Articles

Data Breach Notification vs Cyber Security Incident Reporting: A Definitive Guide

With the Personal Data Protection (Amendment) Act 2024 (“PDPA”) and the new Cyber Security Act 2024 (“CSA 2024”) in force, organisations are now subject to complementary but distinct notification obligations under two legal regimes:

In this article, we break down the differences between Data Breach Notification (DBN) under the PDPA and Cyber Security Incident Reporting under the CSA 2024.

Quick comparison

Definition
  Personal data breach: any event or incident that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data.
  Cyber security incident: an act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardises or adversely affects its cyber security.

Source of breach
  Personal data breach: accidental or deliberate; can involve internal or external parties.
  Cyber security incident: cyber threat actor(s) or unauthorised computer activity.

Regulated under
  Personal data breach: Personal Data Protection Act (PDPA).
  Cyber security incident: Cyber Security Act 2024 (CSA 2024).

Threshold
  Personal data breach: likely to cause “significant harm” to individuals.
  Cyber security incident: incident involving or affecting National Critical Information Infrastructure (NCII).

Regulator
  Personal data breach: Personal Data Protection Commissioner (“PDPC”).
  Cyber security incident: National Cyber Security Agency (“NACSA”).

Mandatory by law
  Personal data breach: yes.
  Cyber security incident: yes.

Legal triggers and reporting thresholds

Data breach reporting

Under the PDPA (Section 12B), the Circular of the Personal Data Protection Commissioner No. 2/2025, and the Data Breach Notification (DBN) Guideline, a data breach must be reported if it causes or is likely to cause “significant harm”.

If the organisation determines that a breach does not cause and is not likely to cause significant harm, then notification is not mandatory. However, for regulatory review purposes, it is strongly recommended to document the internal assessment process, including the basis for the non-notification decision, the risk evaluation findings, and any supporting documents or mitigation steps.
Cyber security incident reporting

Under the CSA 2024 (Section 23) and the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, a cyber security incident must be reported immediately once it comes to the knowledge of the NCII entity that a cyber security incident in respect of the NCII has occurred or might have occurred.

Even suspected incidents must be reported within the prescribed time and manner (as set by the regulations).

Under the CSA 2024, only entities designated as NCII entities are legally required to report cyber security incidents. Non-NCII entities may, however, report incidents voluntarily.

Notification timeline and channels

Notified to
  PDPA (data breach): the PDPC.
  CSA 2024 (cyber security incident): the Chief Executive of NACSA and the relevant NCII sector lead.

Notification
  PDPA: as soon as practicable, and within 72 hours of becoming aware of the breach.
  CSA 2024: immediate notification, with an initial report submitted within 6 hours of becoming aware of the incident.

Method
  PDPA: by electronic means (i.e., email) or by hardcopy submission.
  CSA 2024: by electronic means.

Notification to affected individuals
  PDPA: within 7 days of notifying the PDPC (where there is “significant harm”).
  CSA 2024: currently no express obligation.

Reporting format
  PDPA: DBN Form.
  CSA 2024: via email to [email protected], then submit the necessary information via the National Cyber Coordination and Command Centre system.

Supplementary information
  PDPA: update the PDPC if more details become available.
  CSA 2024: within 14 days of the notification, with further updates from time to time.

Coordinating dual notifications

Incidents involving both a system compromise and a loss of personal data need dual notification, in which case:

Because both clocks start from the moment the organisation becomes aware of the incident, and the CSA 2024 clock is the shorter one, initial triage should establish at once whether NCII systems and personal data are both affected.

To enhance coordination and minimise compliance risks, we recommend:

Enforcement and penalties

Failure to notify the relevant agency of an incident carries the following potential penalties:

  PDPA: fine up to RM250,000, imprisonment up to 2 years, or both.
  CSA 2024: fine up to RM500,000, imprisonment up to 10 years, or both.

Non-compliance may also trigger further investigations, compliance audits, and reputational harm.

Practical takeaways

Based on our experience assisting clients with breach response, we offer the following practical steps to manage the situation effectively:

Conclusion

With both the PDPA and the CSA 2024 in full effect, the distinction lies in the focus: the PDPA protects individuals, while the CSA 2024 governs cyber security risks and incident response.

In practice, the lines often blur. That is why we help clients build integrated response frameworks that account for both legal regimes, their timelines, and their regulators.

If you are unsure whether your organisation’s protocols are up to date, or whether you are designated as an NCII entity, now is the time to review and reinforce your governance framework.

Data Protection Officer (DPO) vs Chief Security Officer (CSO): A Definitive Guide

As Malaysia strengthens its legal framework for data privacy and cyber security with the Personal Data Protection (Amendment) Act 2024 (PDPA) and the Cyber Security Act 2024 (CSA 2024), Malaysian organisations assessing their compliance obligations may be unsure whether they need both a Data Protection Officer (DPO) and a Chief Security Officer (CSO).

Below, we have broken down the legal requirement, roles, responsibilities, and qualifications for both positions so you can determine which your organisation must appoint.

Legal requirement

As expressly outlined in Section 12A of the PDPA and supported by the official DPO guideline, as of 2025 it is mandatory for organisations in Malaysia to appoint a DPO if they:

In contrast, the CSA 2024 does not expressly mandate the appointment of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). However, designated NCII entities are subject to a wide range of cyber security obligations and, as a result, may benefit from appointing a designated CSO or similar role as a practical measure to ensure compliance with the CSA 2024.

Defining “NCII entity”: “NCII entity” means any government entity or person that owns or operates NCII. “NCII” means a computer or computer system which, if disrupted or destroyed, would have a detrimental effect on the delivery of services relating to the security, defence, foreign relations, economy, public health, public safety, public order, or the ability of the government to carry out its functions effectively.

Roles and responsibilities

The summary below sets out the key differences between the two roles:

Primary mandate
  DPO: oversee compliance with data protection laws, including ensuring the lawful processing of personal data and managing personal data breaches.
  CSO: develop and enforce cyber security strategies, ensure system security, manage cyber risks, and respond to cyber threats.

Key regulator
  DPO: Personal Data Protection Commissioner (“PDPC”).
  CSO: National Cyber Security Agency (“NACSA”).

Roles
  DPO: acts as liaison to the PDPC, supports Data Protection Impact Assessments, monitors compliance, and manages breach notifications.
  CSO: leads the incident response for cyber security attacks and oversees compliance and reporting obligations under the CSA 2024.

Focus area
  DPO: personal data and privacy risk.
  CSO: information systems and cyber threats.

Mandatory by law
  DPO: yes.
  CSO: no.

Qualifications

While there is some overlap in competencies, each role demands specific expertise.

Data Protection Officer (DPO)

A DPO can be an internal team member or an outsourced professional, and in either case should:

What is a Data Protection Officer? A Data Protection Officer (DPO) is the person responsible for ensuring an organisation’s compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia. To learn more, read our guides on outsourcing a DPO in Malaysia and on in-house vs outsourced DPOs.

Chief Security Officer (CSO)

While the CSA 2024 does not expressly require organisations to appoint a Chief Security Officer (CSO), appointing such a role is considered best practice for NCII entities, as a CSO plays a key role in ensuring the organisation meets its cyber security obligations under the CSA 2024.

What to look for in a CSO:

Note: CyberSecurity Malaysia has introduced the Certified Chief Information Security Officer (CCISO) programme. The certification is aligned with international standards and tailored to Malaysia’s compliance landscape under the CSA 2024.

Appointment context: a CSO is highly recommended for organisations designated as NCII entities. These include sectors deemed essential to national security, the economy, public health, or safety, such as banks, telcos, utilities, hospitals, and government-linked entities.

When to appoint both

An organisation can consider appointing both, especially if:

Example of when to appoint a DPO and a CSO: imagine a private hospital that runs a 24/7 emergency ward, stores thousands of electronic medical records (EMRs), and operates a telemedicine platform for remote consultations.

The DPO ensures patients are given proper privacy notices, handles consent for health data sharing, and manages requests for access to or correction of patient records, all required under the PDPA.

Meanwhile, the CSO defends the hospital’s infrastructure against threats such as ransomware locking critical systems, DDoS attacks on the teleconsultation portal, or unauthorised access to diagnostic devices connected to the network.

While the DPO covers personal data protection, the CSO focuses on cyber security, and together they give the hospital comprehensive protection against both threat actors and mistakes. Note that a ransomware attack on the EMR system would typically be both a cyber security incident and a personal data breach, so the two roles need a single, shared incident process rather than two parallel ones.

Can a DPO also serve as CSO?

Technically yes, since there is no express prohibition under either Act against one person serving as both DPO and CSO. However, dual-role arrangements should only be considered if:

Bear in mind that while both roles support security, they cover distinct subjects, and best practice is to separate the DPO and CSO functions for better oversight and risk management.

Conclusion

Appointing both a DPO and a CSO is not a duplication. Where the DPO covers personal data protection, the CSO focuses on cyber security, and an organisation with both will enjoy better protection and a stronger ability to respond to regulatory expectations.

A Step-By-Step Guide To Handling Data Breach Notifications In Malaysia

With the enforcement of Malaysia’s Personal Data Protection (Amendment) Act 2024 (“PDPA”), the Circular of the Personal Data Protection Commissioner No. 2/2025, and the Data Breach Notification (DBN) Guideline, Malaysian organisations are now under a stricter legal framework that requires them to respond swiftly to personal data breaches.

Below, we explain how organisations can navigate their data breach notification obligations with clarity.

Defining “personal data breach”

A personal data breach refers to any event that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data.

According to the DBN Guideline, common examples include:

These can result from either accidental or deliberate actions and may involve internal or external parties.

When a breach must be reported

A personal data breach must be reported only if it causes or is likely to cause “significant harm”.

“Significant harm” includes:

If there is a breach, the organisation should perform a prompt risk impact assessment to determine whether the breach meets the threshold of “significant harm”.

Legal duty of Data Controllers to report breaches

Under the PDPA, the legal duty to report a personal data breach lies with the Data Controller (the party that controls or authorises the processing of the personal data), in this case the organisation.

Even if the breach originates from a third party that processes personal data on the Data Controller’s behalf (e.g. a cloud service provider), the obligation to submit a data breach notification still rests solely with the Data Controller.

Crucially, failure by a third party to inform the Data Controller of a breach does not excuse the latter from its notification duties.

To ensure compliance, the organisation should:

Notifying the Commissioner within 72 hours

Once a personal data breach that meets the “significant harm” threshold is discovered, the Data Controller must notify the Personal Data Protection Commissioner:

Complete the official Data Breach Notification (DBN) Form and submit it via:

As all three submission methods are treated the same, digital options are strongly encouraged to avoid missing the 72-hour deadline.

The notification to the Commissioner should also include:

If the 72-hour deadline is missed, a written justification for the delay and supporting documents must accompany the late submission.

Who is the point of contact with the Commissioner?

The Data Protection Officer (DPO) will act as the main point of contact for the Commissioner in relation to a data breach, but only where the appointment is mandatory under Section 12A of the PDPA.

If no DPO is required, the organisation must instead assign a senior representative with sufficient authority and expertise to handle official communications and assist with investigations.

If you are unsure whether a DPO is mandatory for your organisation, we answer that question in our full guide to DPO outsourcing in Malaysia.

Notifying affected data subjects within 7 days

If there is a likelihood of significant harm to any individual, the affected individual must be notified within 7 days after the Commissioner has been notified.

Acceptable notification methods include:

The content of the notification must include:

Best practices

1. Establish a Data Breach Response Plan

2. Appoint a DPO (If Required) or Designate a Responsible Person

3. Maintain a Data Breach Register

Record the date and time each breach was discovered, since the 72-hour clock runs from the moment the organisation becomes aware of it.

4. Conduct Staff Training

Train all employees to:

5. Prepare Notification Formats and Templates

Pre-approved templates help ensure consistency, legal accuracy, and a faster response during high-pressure breach scenarios.

6. Review Vendor Agreements

Ensure third-party data processors are contractually bound to:

Non-compliance penalties

Under Section 12B(3) of the PDPA, failure to notify may result in:

Non-compliance may also lead to reputational harm, regulatory scrutiny, and loss of customers’ trust.

Conclusion

In our practice, we have seen that the organisations best equipped to manage personal data breaches are those that invest early in the right people, well-defined processes, and clear protocols. When a breach occurs, readiness makes all the difference, not just in compliance, but in preserving stakeholder trust and business continuity.

If you are unsure whether your organisation is truly prepared, now is the time to assess and strengthen your response framework.

A Practical PDPA Compliance Framework For Organisations In Malaysia

With the 2024 and 2025 updates to the Personal Data Protection Act 2010 (PDPA), organisations in Malaysia now face stricter expectations of accountability and personal data governance. To help, we have prepared a practical framework for implementing PDPA compliance.

7 core personal data protection principles

The foundation of PDPA compliance rests on seven core principles that collectively govern how personal data is collected, used, stored, and disclosed.

General Principle
  What it means: only collect personal data when necessary and with consent.
  Example: do not collect NRIC numbers if names and emails will do.

Notice and Choice Principle
  What it means: inform individuals of what personal data you collect and how it will be used.
  Example: include a clear privacy notice on your website or registration form.

Disclosure Principle
  What it means: do not disclose personal data without consent, unless required by law or otherwise necessary.
  Example: obtain written consent before sharing a client’s details with a third-party service provider (e.g., a marketing agency).

Security Principle
  What it means: protect personal data from loss, misuse, or unauthorised access.
  Example: restrict access to databases storing customer details to the staff who need it, protect those accounts with strong authentication, and encrypt the stored data.

Retention Principle
  What it means: do not keep personal data longer than necessary.
  Example: delete job application forms and candidate records after a set period (such as 12 months after the hiring process concludes).

Data Integrity Principle
  What it means: ensure personal data is accurate, complete, and up to date.
  Example: regularly verify contact details for existing customers in your CRM.

Access Principle
  What it means: individuals have the right to access and correct their personal data.
  Example: provide customers a way to view or update their personal information.

Organisations should apply these principles to their daily operations, policies, and data lifecycle processes.
A PDPA-compliant privacy notice  Whether on your website, registration form, or physical premises, a clear and accessible privacy notice is a great first step for organisations to demonstrate the above PDPA principles in action to individuals whose personal data they collect.  Ensure the notice is easy to find, written in both Bahasa Malaysia and English, and clearly explains:  Under the Notice and Choice Principle, this should be done as early as possible, ideally when someone is first asked for their data or when it’s collected.    Building a practical compliance framework  While privacy notices are a good first step, true compliance is only achieved when organisations have built a company-wide culture where personal data protection is embedded into every part of daily operations.  This means having the right systems, processes, and people in place, and here’s a practical framework to move towards it:  For a better understanding of who qualifies as DPO or how to appoint one, check out our guides on:  Scaling PDPA efforts to business size  Matching PDPA efforts to your organisation’s capacity, complexity, and data risk is key to sustainability.   Start with the most essential, reassess priorities and expand step-by-step.   Smaller / newer enterprises  Start with the essentials:  Larger / established businesses  At this stage, PDPA compliance should be embedded in your business functions:  Not every organisation needs to take the same path, but all paths should lead to the same outcome.  Conclusion Compliance with the PDPA is a continuous journey and embedding PDPA principles into your business practices lays the foundation for building trust, reducing risk, and staying compliant with changing regulatory expectations.  If you need help putting it into action, we are here to support you with reviewing your current setup, drafting policies, or building a full compliance framework tailored to your needs. 

In-House vs Outsourced DPO: A Definitive Guide For Malaysian Businesses

With recent amendments to the Personal Data Protection Act (PDPA) coming into force, Malaysian businesses that meet the threshold for appointing a DPO must now make a strategic decision:  “Should we appoint an internal DPO or outsource the role?”   This article breaks down the key considerations of both models, helping you choose an approach that aligns with your organisation’s structure, risk profile, and compliance obligations.  Clarifying the DPO’s role While there is no formal academic or professional qualification required under the DPO guideline at this moment, a DPO must fulfil certain requirements to qualify for the role:  Whether in-house or outsourced, this ensures they have sufficient competency in data protection law and governance.  Appointing an in-house DPO  Appointing an in‑house DPO means promoting one or more qualified team members to the position.  Why this approach works well:  What to watch out for:  Outsourcing the DPO role  Important note for businesses in Malaysia: Outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA. Outsourcing the DPO role means engaging an external professional firm or sole practitioner.  Why this approach works well:  What to watch out for:  You should ensure your service contracts clearly cover all requirements and scope, making sure both parties are aligned on roles, expectations, and deliverables from the start.    For a deeper dive, see our full guide to DPO outsourcing in Malaysia.  Conclusion  Whatever model you choose (outsourced or in-house), your DPO must be empowered to act, sufficiently resourced, independent in function, and properly registered with the Commissioner.  
If you would like assistance, our team is here to help evaluate your position, draft service agreements, and ensure your appointment meets PDPA expectations. Reach out to get started. 

The Business Guide To DPO Outsourcing In Malaysia

Important note for businesses in Malaysia: Outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA.

Starting 1 June 2025, Malaysian businesses that fall under the new thresholds introduced by the Personal Data Protection (Amendment) Act 2024 must appoint a Data Protection Officer (DPO).

While the most established organisations may prefer appointing an in‑house DPO, most businesses will find outsourcing this role to seasoned professionals the more cost‑effective and strategic approach.

As a provider of outsourced DPO services ourselves, we have written this guide to help business decision makers:

Let’s begin.

Clarifying the role of a DPO

To paraphrase the guidelines issued by the Malaysian Department of Personal Data Protection (PDP), a Data Protection Officer is responsible for ensuring the organisation’s full compliance with the PDPA, which means, among other duties:

By law, a DPO must:

In addition, the PDP strongly recommends that a DPO should:

It is a specialised role that demands technical expertise and ethical conduct, and with enforcement starting 1 June 2025, a critical hire for businesses.

Signs you need an outsourced DPO

The first step is to assess whether the team has the capacity to meet PDPA requirements without outside help. Our in-house vs outsourced DPO comparison provides a deep dive into the subject, but for our readers’ convenience, here are five key indicators that your organisation would likely benefit from outsourcing the role:

If any of these applies to your organisation, there is a strong argument for outsourcing your DPO role.

Even if you intend to build in-house DPO capacity in the future, an outsourced DPO can ensure immediate compliance with the June 2025 deadline.
How to properly outsource your DPO role

The PDP recommends a minimum DPO appointment term of two years to promote stability, and to effectively outsource this role, your organisation should:

The service contract should clearly define the DPO’s scope of work, service terms, responsibilities, and access to data.

Best practices when outsourcing

To make the most of your outsourced DPO, consider these operational best practices:

Ensure access to key documents and systems
  Provide the DPO with secure, access-controlled and logged, but complete access to the relevant policies, personal data flows, contracts, and the data register so they can perform their role effectively.

Establish clear escalation protocols
  Define how and when the DPO will be alerted in the event of a personal data breach or incident.

Schedule regular executive‑level engagement
  Hold regular briefings between the DPO and top management to review risk exposure, compliance gaps, and training needs.

Designate internal liaisons
  Assign persons from the legal, IT, HR, and security departments to coordinate with the DPO, ensuring smooth collaboration and issue resolution.

Conclusion

If your organisation lacks the people, structure, or independence needed to manage a compliant data protection programme internally, outsourcing your DPO is a strategic, risk-managed solution aligned with regulatory expectations.

We can help you draft compliant service agreements and ensure your appointment meets PDPA expectations. Reach out to get started.

Share Subscription vs Purchase Agreements: A Definitive Guide

One question we often get when assisting clients with investment deals, exits, and restructuring is whether they need a Share Subscription Agreement or a Share Purchase Agreement. While both agreements deal with shares, they serve different purposes and are consequently used in different scenarios.

Share Subscription Agreement

When a company issues new shares and sells them directly to an investor, a Share Subscription Agreement (SSA) is used to set out the:

Typical use cases include fundraising rounds, capital injection by existing shareholders, onboarding a strategic partner, or the formation of joint ventures.

The end result is that the company receives fresh capital, the investor becomes a new shareholder, and the SSA keeps both parties aligned.

Share Purchase Agreement

A Share Purchase Agreement (SPA) is used when an existing shareholder sells their shares to another party and needs a document to set out the:

SPAs are used in the sale of a founder’s stake, buyouts, share transfers, and most other cases where share ownership changes but the company’s share capital remains the same.

Side-by-side comparison

Source of shares
  SSA: new shares issued by the company.
  SPA: existing shares sold by a shareholder.

Funds go to
  SSA: the company.
  SPA: the selling shareholder.

Share capital
  SSA: increases.
  SPA: unchanged.

Purpose
  SSA: capital raising.
  SPA: change in ownership.

Typical parties
  SSA: company and investor.
  SPA: seller and buyer.

Use case
  SSA: fundraising, capital injection.
  SPA: M&A, exits, secondary sales.

Governing documents
  SSA: Companies Act 2016, Sections 75 and 76.
  SPA: contract law (with Companies Act compliance for the share transfer).

Final thoughts

Whether you are onboarding a new investor, transferring equity, or exiting a business, the right agreement ensures clarity, compliance, and alignment of expectations.

If you are planning a share transaction, we recommend ensuring that your documentation accurately reflects the nature of the deal.

The Employer’s Guide To Mutual Termination In Malaysia

Under Malaysian employment law, mutual termination simply means both employer and employee agree to end a working relationship. There is no dismissal or resignation, just a consensual parting of ways.

To support this process, employers often adopt two structured schemes:

If done properly, mutual termination offers clarity, fairness, and legal protection, especially for employers.

When to offer VSS or MSS

A VSS or MSS is most commonly used ahead of a restructuring or downsizing as a low-disruption alternative to selecting employees for retrenchment, for example due to the significant hike in salary requirements to apply for Employment Passes. In fact, these schemes are often used before a retrenchment, as stipulated in the Code of Conduct for Industrial Harmony (paragraph 22) and the Department of Labour’s Guidelines on Retrenchment Management (item 4.2).

They help achieve workforce reduction while reducing the risk of unfair dismissal claims under Section 20 of the Industrial Relations Act 1967.

That said, the rationale behind the offer must be legally sound to hold up in court.

Ensuring legality of the agreement

A VSS or MSS agreement is legally valid provided that contract law requirements are met, and in practice it contains three key elements:

If any of these elements are missing, the courts can rule against the employer, as seen in Teh Yet Poh v Tropicana Shared Services Sdn Bhd.

Teh Yet Poh v Tropicana Shared Services Sdn Bhd [2025]
What the employer called a “mutual separation” was, in reality, a one-sided decision, as the employee was told to resign or face retrenchment. Although the employee signed the MSS and received an initial payout of RM73,706.99, the court found that the agreement had been entered into under pressure and therefore amounted to an unlawful dismissal. The court subsequently awarded the employee additional compensation of RM223,173.01.

The most disheartening part of reading this judgment was the long list of case law from 1991 to 2024 showing how employers have continuously made the same mistake.

But it doesn’t have to be that way, and our next section walks you through how to handle a mutual separation scheme properly.

Steps in rolling out a VSS or MSS

Here’s how employers can ensure both sides agree to the terms, benefits, and finality of the separation:

Step 1: Establish a genuine reason, be it redundancy, cost control, or restructuring.

Step 2: Choose a VSS if applying to a group and an MSS for individuals.

Step 3: Define who is eligible and how the offer will be communicated.

Step 4: Draft clear, balanced, and enforceable documents to avoid problems later.

Step 5: Keep written records of all steps taken, especially around consent, communication, and payout calculations. This includes ensuring all statutory contributions such as EPF and SOCSO are up to date before the separation takes effect; missed payments can lead to serious legal consequences. For details on statutory entitlements, see step seven of our guide to retrenchment.

And if you’d like help drafting a legally sound VSS or MSS agreement that protects your business while treating employees fairly, we are here to assist.

FAQs on mutual termination in Malaysia

Q: Can an MSS or VSS be offered verbally?
A: Preferably not. Although verbal contracts are legally recognised, for employment matters this is risky and opens the door to misunderstandings and disputes. A written agreement ensures both clarity and legal enforceability.

Q: Who usually drafts the VSS or MSS document?
A: It is typically prepared by the employer or their legal advisor.

Q: Can the employee propose their own terms under an MSS?
A: Yes.

Q: Can the employee challenge the agreement after signing?
A: Yes.

Q: Does the VSS/MSS need to offer more than the legal minimum?
A: It is preferable. If compensation is equal to or lower than the legal minimum, the court may view the scheme as a disguised retrenchment and subject the employer to full statutory obligations.

Q: How long should the employee be given to respond to a VSS or MSS offer?
A: A few days to a week is generally reasonable. The key is not to pressure the employee into making a rushed decision. However, the response timeframe may also take into account the company’s overall business conditions and the urgency of the restructuring plan.

Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settle the debts and obligations of the deceased.
  • Distribute the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access each digital asset, including the username, the password, and any second factor (such as recovery codes) the account requires; without the second factor, the credentials alone will not get your executor in.
  • Store this private and confidential information in a password management tool, on an encrypted USB stick, or in writing kept in a secure place. Do not write the credentials into the Will itself, as a Will becomes a public document once probate is granted.
  • Inform your executor or a trusted person of the whereabouts of these records, and of how to unlock them, so that they will be able to access your digital assets.