Articles

6 Essential Corporate Governance Policies For Malaysian SMEs 


Good governance starts with the right policies, and so below are six core corporate governance policies that form a strong foundation for legally compliant and morally ethical operations. While not mandatory in every case, they are strongly encouraged as best practices and should be tailored to suit your company’s size, industry, and operational needs.

Policy #1: Conflict of Interest

Conflicts of interest often arise when personal and business interests overlap. For example:

A Conflict of Interest Policy ensures that decisions are made in the company’s best interest by clearly setting expectations for employees, managers, and directors to disclose potential conflicts.

What it typically covers:

Policy #2: Code of Conduct

A Code of Conduct defines what constitutes acceptable and expected behaviour in the workplace. It also provides guidance on issues like workplace harassment, discrimination, use of company resources, and respectful treatment of colleagues and customers.

What it typically covers:

Policy #3: Anti-Bribery & Corruption

Section 17A of the MACC Act specifically holds companies liable if anyone associated with them engages in bribery, even if the company’s directors or management were unaware of it.

An Anti-Bribery & Corruption Policy provides a framework for employees and associated parties to identify and avoid unethical conduct. Beyond internal controls, a well-documented and implemented policy may be one of the key elements of your company’s legal defence under Section 17A.

What it typically covers:

Policy #4: Personal Data Protection

Mishandling or failing to safeguard personal data from customers, employees, or other stakeholders can lead to regulatory penalties, lawsuits, loss of customer trust, and reputational damage.

A Personal Data Protection Policy sets out clear rules and procedures for collecting, storing, using, and disclosing personal data and helps your company demonstrate accountability and compliance with privacy laws such as Malaysia’s Personal Data Protection Act (PDPA).

What it typically covers:

Policy #5: Confidentiality

Employees, directors, and contractors often have access to sensitive company information that, without clear rules, could be inadvertently or intentionally disclosed, potentially harming your company’s competitive position or breaching contracts.

A Confidentiality Policy clearly defines what information is considered confidential, who is responsible for safeguarding it, and how it must be handled in daily operations. It may also outline the consequences of breaches and remind employees of their ongoing obligation to maintain confidentiality even after leaving the company.

What it typically covers:

Policy #6: Whistleblowing

A Whistleblower Policy provides a safe, confidential, and protected channel to report suspected wrongdoing such as fraud, bribery, harassment, or other unethical or illegal activities without fear of retaliation.

Encouraging early reporting allows the company to address issues before they escalate and demonstrates its commitment to integrity and accountability.

What it typically covers:

Strengthen your business with good governance

Good governance starts with clear, well-implemented policies. These six core policies form the foundation of a strong governance framework and foster an ethical, accountable culture across your organisation.

If you would like guidance on drafting or reviewing these policies for your organisation, we are here to help.


5 Top SME Corporate Governance Mistakes (And How To Fix Them)


Many SMEs in Malaysia mistakenly view corporate governance as something only large, public-listed companies need to worry about. This often leads to governance being overlooked, exposing businesses to unnecessary risks and costly, avoidable mistakes.

In this article, we highlight some of the most common corporate governance mistakes SMEs make, and how you can address them to build a stronger, more resilient business.

Mistake #1: Treating governance as a compliance burden

In simple terms, corporate governance refers to the framework of policies, processes, and practices that guide how a business is directed and controlled.

Beyond mere compliance, good governance means implementing practical measures like:

Mistake #2: No clearly defined roles and responsibilities

Many SMEs operate with directors, managers, and employees wearing multiple hats, which is normal in a lean business. But without clearly defined roles and accountability, decisions get delayed, tasks are overlooked, and risks go unchecked.

How to address it:

Mistake #3: Overlooking conflicts of interest

In many SMEs, it’s common for directors, managers, and employees to have overlapping personal and business relationships. Failing to disclose and manage these conflicts can damage a company’s credibility, create the perception of bribery or corruption, and even expose you to legal risks.

How to address it:

Mistake #4: Missing or outdated key policies

Many SMEs operate without any formal governance policies, relying instead on informal practices and assumptions. This leaves the business exposed to risks and makes it harder to enforce standards when issues arise.

How to address it:

Mistake #5: Ignoring legal compliance risks

Some SMEs overlook the fact that poor governance can lead to serious legal consequences, including hefty fines, lawsuits, and even imprisonment of company directors or management.

This risk isn’t just theoretical. Malaysian laws are increasingly strict on corporate accountability, and areas where SMEs often fall short include:

Area: SME shortcomings

Anti-Bribery & Corruption: Lack of internal controls, anti-bribery policies, staff training, or monitoring mechanisms, leaving the company vulnerable to liability under the MACC Act (Section 17A).

Personal Data Protection: Collecting and storing personal data without adequate procedures or safeguards. This mishandling risks data breaches, customer complaints, and non-compliance with the PDPA.

Workplace Safety: Overlooking safety assessments, proper equipment, or written procedures, creating unsafe conditions and leaving the company exposed to OSHA inspections and fines.

Audited Financial Statements: Delaying or failing to engage auditors or maintain proper records for audit purposes, resulting in late or incomplete financial statements, contravening the Companies Act 2016.

How to address it:

Strengthen your business with good governance

Good governance is more than a compliance exercise; it’s a strategic advantage. By avoiding these common mistakes and putting the right policies and practices in place, you can build a more resilient, ethical, and trustworthy business that inspires confidence among stakeholders.

If you are ready to strengthen your governance framework, our team is here to help. We can work with you to draft, review, and implement practical, tailored policies that fit your organisation’s unique needs and protect your business’s long-term success.


A Glossary Of Key Share Subscription Agreement Terms


If you’re new to preparing for an investment round or bringing on new shareholders, chances are you’ll come across the term Share Subscription Agreement (“SSA”) for the first time. This document sets out the terms on which an investor agrees to subscribe to new shares and forms the legal backbone of the deal.

Most SSAs are built on top of common clauses you should familiarise yourself with, and below, we explain 13 key SSA clauses in what many lawyers are allergic to: Plain English!

Let’s begin.

Key SSA terms

Closing Conditions
Sets out what needs to happen before closing (i.e. issuance of shares). Includes delivery of share certificates, payment confirmation, and board resolutions.

Confidentiality
Prevents either party from disclosing deal terms or sensitive business information. Especially important if commercial or Intellectual Property disclosures were made during negotiation.

Conditions Precedent
Conditions that must be fulfilled before the subscription completes. Examples: shareholder or board approval, execution of related agreements (like a Shareholders’ Agreement), due diligence clearance.

Covenants
Ongoing promises made by the company (or founders) after the agreement is signed. Example: not issuing further shares without investor consent, maintaining insurance coverage, etc.

Governing Law
Specifies which country’s laws apply to the agreement. Most Malaysian SSAs are governed by Malaysian law under the Contracts Act 1950.

Indemnities
Protects the investor from specific losses. Example: if a warranty turns out to be false and causes financial harm, the company must compensate the investor.

Non-Compete / Restraint Clauses
Protects the investor’s interest by preventing founders from starting or joining a competing business. Common in early-stage deals, usually limited to 1–2 years post-exit.

Purchase Price & Payment Terms
Outlines the amount payable and how payment will be made. Can be a single payment or split into tranches tied to milestones.

Subscription Details
Specifies the number, class, and price of the shares being subscribed for. Often includes whether the shares are ordinary or preference shares.

Termination Clause
Defines when and how either party can walk away before closing. Example: if Conditions Precedent are not fulfilled within 60 days, the SSA automatically terminates or either party has the right to terminate.

Tranches
Used when the investor is injecting funds in stages. Example: RM500,000 now, another RM500,000 after certain KPIs are met.

Warranties and Representations
Statements made by the company to reassure the investor. Common warranties: the company is duly incorporated, no undisclosed liabilities, all tax filings up to date.

Why these clauses matter

Each clause in an SSA serves a commercial or legal purpose, and collectively, these terms:

At ELP, we have seen how overlooking even a “boilerplate” clause creates problems down the line when unclear share rights, timelines, or warranties cause misunderstandings.

Final thoughts

If you’re signing or negotiating an SSA, understanding these clauses is essential – remember it’s the legal backbone of a deal, which means neglecting it can cause legal back pain!

If you need help, ELP routinely drafts, reviews, and negotiates Share Subscription Agreements for fundraising rounds, capital restructurings, and joint ventures. We make sure terms are not just legally sound, but commercially fair to our clients.


20 FAQs On Malaysia’s PDPA 2010 (Updated For 2024 Amendments) 


This FAQ brings together the most common questions we have heard directly from SME founders, entrepreneurs, and business owners navigating Malaysia’s data protection landscape. Whether you are new to the PDPA or reviewing how your business handles personal data, this guide breaks down the essentials in a clear and practical format.

What is the PDPA?

The Personal Data Protection Act 2010 (PDPA) is Malaysia’s law that governs how businesses collect, use, process, store, and share personal data in commercial transactions.

The PDPA was amended via the Personal Data Protection (Amendment) Act 2024, which introduced key changes to enforcement, increased penalties, data protection officer, data breach notification, and cross-border transfer requirements. For more information, read our breakdown of the PDPA amendments.

Who does it apply to?

The PDPA applies to:

It doesn’t apply to:

What are the seven PDPA principles?

These seven principles set the standard for how personal data should be handled responsibly:

For an in-depth look at applying these principles, see our framework on PDPA compliance.

What is considered “personal data”?

Any information that identifies or can identify an individual, directly or indirectly, including:

What is considered “sensitive personal data”?

Sensitive personal data is a special category of personal data that includes:

This type of data requires extra care because of its sensitive nature.

Do I need consent before collecting personal data?

Yes. Consent is one of the key legal requirements under the PDPA, and sensitive personal data requires explicit consent (for example, consent that is clearly expressed and documented).

What are examples of valid consent?

Since there are many possible ways to get consent, just make sure that the method you use is:

Here are some common examples of valid consent that meet the above requirements:

What must a privacy notice include?

Your privacy notice is how you show transparency and should clearly explain:

The privacy notice should be provided in both Bahasa Malaysia and English to ensure compliance with the PDPA. As a reference, the PDP Department has provided a sample privacy notice template.

Where should a privacy notice be displayed?

Your privacy notice should be clearly displayed at the point where personal data is collected. For example: your website, registration forms, premises, and any customer touchpoints that involve collecting personal data.

What rights do data subjects have?

Under the PDPA, data subjects (individuals) have the right to:

How long can I keep personal data?

Under the Retention Principle, personal data should only be kept for as long as necessary to fulfil the original purpose for which it was collected. Once it’s no longer needed, you should delete or anonymise it securely. To manage this effectively, your organisation can establish a personal data retention policy.

How can I let individuals access / correct their data?

Under the Access Principle, individuals (data subjects) have the right to access and correct their personal data. To meet this obligation, your organisation should:

Can I share personal data with third parties?

Yes, but make sure you have:

Can I transfer personal data overseas?

Cross-border transfers are allowed under the PDPA, provided:

What’s expected under the Security Principle?

Organisations must take practical and reasonable steps to protect personal data from:

Common steps may include:

Technical Measures
- Strong passwords
- Two-factor authentication (2FA)
- Data encryption (in transit and at rest)
- Secure cloud infrastructure with firewalls

Organisational Measures
- Role-based access control
- Regular audits and access reviews

Physical Measures
- Restricted physical access to servers or sensitive files
- Secure disposal of physical records

How do I ensure data integrity?

To comply with the Data Integrity Principle as defined by the PDPA, organisations must ensure that personal data is:

Is there a breach notification requirement under the PDPA?

Yes. The organisation must notify the Commissioner of the incident where the breach causes or is likely to cause significant harm. You should:

Check out our step-by-step guide to handling data breach notifications in Malaysia.

Do I need to appoint a Data Protection Officer?

Yes, but only if your organisation:

If your organisation does not fall under these classes, appointing a DPO is not compulsory.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia. To learn more, read our guides: Outsourcing a DPO in Malaysia; In-house vs Outsourced DPO.

What internal policies should I have?

To embed PDPA compliance in your organisation, consider these:

Start small and scale based on your size and risk exposure.

What are the penalties for not complying with the PDPA?

Under the PDPA, penalties vary by offence but can be as high as:

Conclusion

We are here to make PDPA compliance practical, not painful. Whether it’s crafting your privacy notice, running internal audits, or training your team, contact us to get started.

For further reading, we recommend checking out the official FAQ by the Personal Data Protection Department.


Data Breach Notification vs Cyber Security Incident Reporting: A Definitive Guide

With the Personal Data Protection (Amendment) Act 2024 (“PDPA”) and the new Cyber Security Act 2024 (“CSA 2024”) in force, organisations are now subject to complementary but distinct notification obligations under two legal regimes:

In this article, we break down the differences between Data Breach Notification (DBN) under the PDPA and Cyber Security Incident Reporting under the CSA 2024.

Quick comparison

Definition
- Personal Data Breach: Any event or incident that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data
- Cyber Security Incident: An act or activity carried out on or through a computer or computer system, without lawful authority, that jeopardises or adversely affects its cyber security

Source of breach
- Personal Data Breach: Accidental or deliberate; can involve internal or external parties
- Cyber Security Incident: Cyber threat actor(s) or unauthorised computer activity

Regulated under
- Personal Data Breach: Personal Data Protection Act (PDPA)
- Cyber Security Incident: Cyber Security Act 2024 (CSA 2024)

Threshold
- Personal Data Breach: Likely to cause “significant harm” to individuals
- Cyber Security Incident: Incident involving or affecting National Critical Information Infrastructure (NCII)

Regulator
- Personal Data Breach: Personal Data Protection Commissioner (“PDPC”)
- Cyber Security Incident: National Cyber Security Agency (“NACSA”)

Mandatory by law
- Personal Data Breach: Yes
- Cyber Security Incident: Yes

Legal triggers and reporting thresholds

Data breach reporting

Under the PDPA (Section 12B), Circular of Personal Data Protection Commissioner No. 2/2025, and the Data Breach Notification (DBN) Guideline, a data breach must be reported if it causes or is likely to cause “significant harm”.

If the organisation determines a breach does not cause or is not likely to cause significant harm, then notification is not mandatory. However, for regulatory review purposes, it is strongly recommended to document the internal assessment process, including the basis for the non-notification decision, risk evaluation findings, and any supporting documents or mitigation steps.

Cyber Security Incident reporting

Under the CSA 2024 (Section 23) and the Cyber Security (Notification of Cyber Security Incident) Regulations 2024, Cyber Security Incidents must be reported immediately when it comes to the knowledge of the NCII Entity that a cyber security incident in respect of the NCII has occurred or might have occurred. Even suspected incidents must be reported within the prescribed time and manner (as set by regulations).

Under the CSA 2024, only entities classified as NCII are legally required to report cybersecurity incidents. However, non-NCII entities may also voluntarily report incidents.

Notification timeline and channels

Notified to
- PDPA 2024 (Data Breach): PDPC
- CSA 2024 (Cyber Security Incident): The Chief Executive of NACSA and the relevant NCII sector lead

Notification
- PDPA 2024 (Data Breach): As soon as practicable (within 72 hours of becoming aware of the incident)
- CSA 2024 (Cyber Security Incident): Immediate notification; an initial report must be submitted within 6 hours of becoming aware of the incident

Method
- PDPA 2024 (Data Breach): By electronic means (i.e., email) or by hardcopy submission
- CSA 2024 (Cyber Security Incident): By electronic means

Notification to affected individuals
- PDPA 2024 (Data Breach): Within 7 days of PDPC notification (if there is “significant harm”)
- CSA 2024 (Cyber Security Incident): Currently no express obligation under the CSA 2024

Reporting format
- PDPA 2024 (Data Breach): DBN Form
- CSA 2024 (Cyber Security Incident): Via email to [email protected]; submit the necessary information via the National Cyber Coordination and Command Center System

Supplementary info
- PDPA 2024 (Data Breach): Update the PDPC if more details become available
- CSA 2024 (Cyber Security Incident): Within 14 days of the notification, and further updates from time to time

Coordinating dual notifications

Incidents involving system compromise and personal data loss need dual notification, in which case:

To enhance coordination and minimise compliance risks, we recommend:

Enforcement and penalties

Failure to notify the relevant agency of an incident carries the following potential penalties.

- PDPA: Fine up to RM250,000, imprisonment up to 2 years, or both.
- CSA 2024: Fine up to RM500,000, imprisonment up to 10 years, or both.

Non-compliance may also trigger further investigations, compliance audits, and reputational harm.

Practical takeaways

Based on our experience assisting clients with breach response, we offer the following practical steps to manage the situation effectively:

Conclusion

With both the PDPA and the CSA 2024 in full effect, the distinction lies in the focus: the PDPA protects individuals, while the CSA governs cybersecurity risks and incident response. In practice, the lines often blur. That’s why we help clients build integrated response frameworks that account for both legal regimes, timelines, and regulators.

If you are unsure whether your organisation’s protocols are up to date, or whether you are designated as NCII, now is the time to review and reinforce your governance framework.


Data Protection Officer (DPO) vs Chief Security Officer (CSO): A Definitive Guide

As Malaysia strengthens its legal framework for data privacy and cyber security with the Personal Data Protection (Amendment) Act 2024 (PDPA) and Cyber Security Act 2024 (CSA), Malaysian organisations assessing their compliance obligations may be unsure if they need both a Data Protection Officer (DPO) and a Chief Security Officer (CSO).

Below, we have broken down the legal requirement, roles, responsibilities, and qualifications for both positions so you can determine which your organisation must appoint.

Legal requirement

As expressly outlined in Section 12A of the PDPA and supported by the official DPO guideline, as of 2025, it is mandatory for organisations in Malaysia to appoint a DPO if they:

In contrast, the CSA 2024 does not expressly mandate the appointment of a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). However, designated NCII entities are subject to a wide range of cybersecurity obligations and, as a result, may benefit from appointing a designated CSO or similar role as a practical measure to ensure compliance with the CSA 2024.

Defining “NCII entity”: “NCII entity” means any government entity or person that owns or operates NCII. “NCII” means a computer or computer system which, if disrupted or destroyed, will result in a detrimental effect on the delivery of services relating to the security, defence, foreign relations, economy, public health, public safety, public order or the ability of the government to carry out its functions effectively.

Roles and responsibilities

The table below summarises the key differences between the two roles:

Primary mandate
- Data Protection Officer (DPO): Oversee compliance with data protection laws, including ensuring lawful processing of personal data and managing personal data breaches.
- Chief Security Officer (CSO): Develop and enforce cyber security strategies, ensure system security, manage cyber risks and respond to cyber threats.

Key regulator
- DPO: Personal Data Protection Commissioner (“PDPC”)
- CSO: National Cyber Security Agency (“NACSA”)

Roles
- DPO: Acts as liaison to the PDPC, supports Data Protection Impact Assessments, monitors compliance, and manages breach notifications.
- CSO: Leads the incident response for cyber security attacks and oversees compliance and reporting obligations under the CSA 2024.

Focus area
- DPO: Personal data & privacy risk
- CSO: Information systems & cyber threats

Mandatory by law
- DPO: Yes
- CSO: No

Qualifications

While there is some overlap in competencies, each role demands specific expertise:

Data Protection Officer (DPO)

A DPO can be chosen from an internal member or outsourced, and in either case should:

Chief Security Officer (CSO)

While the CSA 2024 does not expressly require organisations to appoint a Chief Security Officer (CSO), appointing such a role is considered a best practice for NCII entities, as a CSO plays a key role in ensuring the organisation meets its cybersecurity obligations under the CSA 2024.

What to look for in a CSO:

Note: CyberSecurity Malaysia has introduced the Certified Chief Information Security Officer (CCISO) programme. The certification is aligned with international standards and tailored to meet Malaysia’s compliance landscape under the CSA 2024.

Appointment context: it is highly recommended for organisations designated as NCII entities. These include sectors deemed essential to national security, economy, public health, or safety, such as banks, telcos, utilities, hospitals, and government-linked entities.

When to appoint both

An organisation can consider appointing both, especially if:

Example of when to appoint a DPO and CSO: imagine a private hospital that runs a 24/7 emergency ward, stores thousands of electronic medical records (EMRs), and operates a telemedicine platform for remote consultations.

The DPO ensures patients are given proper privacy notices, handles consent for health data sharing, and manages requests for access or correction of patient records, all required under the PDPA. Meanwhile, the CSO defends the hospital’s infrastructure against threats like ransomware locking critical systems, DDoS attacks on the teleconsultation portal, or unauthorised access to diagnostic devices connected to the network.

While the DPO covers personal data protection, the CSO focuses on cybersecurity, and together they provide the hospital with truly comprehensive protection against threat actors and mistakes.

Can a DPO also serve as CSO?

Technically yes, since there is no express prohibition under the Acts against one person serving as both DPO and CSO. However, dual-role arrangements should only be considered if:

Bear in mind that while both roles support security, they cover distinct subjects, and best practice would be to separate DPO and CSO functions for better oversight and risk management.

Conclusion

Appointing a DPO and a CSO is not a duplication. Where the DPO covers personal data protection, a CSO focuses on cybersecurity, and any organisation with both will enjoy better protection and a greater ability to respond to regulatory expectations.


A Step-By-Step Guide To Handling Data Breach Notifications In Malaysia 


With the enforcement of Malaysia’s Personal Data Protection (Amendment) Act 2024 (“PDPA”), Circular of Personal Data Protection Commissioner No. 2/2025, and the Data Breach Notification (DBN) Guideline, Malaysian organisations are now under a stricter legal framework to respond swiftly to personal data breaches. Below, we explain how organisations can navigate data breach notification obligations with clarity.

Defining “personal data breach”

A personal data breach refers to any event that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data. According to the DBN Guideline, common examples include:

These can result from both accidental and deliberate actions and involve internal or external parties.

When a breach must be reported

A personal data breach must be reported only if it causes or is likely to cause “significant harm”. “Significant harm” includes:

If there is a breach, the organisation should perform a prompt risk impact assessment to determine if the breach meets the threshold of “significant harm”.

Legal duty of Data Controllers to report breaches

Under the PDPA, the legal duty to report a personal data breach lies with the Data Controller (i.e., the party that ultimately uses the personal data), in this case, the organisation. Even if the breach originates from a third party who processes personal data on the Data Controller’s behalf (e.g. a cloud service provider), the obligation to submit a data breach notification still rests solely with the Data Controller. Crucially, failure by a third party to inform the Data Controller of a breach does not excuse the latter from its notification duties.

To ensure compliance, the organisation should:

Notifying the Commissioner within 72 hours

Once a personal data breach that meets the “significant harm” threshold is discovered, the Data Controller must notify the Personal Data Protection Commissioner:

Complete the official Data Breach Notification (DBN) Form and submit it via:

As all three submission methods are treated the same, digital options are strongly encouraged to avoid missing the 72-hour deadline.

The notification to the Commissioner should also include:

If the 72-hour deadline is missed, a written justification for the delay and supporting documents must accompany the late submission.

Who is the point of contact with the Commissioner?

The Data Protection Officer (DPO) will act as the main contact point for the Commissioner in relation to a data breach, but only where appointment is mandatory under Section 12A of the PDPA. If no DPO is required, the organisation must instead assign a senior representative with sufficient authority and expertise to handle official communications and assist with investigations.

If you’re unsure if a DPO is mandatory for your organisation, we answer it in our full guide to DPO outsourcing in Malaysia.

Notifying affected data subjects within 7 days

If there is a likelihood of significant harm to any individual, the affected individual must be notified within 7 days after notifying the Commissioner.

Acceptable notification methods include:

The content of the notification must include:

Best practices

1. Establish a Data Breach Response Plan

2. Appoint a DPO (If Required) or Designate a Responsible Person

3. Maintain a Data Breach Register

4. Conduct Staff Training

Train all employees to:

5. Prepare Notification Formats and Templates

Pre-approved templates help ensure consistency, legal accuracy, and faster response during high-pressure breach scenarios.

6. Review Vendor Agreements

Ensure third-party data processors are contractually bound to:

Non-compliance penalties

Under Section 12B(3) of the PDPA, failure to notify may result in:

Non-compliance may also lead to reputational harm, regulatory scrutiny, and loss of customers’ trust.

Conclusion

In our practice, we have seen that the organisations best equipped to manage personal data breaches are those that invest early in the right people, well-defined processes, and clear protocols. When a breach occurs, readiness makes all the difference, not just in compliance, but in preserving stakeholder trust and business continuity.

If you are unsure whether your organisation is truly prepared, now is the time to assess and strengthen your response framework.

A Step-By-Step Guide To Handling Data Breach Notifications In Malaysia

A Practical PDPA Compliance Framework For Organisations In Malaysia

With the 2024 and 2025 updates to the Personal Data Protection Act 2010 (PDPA), organisations in Malaysia now face stricter expectations of accountability and personal data governance. To help, we have prepared a practical framework for implementing PDPA compliance.

7 core personal data protection principles

The foundation of PDPA compliance lies in seven core principles that collectively govern how personal data is collected, used, stored, and disclosed.

General Principle
  What it means: Only collect personal data when necessary and with consent.
  Example: Don’t collect NRIC numbers if just names and emails will do.

Notice and Choice Principle
  What it means: Inform individuals of what personal data you collect and how it will be used.
  Example: Include a clear privacy notice on your website or registration form.

Disclosure Principle
  What it means: Don’t disclose personal data without consent, unless required by law or otherwise necessary.
  Example: Obtain written consent before sharing a client’s details with a third-party service provider (e.g., a marketing agency).

Security Principle
  What it means: Protect personal data from loss, misuse, or unauthorised access.
  Example: Use password protection and encryption for databases storing customer details.

Retention Principle
  What it means: Don’t keep personal data longer than necessary.
  Example: Delete job application forms and candidate records after a set duration (such as 12 months after the hiring process concludes).

Data Integrity Principle
  What it means: Ensure personal data is accurate, complete, and up to date.
  Example: Regularly verify contact details for existing customers in your CRM.

Access Principle
  What it means: Individuals have the right to access and correct their personal data.
  Example: Provide customers a way to view or update their personal information.

Organisations should apply these principles in their daily operations, policies, and data lifecycle processes.
A PDPA-compliant privacy notice

Whether on your website, registration form, or physical premises, a clear and accessible privacy notice is a great first step for organisations to demonstrate the above PDPA principles in action to the individuals whose personal data they collect.

Ensure the notice is easy to find, written in both Bahasa Malaysia and English, and clearly explains:

Under the Notice and Choice Principle, this should be done as early as possible, ideally when someone is first asked for their data or when it is collected.

Building a practical compliance framework

While privacy notices are a good first step, true compliance is only achieved when organisations have built a company-wide culture in which personal data protection is embedded into every part of daily operations. This means having the right systems, processes, and people in place. Here is a practical framework to move towards it:

For a better understanding of who qualifies as a DPO or how to appoint one, check out our guides on:

Scaling PDPA efforts to business size

Matching PDPA efforts to your organisation’s capacity, complexity, and data risk is key to sustainability. Start with the most essential, reassess priorities and expand step by step.

Smaller / newer enterprises

Start with the essentials:

Larger / established businesses

At this stage, PDPA compliance should be embedded in your business functions:

Not every organisation needs to take the same path, but all paths should lead to the same outcome.

Conclusion

Compliance with the PDPA is a continuous journey, and embedding PDPA principles into your business practices lays the foundation for building trust, reducing risk, and staying compliant with changing regulatory expectations.

If you need help putting it into action, we are here to support you with reviewing your current setup, drafting policies, or building a full compliance framework tailored to your needs.
In-House vs Outsourced DPO: A Definitive Guide For Malaysian Businesses

With recent amendments to the Personal Data Protection Act (PDPA) coming into force, Malaysian businesses that meet the threshold for appointing a DPO must now make a strategic decision: “Should we appoint an internal DPO or outsource the role?”

This article breaks down the key considerations of both models, helping you choose an approach that aligns with your organisation’s structure, risk profile, and compliance obligations.

Clarifying the DPO’s role

While there is no formal academic or professional qualification required under the DPO guideline at this moment, a DPO must fulfil certain requirements to qualify for the role:

Whether in-house or outsourced, this ensures they have sufficient competency in data protection law and governance.

Appointing an in-house DPO

Appointing an in-house DPO means promoting one or more qualified team members to the position.

Why this approach works well:

What to watch out for:

Outsourcing the DPO role

Outsourcing the DPO role means engaging an external professional firm or sole practitioner.

Important note for businesses in Malaysia: Outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA.

Why this approach works well:

What to watch out for:

You should ensure your service contracts clearly cover all requirements and scope, making sure both parties are aligned on roles, expectations, and deliverables from the start.

For a deeper dive, see our full guide to DPO outsourcing in Malaysia.

Conclusion

Whatever model you choose (outsourced or in-house), your DPO must be empowered to act, sufficiently resourced, independent in function, and properly registered with the Commissioner.
If you would like assistance, our team is here to help evaluate your position, draft service agreements, and ensure your appointment meets PDPA expectations. Reach out to get started. 
The Business Guide To DPO Outsourcing In Malaysia

Important note for businesses in Malaysia: Outsourcing the DPO role does not transfer legal responsibility. While tasks may be delegated to an external service provider, the organisation remains fully accountable for ensuring compliance with the PDPA.

Starting 1 June 2025, Malaysian businesses that fall under the new Personal Data Protection Act 2025 thresholds must appoint a Data Protection Officer (DPO). While the most established organisations may prefer appointing an in-house DPO, most businesses will find outsourcing this role to seasoned professionals to be the more cost-effective and strategic approach.

As a provider of outsourced DPO services ourselves, we have written this guide to help business decision makers:

Let’s begin.

Clarifying the role of a DPO

To paraphrase guidelines by the Malaysian Department of Personal Data Protection (PDP), a Data Protection Officer is responsible for ensuring the organisation’s total compliance with the PDPA, which means, among other duties:

By law, a DPO must:

In addition, PDP strongly recommends that a DPO should:

It is a specialised role that demands technical expertise and ethical conduct, and with enforcement starting 1 June 2025, a critical hire for businesses.

Signs you need an outsourced DPO

The first step is to assess whether the team has the capacity to meet PDPA requirements without outside help. Our in-house vs external DPO comparison provides a deep dive into the subject, but for our readers’ convenience, here are five key indicators that your organisation would likely benefit from outsourcing the role:

If any of these applies to your organisation, there is a strong argument to outsource your DPO role. Even if you intend to build in-house DPO capacity in the future, an outsourced DPO can ensure immediate compliance with the June 2025 deadline.

How to properly outsource your DPO role

PDP recommends a minimum DPO appointment term of two years to promote stability. To effectively outsource this role, your organisation should:

The service contract should clearly define the DPO’s scope of work, service terms, responsibilities, and access to data.

Best practices when outsourcing

To make the most of your outsourced DPO, consider these operational best practices:

Ensure access to key documents and systems
  Provide the DPO with secure but full access to relevant policies, personal data flows, contracts, and the data register so they can perform their role effectively.

Establish clear escalation protocols
  Define how and when the DPO will be alerted in the event of a personal data breach or incident.

Schedule regular executive-level engagement
  Hold regular briefings between the DPO and top management to review risk exposure, compliance gaps, and training needs.

Designate internal liaisons
  Assign persons from the legal, IT, HR, and security departments to coordinate with the DPO, ensuring smooth collaboration and issue resolution.

Conclusion

If your organisation lacks the people, structure, or independence needed to manage a compliant data protection programme internally, outsourcing your DPO is a strategic, risk-managed solution aligned with regulatory expectations.

We can help you draft compliant service agreements and ensure your appointment meets PDPA expectations. Reach out to get started.
Responsibilities of Executor:

  • Apply for and extract the grant of probate.
  • Make arrangements for the funeral of the deceased.
  • Collect and make an accurate inventory of the deceased’s assets.
  • Settle the debts and obligations of the deceased.
  • Distribute the assets.

Note for Digital Executor:
If you wish to leave your digital assets to certain people in your Will, there are important steps that need to be taken to ensure that your wishes can be carried out:

  • Keep a note of specific instructions on how to access the username and password for each of your digital assets.
  • You are advised to store this private and confidential information on a USB stick, in a password management tool, or in writing.
  • Inform your executor or a trusted person of the whereabouts of these tools so that they will have access to your digital assets.