PDPA-Compliant Marketing In Malaysia: Customer Database Security & Governance Risks

FYI!

This article is the third in a series on PDPA compliance for marketing processes in Malaysia. See Part 1: PDPA and Marketing in Malaysia and Part 2: Individual Rights Under the PDPA.

As marketing databases grow and campaigns become more automated, businesses in Malaysia face a second layer of PDPA risk: how personal data is stored, shared, retained, and governed over time.

This article focuses on the operational and organisational obligations that arise once marketing data is collected. 

Security of data in marketing databases 

Under the Security Principle in Section 9 of the PDPA, businesses must take practical steps to protect personal data from loss, misuse, modification, and unauthorised or accidental access or disclosure.

As marketing operations often involve multiple systems, teams, and external parties, marketing databases are a common source of personal data security incidents, especially when:

  • customer contact lists are shared with multiple agencies or vendors;
  • access to CRM or email marketing tools is not properly restricted;
  • personal data is exported, downloaded, or transferred without adequate controls; or
  • outdated or inactive databases are left unsecured.

Security practices that keep marketing data within the PDPA's requirements therefore include ensuring that:

  • access to marketing databases is limited to authorised personnel only;
  • role-based access controls are applied to CRM and marketing platforms;
  • personal data shared with marketing agencies is limited to what is strictly necessary;
  • vendors and agencies implement appropriate technical and organisational security measures; and
  • personal data is not casually exported or stored on unsecured devices or personal accounts.

Retention of personal data for marketing 

Under the Retention Principle in Section 10 of the PDPA, personal data must not be kept longer than is necessary for the purpose for which it was collected.  

It further requires the data controller to take reasonable steps to ensure that personal data is destroyed or permanently deleted once it is no longer required. In a marketing context, some businesses prefer to retain customer data “just in case” it may be useful for future campaigns, but such blanket retention is not permitted under the PDPA.

Where a data subject has opted out of direct marketing or withdrawn consent, the personal data should be deleted, unless there is another lawful purpose for retention. 

As the PDPA does not prescribe a fixed retention period, businesses may determine one based on their operational and legal requirements and document it in internal policies or data governance frameworks.

Data accuracy and integrity 

Under the PDPA’s Data Integrity Principle (Section 11), businesses are required to take reasonable steps to ensure that personal data processed is accurate, complete, not misleading and kept up-to-date. 

In a marketing context, data accuracy issues commonly arise where: 

  • outdated contact details are reused for new campaigns; 
  • opt-out or withdrawal of consent records are not properly updated across systems; or 
  • multiple databases are used without proper synchronisation. 

To mitigate these risks, businesses should: 

  • regularly review and cleanse marketing contact lists;
  • ensure opt-out and consent withdrawal records are promptly and consistently updated across all marketing systems; and
  • avoid reusing legacy or imported contact lists without verifying data accuracy.

Use of third-party marketers 

Many organisations outsource marketing to external agencies or rely on third-party platforms. In these arrangements, personal data is often shared with external parties for marketing execution. 

Under the PDPA: 

  • the organisation remains the data controller; and
  • marketing agencies typically act as data processors.

Although data processors also have obligations under the PDPA to safeguard personal data entrusted to them, responsibility and accountability under the PDPA ultimately remain with the organisation.  

To manage risk, businesses should: 

  • put in place written agreements with marketing agencies and service providers;
  • clearly define the permitted scope and purposes of data processing;
  • impose confidentiality and security obligations;
  • restrict onward disclosure or reuse of personal data; and
  • require assistance with opt-out requests, withdrawal of consent, and data deletion.

Outsourcing marketing execution does not outsource PDPA responsibility. 

Requirement to appoint a Data Protection Officer (DPO) 

Businesses that carry out extensive marketing activities should also consider whether they are required to appoint a Data Protection Officer (DPO) under the PDPA. Businesses that process personal data on a large scale (i.e., processing personal data of 20,000 or more data subjects) will be required to appoint a DPO. 

In practice, many marketing-driven businesses reach or exceed this threshold without realising it. Marketing databases often contain thousands of customer records, and when combined with: 

  • employee personal data; 
  • vendor and supplier contact details; and 
  • prospect or lead databases stored in CRM systems, 

the total volume of personal data processed by the business may easily meet the threshold for mandatory DPO appointment.

Internal governance and staff training 

Marketing teams typically have broad access to customer data and campaign tools, making internal governance and staff training critical. Businesses should ensure that personnel involved in marketing activities understand: 

  • when personal data may be used for marketing purposes; 
  • how consent, opt-out, and withdrawal requests must be handled; 
  • restrictions on exporting, sharing, or reusing marketing databases; and 
  • the consequences of non-compliance under the PDPA. 

Additionally, where a Data Protection Officer has been appointed, marketing teams should have a clear escalation path for PDPA-related questions or issues. 

Let ELP be your PDPA legal advisors 

A PDPA-compliant marketing strategy should incorporate security controls, retention limits, vendor governance, and organisational accountability alongside consent and opt-out mechanisms.

If your organisation requires assistance assessing marketing-related PDPA risks, reviewing data retention practices, or evaluating DPO appointment obligations, feel free to reach out for a consultation. 

Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

 © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)