Articles

The Business Guide To Whistleblower Policies In Malaysia

Though Malaysia’s Whistleblower Protection Act 2010 (with amendments in 2025) provides whistleblowers with certain safeguards, these protections only apply when disclosures are made to enforcement agencies and do not extend to internal company disclosures. As a result, fraud, harassment, bribery, or abuse of power can run rampant in organisations as employees, driven by fear and a lack of confidence in the system, refuse to report offences. A well-designed Whistleblower Policy changes that, empowering everyone from team members to contractors and suppliers to report wrongdoing safely and confidentially.

Protections under the Whistleblower Protection Act 2010

When a whistleblower makes a disclosure of improper conduct to an enforcement agency, they may receive protection under the Whistleblower Protection Act 2010, which includes:

For more details, you can refer to an FAQ by the Legal Affairs Division of the Prime Minister’s Department.

Drafting effective whistleblower policies

An effective policy will specify the following parts:

How it protects your business

A well-implemented whistleblower policy protects your business in more ways than one:

From policy to culture of integrity

A whistleblower policy is only useful if people know it exists, understand it, and feel confident using it. That means companies must go beyond just drafting a document; they also need to embed the policy into everyday awareness. Here’s how you can put it into practice:

Convenience

To ensure the policy is easily accessible to all stakeholders, it can be:

  • circulated internally via email
  • included in the employee handbook
  • included in the code of conduct
  • published on the company website (especially for external vendors or partners)

Repeated

Don’t rely on a one-time announcement. Keep the policy visible and fresh in employees’ minds through regular internal communications such as:

  • email reminders
  • team briefings
  • onboarding kits

Train Employees

Hold regular briefings or refreshers and make sure employees know:

  • what types of concerns should be reported
  • how the reporting process works
  • what protections they will receive

Ready to strengthen your governance?

There’s a reason whistleblowing is on our shortlist of the most important SME governance policies: it helps build workplaces where people feel safe speaking up, and where integrity is more than just a value.

If you would like guidance on drafting or enhancing your Whistleblower Policy, our team is here to support you. Let’s work together to build a workplace where people feel safe speaking up, and where integrity is more than just a value; it’s part of how you operate.


6 Essential Corporate Governance Policies For Malaysian SMEs

Good governance starts with the right policies, and so below are six core corporate governance policies that form a strong foundation for legally compliant and ethical operations. While not mandatory in every case, they are strongly encouraged as best practices and should be tailored to suit your company’s size, industry, and operational needs.

Policy #1: Conflict of Interest

Conflicts of interest often arise when personal and business interests overlap. For example:

A Conflict of Interest Policy ensures that decisions are made in the company’s best interest by clearly setting expectations for employees, managers, and directors to disclose potential conflicts.

What it typically covers:

Policy #2: Code of Conduct

A Code of Conduct defines what constitutes acceptable and expected behaviour in the workplace. It also provides guidance on issues like workplace harassment, discrimination, use of company resources, and respectful treatment of colleagues and customers.

What it typically covers:

Policy #3: Anti-Bribery & Corruption

Section 17A of the MACC Act specifically holds companies liable if anyone associated with them engages in bribery, even if the company’s directors or management were unaware of it.

An Anti-Bribery & Corruption Policy provides a framework for employees and associated parties to identify and avoid unethical conduct. Beyond internal controls, a well-documented and implemented policy may be one of the key elements of your company’s legal defence under Section 17A.

What it typically covers:

Policy #4: Personal Data Protection

Mishandling or failing to safeguard personal data from customers, employees, or other stakeholders can lead to regulatory penalties, lawsuits, loss of customer trust, and reputational damage.

A Personal Data Protection Policy sets out clear rules and procedures for collecting, storing, using, and disclosing personal data, and helps your company demonstrate accountability and compliance with privacy laws such as Malaysia’s Personal Data Protection Act (PDPA).

What it typically covers:

Policy #5: Confidentiality

Employees, directors, and contractors often have access to sensitive company information that, without clear rules, could be inadvertently or intentionally disclosed, potentially harming your company’s competitive position or breaching contracts.

A Confidentiality Policy clearly defines what information is considered confidential, who is responsible for safeguarding it, and how it must be handled in daily operations. It may also outline the consequences of breaches and remind employees of their ongoing obligation to maintain confidentiality even after leaving the company.

What it typically covers:

Policy #6: Whistleblowing

A Whistleblower Policy provides a safe, confidential, and protected channel to report suspected wrongdoing such as fraud, bribery, harassment, or other unethical or illegal activities without fear of retaliation. Encouraging early reporting allows the company to address issues before they escalate and demonstrates its commitment to integrity and accountability.

What it typically covers:

Strengthen your business with good governance

Good governance starts with clear, well-implemented policies. These six core policies form the foundation of a strong governance framework and foster an ethical, accountable culture across your organisation.

If you would like guidance on drafting or reviewing these policies for your organisation, we are here to help.


5 Top SME Corporate Governance Mistakes (And How To Fix Them)

Many SMEs in Malaysia mistakenly view corporate governance as something only large, public-listed companies need to worry about. This often leads to governance being overlooked, exposing businesses to unnecessary risks and costly, avoidable mistakes.

In this article, we highlight some of the most common corporate governance mistakes SMEs make, and how you can address them to build a stronger, more resilient business.

Mistake #1: Treating governance as a compliance burden

In simple terms, corporate governance refers to the framework of policies, processes, and practices that guide how a business is directed and controlled. Beyond mere compliance, good governance means implementing practical measures like:

Mistake #2: No clearly defined roles and responsibilities

Many SMEs operate with directors, managers, and employees wearing multiple hats, which is normal in a lean business. But without clearly defined roles and accountability, decisions get delayed, tasks are overlooked, and risks go unchecked.

How to address it:

Mistake #3: Overlooking conflicts of interest

In many SMEs, it’s common for directors, managers, and employees to have overlapping personal and business relationships. Failing to disclose and manage these conflicts can damage a company’s credibility, create the perception of bribery or corruption, and even expose you to legal risks.

How to address it:

Mistake #4: Missing or outdated key policies

Many SMEs operate without any formal governance policies, relying instead on informal practices and assumptions. This leaves the business exposed to risks and makes it harder to enforce standards when issues arise.

How to address it:

Mistake #5: Ignoring legal compliance risks

Some SMEs overlook the fact that poor governance can lead to serious legal consequences, including hefty fines, lawsuits, and even imprisonment of company directors or management. This risk isn’t just theoretical. Malaysian laws are increasingly strict on corporate accountability, and areas where SMEs often fall short include:

  • Anti-Bribery & Corruption: lack of internal controls, anti-bribery policies, staff training, or monitoring mechanisms, leaving the company vulnerable to liability under the MACC Act (Section 17A).
  • Personal Data Protection: collecting and storing personal data without adequate procedures or safeguards. This mishandling risks data breaches, customer complaints, and non-compliance with the PDPA.
  • Workplace Safety: overlooking safety assessments, proper equipment, or written procedures, creating unsafe conditions and leaving the company exposed to OSHA inspections and fines.
  • Audited Financial Statements: delaying or failing to engage auditors or maintain proper records for audit purposes, resulting in late or incomplete financial statements, contravening the Companies Act 2016.

How to address it:

Strengthen your business with good governance

Good governance is more than a compliance exercise; it’s a strategic advantage. By avoiding these common mistakes and putting the right policies and practices in place, you can build a more resilient, ethical, and trustworthy business that inspires confidence among stakeholders.

If you are ready to strengthen your governance framework, our team is here to help. We can work with you to draft, review, and implement practical, tailored policies that fit your organisation’s unique needs and protect your business’s long-term success.


A Glossary Of Key Share Subscription Agreement Terms

If you’re new to preparing for an investment round or bringing on new shareholders, chances are you’ll come across the term Share Subscription Agreement (“SSA”) for the first time. This document sets out the terms on which an investor agrees to subscribe for new shares and forms the legal backbone of the deal.

Most SSAs are built on common clauses you should familiarise yourself with, and below we explain 13 key SSA clauses in what many lawyers are allergic to: plain English!

Let’s begin.

Key SSA terms

Closing Conditions
Sets out what needs to happen before closing (i.e. issuance of shares). Includes delivery of share certificates, payment confirmation, and board resolutions.

Confidentiality
Prevents either party from disclosing deal terms or sensitive business information. Especially important if commercial or Intellectual Property disclosures were made during negotiation.

Conditions Precedent
Conditions that must be fulfilled before the subscription completes. Examples: shareholder or board approval, execution of related agreements (like a Shareholders’ Agreement), due diligence clearance.

Covenants
Ongoing promises made by the company (or founders) after the agreement is signed. Examples: not issuing further shares without investor consent, maintaining insurance coverage, etc.

Governing Law
Specifies which country’s laws apply to the agreement. Most Malaysian SSAs are governed by Malaysian law under the Contracts Act 1950.

Indemnities
Protects the investor from specific losses. Example: if a warranty turns out to be false and causes financial harm, the company must compensate the investor.

Non-Compete / Restraint Clauses
Protects the investor’s interest by preventing founders from starting or joining a competing business. Common in early-stage deals, usually limited to 1–2 years post-exit.

Purchase Price & Payment Terms
Outlines the amount payable and how payment will be made. Can be a single payment or split into tranches tied to milestones.

Subscription Details
Specifies the number, class, and price of the shares being subscribed for. Often includes whether the shares are ordinary or preference shares.

Termination Clause
Defines when and how either party can walk away before closing. Example: if Conditions Precedent are not fulfilled within 60 days, the SSA automatically terminates or either party has the right to terminate.

Tranches
Used when the investor is injecting funds in stages. Example: RM500,000 now, another RM500,000 after certain KPIs are met.

Warranties and Representations
Statements made by the company to reassure the investor. Common warranties: the company is duly incorporated, there are no undisclosed liabilities, all tax filings are up to date.

Why these clauses matter

Each clause in an SSA serves a commercial or legal purpose, and collectively, these terms:

At ELP, we have seen how overlooking even a “boilerplate” clause creates problems down the line when unclear share rights, timelines, or warranties cause misunderstandings.

Final thoughts

If you’re signing or negotiating an SSA, understanding these clauses is essential: remember, it’s the legal backbone of a deal, which means neglecting it can cause legal back pain!

If you need help, ELP routinely drafts, reviews, and negotiates Share Subscription Agreements for fundraising rounds, capital restructurings, and joint ventures. We make sure terms are not just legally sound, but commercially fair to our clients.


20 FAQs On Malaysia’s PDPA 2010 (Updated For 2024 Amendments)

This FAQ brings together the most common questions we have heard directly from SME founders, entrepreneurs, and business owners navigating Malaysia’s data protection landscape. Whether you are new to the PDPA or reviewing how your business handles personal data, this guide breaks down the essentials in a clear and practical format.

What is the PDPA?

The Personal Data Protection Act 2010 (PDPA) is Malaysia’s law that governs how businesses collect, use, process, store, and share personal data in commercial transactions.

The PDPA was amended via the Personal Data Protection (Amendment) Act 2024, which introduced key changes to enforcement, increased penalties, data protection officers, data breach notification, and cross-border transfer requirements. For more information, read our breakdown of the PDPA amendments.

Who does it apply to?

The PDPA applies to:

It doesn’t apply to:

What are the seven PDPA principles?

These seven principles set the standard for how personal data should be handled responsibly:

For an in-depth look at applying these principles, see our framework on PDPA compliance.

What is considered “personal data”?

Any information that identifies or can identify an individual, directly or indirectly, including:

What is considered “sensitive personal data”?

Sensitive personal data is a special category of personal data that includes:

This type of data requires extra care because of its sensitive nature.

Do I need consent before collecting personal data?

Yes. Consent is one of the key legal requirements under the PDPA, and sensitive personal data requires explicit consent (for example, consent that is clearly expressed and documented).

What are examples of valid consent?

Since there are many possible ways to obtain consent, just make sure that the method you use is:

Here are some common examples of valid consent that meet the above requirements:

What must a privacy notice include?

Your privacy notice is how you show transparency and should clearly explain:

The privacy notice should be provided in both Bahasa Malaysia and English to ensure compliance with the PDPA. As a reference, the PDP Department has provided a sample privacy notice template.

Where should a privacy notice be displayed?

Your privacy notice should be clearly displayed at the point where personal data is collected. For example: your website, registration forms, premises, and any customer touchpoints that involve collecting personal data.

What rights do data subjects have?

Under the PDPA, data subjects (individuals) have the right to:

How long can I keep personal data?

Under the Retention Principle, personal data should only be kept for as long as necessary to fulfil the original purpose for which it was collected. Once it’s no longer needed, you should delete or anonymise it securely. To manage this effectively, your organisation can establish a personal data retention policy.

How can I let individuals access / correct their data?

Under the Access Principle, individuals (data subjects) have the right to access and correct their personal data. To meet this obligation, your organisation should:

Can I share personal data with third parties?

Yes, but make sure you have:

Can I transfer personal data overseas?

Cross-border transfers are allowed under the PDPA, provided:

What’s expected under the Security Principle?

Organisations must take practical and reasonable steps to protect personal data from:

Common steps may include:

Technical Measures

  • Strong passwords
  • Two-factor authentication (2FA)
  • Data encryption (in transit and at rest)
  • Secure cloud infrastructure with firewalls

Organisational Measures

  • Role-based access control
  • Regular audits and access reviews

Physical Measures

  • Restricted physical access to servers or sensitive files
  • Secure disposal of physical records

How do I ensure data integrity?

To comply with the Data Integrity Principle as defined by the PDPA, organisations must ensure that personal data is:

Is there a breach notification requirement under the PDPA?

Yes. The organisation must give notification of the incident where the breach causes or is likely to cause significant harm. You should:

Check out our step-by-step guide to handling data breach notifications in Malaysia.

Do I need to appoint a Data Protection Officer?

Yes, but only if your organisation:

If your organisation does not fall under these classes, appointing a DPO is not compulsory.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia. To learn more, read our guides:

  • Outsourcing a DPO in Malaysia
  • In-house vs Outsourced DPO

What internal policies should I have?

To embed PDPA compliance in your organisation, consider these:

Start small and scale based on your size and risk exposure.

What are the penalties for not complying with the PDPA?

Under the PDPA, penalties vary by offence but can be as high as:

Conclusion

We are here to make PDPA compliance practical, not painful. Whether it’s crafting your privacy notice, running internal audits, or training your team, contact us to get started.

For further reading, we recommend checking out the official FAQ by the Personal Data Protection Department.


Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settle the debts and obligations of the deceased.
  • Distribute the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access the username and password for each digital asset.
  • You are advised to store this private and confidential information on a USB stick, in a password management tool, or in writing.
  • Inform your executor or a trusted person of the whereabouts of these tools so that they will have access to your digital assets.