Author name: Edwin Lee

With the Personal Data Protection (Amendment) Act 2024 (“PDPA”) and the new Cyber Security Act 2024 (“CSA 2024”) in force, organisations are now subject to complementary but distinct notification obligations under two legal regimes:   In this article, we break down the differences between Data Breach Notification (DBN) under the PDPA and Cyber Security Incident Reporting under the CSA 2024.  Quick comparison  Aspect  Personal Data Breach  Cyber Security Incident  Definition  Any event or incident that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data  An act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardises or adversely affects its cyber security   Source of breach  Accidental or deliberate; can involve internal or external parties  Cyber threat actor(s) or unauthorised computer activity   Regulated under  Personal Data Protection Act (PDPA)   Cyber Security Act 2024 (CSA 2024)  Threshold  Likely to cause “significant harm” to individuals  Incident involving or affecting National Critical Information Infrastructure (NCII)   Regulator  Personal Data Protection Commissioner (“PDPC”)   National Cyber Security Agency (“NACSA”)  Mandatory by Law  Yes  Yes  Legal triggers and reporting thresholds  Data breach reporting  Under the PDPA (Section 12B), Circular of Personal Data Protection Commissioner No. 2/2025, and Data Breach Notification (DBN) Guideline, a data breach must be reported if it causes or is likely to cause “significant harm”.   If the organisation determines a breach does not cause or is not likely to cause significant harm, then notification is not mandatory.  However, for regulatory review purposes, it is strongly recommended to document the internal assessment process, including the basis for non-notification decision, risk evaluation findings, and any supporting documents or mitigation steps.   Cyber Security Incident reporting  Under the CSA 2024 (Section 23) and the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, Cyber Security Incidents must be reported immediately when it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII has occurred or might have occurred.   Even suspected incidents must be reported within the prescribed time and manner (as set by regulations).  Under the CSA 2024, only entities classified as NCII are legally required to report cybersecurity incidents. However, non-NCII entities may also voluntarily report incidents.  Notification timeline and channels  Reporting Obligation  PDPA 2024 (Data Breach)  CSA 2024 (Cyber Security Incident)  Notified to  PDPC   The Chief Executive of NACSA and the relevant NCII sector lead    Notification   As soon as practicable (within 72 hours of becoming aware of the incident)  Immediate notification submit initial report within 6 hours of becoming aware of the incident    Method  By electronic means (i.e., email) or by hardcopy submission   By electronic means  Notification to Affected Individuals  Within 7 days of PDPC notification (if there is “significant harm”)  Currently no express obligation under the CSA 2024    Reporting Format  DBN Form    Via email to [email protected], submit necessary information via National Cyber Coordination and Command Center System    Supplementary Info  Update PDPC if more details become available    Within 14 days of the notification and further updates from time to time  Coordinating dual notifications  Incidents involving system compromise and personal data loss need dual notification, in which case:  To enhance coordination and minimise compliance risks, we recommend:  Enforcement and penalties  Failure to notify the relevant agency of an incident carries the following potential penalties.  PDPA   CSA 2024  Fine up to RM250,000, imprisonment up to 2 years, or both.     Fine up to RM500,000, imprisonment up to 10 years, or both.    Non-compliance may also trigger further investigations, compliance audits, and reputational harm.  Practical takeaways   Based on our experience assisting clients with breach response, we offer the following practical steps to manage the situation effectively:  Conclusion  With both the PDPA and the CSA 2024 in full effect, the distinction lies in the focus: PDPA protects individuals, while the CSA governs cybersecurity risks and incident response.   In practice, the lines often blur. That’s why we help clients build integrated response frameworks that account for both legal regimes, timelines, and regulators.  If you are unsure whether your organisation’s protocols are up to date, or whether you are designated as NCII, now is the time to review and reinforce your governance framework. 

Ready to appoint a DPO in Malaysia? See our step-by-step DPO-as-a-Service process on dpomalaysia.my! Read Our Guide As Malaysia strengthens its legal framework for data privacy and cyber security with the Personal Data Protection (Amendment) Act 2024 (PDPA) and Cyber Security Act 2024 (CSA), Malaysian organisations assessing their compliance obligations may be unsure if they need both a Data Protection Officer (DPO) and a Cyber Security Officer (CSO).  Below, we have broken down the legal requirement, roles, responsibilities, and qualifications for both positions so you can determine which your organisation must appoint.  Legal requirement  As expressly outlined in Section 12A of the PDPA and supported by official DPO guideline, as of 2025, it is mandatory for organisations in Malaysia to appoint a DPO if they:   In contrast, the CSA 2024 does not expressly mandate the appointment of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). However, designated NCII entities are subject to a wide range of cybersecurity obligations and as a result, may benefit from appointing a designated CSO or similar role as a practical measure to ensure compliance with the CSA 2024.   Defining “NCII entity”: “NCII entity” means any government entity or person that owns or operates NCII. “NCII” means a computer or computer system in which if it is disrupted or destroyed, it will result to a detrimental effect to the delivery of service relating to the security, defence, foreign relations, economy, public health, public safety, public order or the ability of the government to carry out its functions effectively.   Roles and responsibilities  The table below summarises the key differences between the two roles:  Aspect  Data Protection Officer (DPO)  Chief Security Officer (CSO)   Primary Mandate  Oversee compliance with data protection laws including to ensure lawful processing of personal data and manage personal data breaches.   Develop and enforce cyber security strategies, ensure system security, manage cyber risks and respond to cyber threats.   Key Regulator  Personal Data Protection Commissioner (“PDPC”)  National Cyber Security Agency (“NACSA”)   Roles  Acts as liaison to PDPC, supports Data Protection Impact Assessments, monitors compliance, and manages breach notifications.   Leads the incident response for cyber security attacks and oversees compliance and reporting obligations under CSA 2024.   Focus Area  Personal Data & Privacy Risk  Information Systems & Cyber Threats   Mandatory by Law  Yes  No  Qualifications  While there is some overlap in competencies, each role demands specific expertise:  Data Protection Officer (DPO)  A DPO can be chosen from an internal member or outsourced, and in either case should:  What is a Data Protection Officer? A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia. To learn more, read our guides: Outsourcing a DPO in Malaysia In-house vs Outsourced DPO Chief Security Officer (CSO)  While the CSA 2024 does not expressly require organisations to appoint a Chief Security Officer (CSO), appointing such a role is considered a best practice for NCII entities as a CSO plays a key role in ensuring the organisation meets cybersecurity obligations under the CSA 2024.  What to look for in a CSO:  Note: CyberSecurity Malaysia has introduced the Certified Chief Information Security Officer (CCISO) programme. The certification is aligned with international standards and tailored to meet Malaysia’s compliance landscape under the CSA 2024.   Appointment Context: it is highly recommended for organisations designated as the NCII entity. These include sectors deemed essential to national security, economy, public health, or safety, such as banks, telcos, utilities, hospitals, and government-linked entities.  When to appoint both  An organisation can consider appointing both especially if:  Example of when to appoint a DPO and CSO: A Imagine a private hospital that runs a 24/7 emergency ward, stores thousands of electronic medical records (EMRs), and operates a telemedicine platform for remote consultations.  The DPO ensures patients are given proper privacy notices, handles consent for health data sharing, and manages requests for access or correction of patient records, all required under the PDPA.  Meanwhile, the CSO defends the hospital’s infrastructure against threats like ransomware locking critical systems, DDoS attacks on the teleconsultation portal, or unauthorised access to diagnostic devices connected to the network.  While the DPO covers personal data protection, the CSO focuses on cybersecurity, and together they provide the hospital with a truly comprehensive protection against threat actors and mistakes. Can a DPO also serve as CSO?  Technically yes, since there is no express prohibition under the acts against one person serving as both DPO and CSO. However, dual-role arrangements should only be considered if:  However, bear in mind that while both roles support security, they cover distinct subjects, and best practice would be to separate DPO and CSO functions for better oversight and risk management.  Conclusion  Appointing a DPO and a CSO is not a duplication, Where the DPO covers personal data protection, a CSO focuses on cybersecurity, and any organisation with both will enjoy better protection and ability to respond to regulatory expectations. 

With the enforcement of Malaysia’s Personal Data Protection (Amendment) Act 2024 (“PDPA”), Circular of Personal Data Protection Commissioner No. 2/2025, and the Data Breach Notification (DBN) Guideline, Malaysian organisations are now under a stricter legal framework to respond swiftly to personal data breaches.   Below, we explain how organisations can navigate data breach notification obligations with clarity.  Defining “personal data breach”  A personal data breach refers to any event that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data.   According to the DBN Guidelines, common examples include:  These can result from both accidental or deliberate actions and involve internal or external parties.  When a breach must be reported  A personal data breach must be reported only if it causes or is likely to cause “significant harm”.  “Significant harm” includes:  If there is a breach, the organisation should perform a prompt risk impact assessment to determine if the breach meets the threshold of “significant harm”.   Legal duty of Data Controllers to report breaches  Under the PDPA, the legal duty to report a personal data breach lies with the Data Controller (i.e., the party that ultimately uses the personal data), in this case, the organisation.  Even if the breach originates from a third-party who processes personal data on the Data Controller’s behalf (e.g. cloud service provider), the obligation to submit a data breach notification still rests solely with the Data Controller.  Crucially, failure by a third party to inform the Data Controller of a breach does not excuse the latter from notification duties.  To ensure compliance, the organisation should:  Notifying the Commissioner within 72 hours    Once a personal data breach that meets the “significant harm” threshold is discovered, the Data Controller must notify the Personal Data Protection Commissioner:  Complete the official Data Breach Notification (DBN) Form and submit it via:  As all three submission methods are treated the same, digital options are strongly encouraged to avoid missing the 72-hour deadline.  The notification to the Commissioner should also include:  If the 72-hour deadline is missed, a written justification for the delay and supporting documents must accompany the late submission.  Who is point of contact with the Commissioner?  The Data Protection Officer (DPO) will act as the main contact point for the Commissioner in relation to a data breach, but only where appointment is mandatory under Section 12A of the PDPA.   If no DPO is required, the organisation must instead assign a senior representative with sufficient authority and expertise to handle official communications and assist with investigations.  If you’re unsure if a DPO is mandatory for your organisation, we answer it in our full guide to DPO outsourcing in Malaysia. Notifying affected data subjects within 7 days  If there is a likelihood of significant harm to any individual, the affected individual must be notified within 7 days after notifying the Commissioner.   Acceptable notifying methods include:  Content of the notification must include:  Best practices  1. Establish a Data Breach Response Plan  2. Appoint a DPO (If required) or Designate a Responsible Person  3. Maintain a Data Breach Register  4. Conduct Staff Training  Train all employees to:  5. Prepare Notification Formats and Templates  Pre-approved templates help ensure consistency, legal accuracy, and faster response during high-pressure breach scenarios.   6. Review Vendor Agreements  Ensure third-party data processors are contractually bound to:  What is a Data Protection Officer? A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia. To learn more, read our guides: Outsourcing a DPO in Malaysia In-house vs Outsourced DPO Non-compliance penalties  Under Section 12B(3) of the PDPA, failure to notify may result in:  Non-compliance may also lead to reputational harm, regulatory scrutiny, and loss of customers’ trust.  Conclusion In our practice, we have seen that the organisations best equipped to manage personal data breaches are those that invest early in the right people, well-defined processes, and clear protocols. When a breach occurs, readiness makes all the difference, not just in compliance, but in preserving stakeholder trust and business continuity.  If you are unsure whether your organisation is truly prepared, now is the time to assess and strengthen your response framework. 

Ready to appoint a DPO in Malaysia? See our step-by-step DPO-as-a-Service process on dpomalaysia.my! Read Our Guide With recent amendments to the Personal Data Protection Act (PDPA) coming into force, Malaysian businesses that meet the threshold for appointing a DPO must now make a strategic decision:  “Should we appoint an internal DPO or outsource the role?”   This article breaks down the key considerations of both models, helping you choose an approach that aligns with your organisation’s structure, risk profile, and compliance obligations.  Clarifying the DPO’s role While there is no formal academic or professional qualification required under the DPO guideline at this moment, a DPO must fulfil certain requirements to qualify for the role:  Whether in-house or outsourced, this ensures they have sufficient competency in data protection law and governance.  Appointing an in-house DPO  Appointing an in‑house DPO means promoting one or more qualified team members to the position.  Why this approach works well:  What to watch out for:  Outsourcing the DPO role  Important note for businesses in Malaysia: Outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA. Outsourcing the DPO role means engaging an external professional firm or sole practitioner.  Why this approach works well:  What to watch out for:  You should ensure your service contracts clearly cover all requirements and scope, making sure both parties are aligned on roles, expectations, and deliverables from the start.    For a deeper dive, see our full guide to DPO outsourcing in Malaysia.  Conclusion  Whatever model you choose (outsourced or in-house), your DPO must be empowered to act, sufficiently resourced, independent in function, and properly registered with the Commissioner.  If you would like assistance, our team is here to help evaluate your position, draft service agreements, and ensure your appointment meets PDPA expectations. Reach out to get started. 

Important note for businesses in Malaysia: Outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA. Starting 1 June 2025, Malaysian businesses that fall under the new Personal Data Protection Act 2025 thresholds must appoint a Data Protection Officer (DPO).   While the most established of organisations may prefer appointing an in‑house DPO, most businesses will find outsourcing this role to seasoned professionals as the more cost‑effective and strategic approach.  As a provider of outsourced DPO services ourselves, we have written this guide to help business decision makers:  Let’s begin.  Ready to appoint a DPO in Malaysia? See our step-by-step DPO-as-a-Service process on dpomalaysia.my! Read Our Guide Clarifying the role of a DPO  To paraphrase guidelines by the Malaysian Department of Personal Data Protection (PDP), a Data Protections Officer is responsible for ensuring the organisation’s total compliance with the PDPA, which means, among other duties:   By law, a DPO must:  In addition, PDPD strongly recommends that a DPO should:  It is a specialised role that demands technical expertise and ethical conduct, and with enforcement starting 1 June 2025, a critical hire for businesses.  Signs you need an outsourced DPO  The first step is to assess if the team has capacity to meet PDPA requirements without outside help. Our in-house vs external DPO comparison provides a deep dive into the subject, but for our readers’ convenience, here are five key indicators your organisation likely benefits from outsourcing the role:  If any of these applies to your organisation, there is a strong argument to outsource your DPO role.  Even if you intend to build in-house DPO capacity in the future, an outsourced DPO can ensure immediate compliance with the June 2025 deadline.  How to properly outsource your DPO role  PDP recommends a minimum DPO appointment term of two years to promote stability, and to effectively outsource this role, your organisation should:  The service contract should clearly define the DPO’s scope of work, service terms, responsibilities, and access to data.  Best practices when outsourcing  To make the most of your outsourced DPO, you can consider these operational best practices:  Best Practice  Explanation  Ensure access to key documents and systems  Provide the DPO with secure but full access to relevant policies, personal data flows, contracts, and the data register so they can perform their role effectively.   Establish clear escalation protocols  Define how and when the DPO will be alerted in the event of a personal data breach or incident.   Schedule regular executive‑level engagement  Hold regular briefings between the DPO and top management to review risk exposure, compliance gaps, and training needs.   Designate internal liaisons  Assign persons from legal, IT, HR, and security departments to coordinate with the DPO, ensuring smooth collaboration and issue resolution.   Conclusion  If your organisation lacks the people, structure, or independence needed to manage a compliant data protection programme internally, outsourcing your DPO is a strategic, risk-managed solution aligned with regulatory expectations.   We can help you draft compliant service agreements and ensure your appointment meets PDPA expectations. Reach out to get started. 

Note: Barring any further amendments to the law, this article should be read in the context of the Bill being passed in its current form as at the time of writing as of 11 July 2024. The Personal Data Protection (Amendment) Act 2024 (“PDPA Amendments in 2024“) is currently at the 1st reading stage in the Malaysian Parliament. It will proceed through further readings and must be approved by both Houses of Parliament before being presented for Royal Assent by His Majesty The Yang di-Pertuan Agong. Therefore, it may take some time before the Bill legally comes into force. Malaysia’s Personal Data Protection Act (PDPA) 2010 (“PDPA”) is set to undergo significant updates aimed at aligning with international standards and strengthening the protection of personal data. Here is an overview of the key proposed changes, comparisons with the current provisions, and our insights on these proposed amendments: Terminology Update Current Position: The term “data user” is used throughout the PDPA. Proposed PDPA Amendments in 2024: The term “data user” will be replaced with the term “data controller”. This proposed amendment aligns Malaysia’s data protection terminology with global standards, such as those used in the General Data Protection Regulation (GDPR), ensuring consistency and facilitating international data protection compliance. New Definitions Current Position: The PDPA currently does not explicitly define “biometric data” or “personal data breach.” Proposed PDPA Amendments in 2024: These amendments aim to provide better clarity in the PDPA, ensuring specific categories of sensitive data and incidents are clearly identified and adequately protected. Enhanced Responsibilities of Data Processors Current Position: Data processors are not explicitly required to comply with the security principle. Proposed PDPA Amendments in 2024: Data processors, who process data on behalf of data controllers, must now comply with the security principle under the PDPA. This amendment requires data processors to implement appropriate technical and organizational measures to protect personal data, thereby ensuring accountability and enhancing overall data protection practices. Increased Penalties Current Position: Penalties for non-compliance include fines up to RM300,000 and imprisonment up to two years. Proposed PDPA Amendments in 2024: The fines for breaches are increased to RM1,000,000, and the maximum imprisonment term is extended to three years. These heightened penalties underscore the seriousness of compliance and aim to deter violations by imposing more severe consequences. Data Protection Officers (DPOs) Current Position: There is no mandatory requirement for the appointment of DPOs. Proposed PDPA Amendments in 2024: Data controllers and processors must appoint one or more DPOs responsible for ensuring compliance with the PDPA. This requirement aligns with international best practices, ensuring that organizations have dedicated personnel to manage and safeguard personal data effectively. Data Breach Notification Current Position: There is no explicit requirement for data breach notifications. Proposed PDPA Amendments in 2024: Data controllers must notify the Personal Data Protection Commissioner of any data breaches as soon as practicable. If the breach causes or is likely to cause significant harm to the data subject, data controllers must notify the affected data subjects promptly. Failure to comply can result in fines up to RM250,000 or imprisonment for up to two years. The form and manner of notification will be further determined by the Personal Data Protection Commissioner. Introducing mandatory data breach notifications ensures timely awareness and response to data breaches. This requirement aligns with international best practices, enhancing transparency and accountability in data protection. Rights to Data Portability Current Position: The PDPA does not currently provide a right to data portability. Proposed PDPA Amendments in 2024: Data subjects can request their personal data to be transferred to another data controller, subject to technical feasibility and compatibility of the data format. This right enhances data subject control over their personal data and facilitates smoother transitions between service providers. Cross-Border Data Transfers Current Position: Section 129 of the PDPA prohibits the transfer of personal data to a place outside Malaysia unless such place is specified by the Minister by notification in the Gazette. No such whitelist has been issued and gazetted thus far. Proposed PDPA Amendments in 2024: Data controllers can transfer personal data to countries that provide adequate protection equivalent to the PDPA. The requirement for the Minister to specify places for data transfers is removed. The amendment shifts the authority from the Minister to the data controller, allowing the data controller to decide on data transfers based on adequacy standards. This change aims to streamline cross-border data flows while ensuring that data transferred internationally is adequately protected. Miscellaneous Amendments Various amendments are proposed to enhance clarity and consistency within the PDPA. These include updates to definitions, procedural changes, and adjustments to ensure the Act remains coherent. Conclusion These Proposed PDPA Amendments in 2024 represent a significant step forward in strengthening Malaysia’s data protection framework. By aligning with international standards and addressing emerging data protection challenges, the amendments aim to provide robust safeguards for personal data and enhance trust in the digital ecosystem. Immediate Action Required Given the significant amendments, it is high time for companies and organizations in Malaysia to look into PDPA compliance seriously. Companies and organizations that already have a PDPA compliance framework will need to update and revise their framework, while those who do not yet have one will need to start implementing these practices within their organization.

Electronic signatures and digital signatures are often used interchangeably to refer to tools for signing digital documents. Traditionally, signing involved physical documents or objects, such as paper signatures or fingerprints, to indicate that the signer had read, understood, and agreed to the document’s content. Today, technology allows for digital signing by affixing a name, mark, or drawing to a softcopy document, known as an electronic signature or digital signature. Although both terms serve similar purposes, they differ significantly in terms of framework, security, and admissibility. Electronic Signature In Malaysia, electronic signatures are governed by the Electronic Commerce Act (ECA). The ECA defines an electronic signature as any letter, character, number, sound, or any other symbol, or any combination thereof, created in an electronic form and adopted by a person as a signature. Essentially, any individual affixing their “name” to a PDF would be considered an electronic signature. The main purpose of the ECA is to recognize electronic messages in commercial transactions. For an electronic signature to be admissible, it must fulfill the following requirements under the ECA: An electronic signature is considered reliable if: If these requirements in Section 9 of the ECA are satisfied, the electronic signature meets legal standards. However, Section 10 of the ECA specifies that certain documents requiring a seal, such as Powers of Attorney, Wills, Trust documents, and Negotiable instruments (like Bank Cheques), are not admissible with an electronic signature unless affixed by a digital signature under the Digital Signature Act 1997. Digital Signature A digital signature provides a higher level of security compared to an electronic signature. While electronic signatures can be easily faked (e.g., person A signing as person B through impersonation), digital signatures offer enhanced profiling of the signer’s identity. The Digital Signature Act (DSA) 1997 defines a digital signature as the transformation (created using the private key corresponding to the signer’s public key) of a message using an asymmetric cryptosystem. This allows a person with the initial message and the signer’s public key to determine if the message has been altered since the transformation. For a digital signature to be legally binding under Section 62 of the DSA, it must meet the following criteria: In Malaysia, recognized digital signature options certified by licensed certification authorities include: Documents signed with digital signatures from these certified authorities have legal binding effects. However, digital signatures from foreign platforms do not hold the same legal validity due to the lack of appropriate certification by Malaysian authorities. Summary In summary, Malaysian law differentiates between electronic signatures and digital signatures. When a seal is required on a document, Section 10 of the ECA mandates that a digital signature is the minimum requirement. Parties should carefully consider the balance between the convenience of electronic signatures and the legal risks associated with potential challenges to their validity. For documents traditionally requiring a seal, using digital signatures or physical signatures might be more prudent to ensure compliance with statutory requirements and legal security.

In the realm of business, intermediaries and brokers play a critical role in connecting buyers and sellers, facilitating transactions, and ensuring smooth negotiations. However, operating as a broker without a formal agreement can lead to misunderstandings, disputes, and potential legal complications. Therefore, it is essential for intermediaries to sign a brokerage agreement to clearly define the terms and conditions of their engagement. This article explores the importance of brokerage agreements, key components to include, and best practices for drafting and executing these agreements. Importance of Brokerage Agreements A brokerage agreement is a legally binding contract between a broker and their client, outlining the scope of services, payment terms, duties, and responsibilities. This agreement is vital for several reasons: Key Components of a Brokerage Agreement When drafting a brokerage agreement, several critical components should be included to ensure it is comprehensive and effective: Best Practices for Drafting and Executing Brokerage Agreements To create an effective brokerage agreement, consider the following best practices: Conclusion For intermediaries and brokers, signing a brokerage agreement is not just a formality but a crucial step in establishing a clear, professional, and legally binding relationship with clients. By defining the terms of engagement, compensation, and responsibilities, a well-crafted brokerage agreement minimizes the risk of disputes and ensures that both parties’ interests are protected. Brokers should invest time and resources into drafting thorough and precise agreements, leveraging legal expertise, and maintaining transparent communication to foster successful and trustworthy business relationships.