certification authorities have legally binding effect. Digital signatures from foreign platforms do not hold the same legal validity, because they lack certification by a Malaysian licensed certification authority.

Summary

In summary, Malaysian law differentiates between electronic signatures and digital signatures. Where a seal is required on a document, Section 10 of the ECA makes a digital signature the minimum requirement. Parties should weigh the convenience of electronic signatures against the legal risk of their validity being challenged. For documents traditionally requiring a seal, using digital signatures or physical signatures is the more prudent course to ensure compliance with statutory requirements and legal certainty.
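The two properties the DSA definition describes, that the signature was created with the private key matching the signer’s public key and that the message has not been altered since, can be checked mechanically. The following Go program is an added example and not part of the original article or of any Malaysian certification authority’s software. It uses Ed25519 as the asymmetric cryptosystem (the DSA names no particular algorithm), generates the key pairs locally instead of obtaining them from a licensed certification authority, and signs a constructed sample document. It also models the ECA-style electronic signature as a name appended to the document, to show why that form carries no evidence of who produced it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer models one signatory. The key pair is generated locally for this
// example; under the DSA 1997 the public key would instead be bound to the
// signer's identity by a certificate from a licensed certification authority.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner creates a fresh Ed25519 key pair for the named party.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// Sign produces the DSA-style "transformation" of the document with the
// signer's private key. Only the holder of that key can produce it.
func (s *Signer) Sign(doc []byte) []byte {
	return ed25519.Sign(s.priv, doc)
}

// PublicKey is what a relying party needs in order to check the signature.
func (s *Signer) PublicKey() ed25519.PublicKey {
	return s.pub
}

// Verify reports whether sig was produced over exactly doc by the private key
// matching pub. It fails both when the document was altered after signing and
// when a different key produced the signature: the two DSA criteria at once.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// ElectronicSign models the ECA-style electronic signature: a name appended to
// the document. Nothing in the result depends on who actually typed the name.
func ElectronicSign(doc []byte, name string) []byte {
	out := append([]byte{}, doc...)
	return append(out, []byte("\nSigned: "+name)...)
}

// Results records the outcome of the checks a relying party cares about.
type Results struct {
	GenuineVerifies     bool // correct key, unaltered document
	AlteredVerifies     bool // correct key, document changed after signing
	WrongKeyVerifies    bool // unaltered document, another party's key
	ElectronicForgeable bool // impersonator reproduces the electronic signature byte for byte
}

// Demo runs the checks on a constructed sample document (not from the page).
func Demo() (Results, error) {
	alice, err := NewSigner("Alice")
	if err != nil {
		return Results{}, err
	}
	mallory, err := NewSigner("Mallory") // an impersonator with her own keys
	if err != nil {
		return Results{}, err
	}
	doc := []byte("Sale of 1,000 ordinary shares in Example Sdn Bhd for RM 10.00 per share")
	sig := alice.Sign(doc)

	// Changing a single figure in the price must invalidate Alice's signature.
	altered := bytes.Replace(doc, []byte("RM 10.00"), []byte("RM 1.00"), 1)

	// Mallory "signs" electronically as Alice: the bytes are identical to what
	// Alice herself would have produced, so the signature proves nothing.
	byAlice := ElectronicSign(doc, "Alice")
	byMallory := ElectronicSign(doc, "Alice")

	return Results{
		GenuineVerifies:     Verify(alice.PublicKey(), doc, sig),
		AlteredVerifies:     Verify(alice.PublicKey(), altered, sig),
		WrongKeyVerifies:    Verify(mallory.PublicKey(), doc, sig),
		ElectronicForgeable: bytes.Equal(byAlice, byMallory),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine digital signature verifies:  %v\n", r.GenuineVerifies)
	fmt.Printf("altered document verifies:           %v\n", r.AlteredVerifies)
	fmt.Printf("other party's key verifies:          %v\n", r.WrongKeyVerifies)
	fmt.Printf("electronic signature forgeable:      %v\n", r.ElectronicForgeable)
}
```

The first three results are the substance of the DSA definition: only an unaltered document checked against the right public key verifies. The fourth shows the gap the article describes for electronic signatures: because the appended name is all there is, the impersonator’s copy is indistinguishable from the genuine one. In a real deployment the public key would come from a certificate issued by a licensed certification authority, and the relying party would check that certificate before trusting the key.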



Brokerage Agreements: Your Key to Successful Transactions

In the realm of business, intermediaries and brokers play a critical role in connecting buyers and sellers, facilitating transactions, and ensuring smooth negotiations. However, operating as a broker without a formal agreement can lead to misunderstandings, disputes, and potential legal complications. Therefore, it is essential for intermediaries to sign a brokerage agreement to clearly define the terms and conditions of their engagement. This article explores the importance of brokerage agreements, key components to include, and best practices for drafting and executing these agreements.

Importance of Brokerage Agreements

A brokerage agreement is a legally binding contract between a broker and their client, outlining the scope of services, payment terms, duties, and responsibilities. This agreement is vital for several reasons:

Key Components of a Brokerage Agreement

When drafting a brokerage agreement, several critical components should be included to ensure it is comprehensive and effective:

Best Practices for Drafting and Executing Brokerage Agreements

To create an effective brokerage agreement, consider the following best practices:

Conclusion

For intermediaries and brokers, signing a brokerage agreement is not just a formality but a crucial step in establishing a clear, professional, and legally binding relationship with clients. By defining the terms of engagement, compensation, and responsibilities, a well-crafted brokerage agreement minimises the risk of disputes and ensures that both parties’ interests are protected. Brokers should invest time and resources into drafting thorough and precise agreements, leveraging legal expertise, and maintaining transparent communication to foster successful and trustworthy business relationships.



A Comparative Analysis of the Malaysian Personal Data Protection Act 2010 and GDPR

We learned that the GDPR applies to Malaysian entities if they are either offering goods or services to, or monitoring the behaviour of, individuals in the European Union (Article 3 of the GDPR). Although both the PDPA and the GDPR aim to protect an individual’s rights over their personal data, and both turn on a data subject’s “identifiability” to decide whether the data constitutes “personal data”, data subjects within the European Union are afforded greater rights. The GDPR is a more comprehensive and stringent data protection law than the PDPA. It gives individuals more control over their personal data and imposes stricter obligations on organisations that process personal data.

To keep pace with technological advancements, the Malaysian Personal Data Protection Department (JPDP) has been actively considering significant updates to the PDPA 2010, which is widely viewed as outdated. The proposed amendments, outlined in Public Consultation Paper No. 1/2020, represent a shift towards alignment with the European General Data Protection Regulation (GDPR). Notably, one such amendment aims to extend the PDPA’s jurisdiction to cover data users outside Malaysia who monitor Malaysian data subjects, indicating a move towards GDPR-level data protection standards. In this article, we set out the distinctions between the PDPA and the GDPR.

Territorial Scope and Application

The GDPR’s application extends beyond commercial interests to encompass a wide range of personal data processing activities, including social, educational, and employment contexts. This comprehensive approach contrasts with the PDPA’s focus primarily on commercial transactions, which can leave non-commercial data processing scenarios under-protected.

Aspect: Application and Territorial Scope
PDPA:
  • Applicable only in Malaysia.
  • Focus on personal data in commercial transactions.
  • Excludes the Federal Government, State Governments, and credit reporting businesses.
GDPR:
  • Extra-territorial applicability.
  • Applies to EU member states, with extra-territorial effect, covering data subjects in the EU.

Standard of Consent Required

The PDPA ties consent to the purposes of data collection but lacks a clear definition of “valid consent”, leaving room for “implied consent”. In contrast, the GDPR mandates that consent be “freely given, specific, informed, and unambiguous”, giving data controllers clearer guidance.

Aspect: Standard of Consent Required
PDPA:
  • Consent is required for data processing but is not specified in detail.
  • Consent must be recorded and maintained.
GDPR:
  • Consent must be actively given.
  • Consent must be freely given, specific, informed, and unambiguous.

Retention of Data

Under the PDPA, data users have flexibility in retaining personal data for as long as retention remains justifiable. The absence of a specific timeframe, however, leaves room for interpretation. Conversely, the GDPR gives data subjects the right to request erasure when data is no longer necessary or consent is withdrawn, imposing stricter obligations on data controllers.

Authority Over Personal Data

The PDPA grants data subjects limited rights, primarily to restrict processing that is likely to cause damage or distress and to prevent processing for direct marketing. The GDPR confers broader rights, including data portability, erasure, and the right to object to processing.

Aspect: Authority Over Personal Data
PDPA:
  • Limited rights.
  • Right to restrict processing where the processing is likely to cause damage or distress.
  • Right to prevent processing for the purposes of direct marketing.
GDPR:
  • Confers on data subjects greater control over their personal data.
  • Right to restrict processing.
  • Right to object to data processing.
  • Right to data portability.
  • Right to erasure.

Transborder Transfer of Data

The PDPA’s cautious approach to cross-border data transfers, which requires ministerial authorisation, aims to enhance data security but creates practical challenges. The GDPR facilitates the free flow of data within the EEA, subject to stringent data protection standards for transfers outside the EEA.

Aspect: Transborder Transfer of Data
PDPA:
  • Not allowed unless the transfer is authorised by the Minister.
GDPR:
  • Free flow of personal data within the EEA (European Economic Area).
  • Strict restrictions on transfers to third countries without an adequacy decision, appropriate safeguards, or an applicable exception.

Accountability and Breach Notification

While the PDPA allows for voluntary breach reporting, the lack of a mandatory requirement raises transparency concerns. The GDPR’s framework includes mandatory breach reporting to the supervisory authority within 72 hours, the appointment of Data Protection Officers, and Data Protection Impact Assessments, ensuring higher transparency and accountability.

Aspect: Accountability and Breach Notification
PDPA:
  • No specific breach notification requirement.
GDPR:
  • Mandatory reporting of breaches to the relevant authority within 72 hours.
  • Appointment of a Data Protection Officer.
  • Data Protection Impact Assessments.
  • Privacy by design.

Summary

The Personal Data Protection Act (PDPA) in Malaysia and the General Data Protection Regulation (GDPR) in the EU take distinct approaches to data protection. While the PDPA primarily addresses commercial transactions, the GDPR offers a comprehensive framework covering a wider range of data processing. These differences emphasise the importance of complying with the specific regulations relevant to your organisation to ensure data security and compliance in a global context. Note that this comparison describes the PDPA 2010 as it stood before the Personal Data Protection (Amendment) Act 2024, which has since introduced, among other changes, mandatory data breach notification and mandatory appointment of data protection officers for data users meeting the prescribed criteria.


Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settle the debts and obligations of the deceased.
  • Distribute the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of the username, password and any other steps needed to access each digital asset.
  • Store this private and confidential information securely, for example on a USB stick, in a password management tool, or in writing kept in a safe place.
  • Inform your executor or a trusted person where this information is kept, so that they will be able to access your digital assets.