A Step-By-Step Guide To Handling Data Breach Notifications In Malaysia 

With the enforcement of Malaysia’s Personal Data Protection (Amendment) Act 2024 (“PDPA”), Circular of Personal Data Protection Commissioner No. 2/2025, and the Data Breach Notification (DBN) Guideline, Malaysian organisations are now under a stricter legal framework to respond swiftly to personal data breaches.  

Below, we explain how organisations can navigate data breach notification obligations with clarity. 

Defining “personal data breach” 

A personal data breach refers to any event that leads or is likely to lead to the breach, loss, misuse, or unauthorised access of personal data.  

According to the DBN Guidelines, common examples include: 

  • sending an email, letter, or form containing personal data to the wrong recipient 
  • misplacing a company-issued laptop containing unencrypted personal data 
  • unauthorised third-party access to personal data held by the organisation 

These can result from either accidental or deliberate actions and may involve internal or external parties. 

When a breach must be reported 

A personal data breach must be reported only if it causes or is likely to cause “significant harm”. 

“Significant harm” includes: 

  • risk of physical harm, financial loss, negative effect on credit scores, or property damage 
  • potential misuse for illegal purposes 
  • exposure of sensitive personal data (e.g., health, financial, biometric) 
  • risk of identity fraud; or 
  • a breach involving more than 1,000 data subjects (i.e. “significant scale”). 

If there is a breach, the organisation should perform a prompt risk impact assessment to determine if the breach meets the threshold of “significant harm”.  

Legal duty of Data Controllers to report breaches 

Under the PDPA, the legal duty to report a personal data breach lies with the Data Controller (i.e., the party that ultimately uses the personal data), in this case, the organisation. 

Even if the breach originates from a third party that processes personal data on the Data Controller’s behalf (e.g. a cloud service provider), the obligation to submit a data breach notification still rests solely with the Data Controller. 

Crucially, failure by a third party to inform the Data Controller of a breach does not excuse the latter from notification duties. 

To ensure compliance, the organisation should: 

  • contractually require its data processors to promptly report any suspected or confirmed personal data breach; and 
  • ensure cooperation from data processors in assessing and investigating incidents 

Notifying the Commissioner within 72 hours   

Once a personal data breach that meets the “significant harm” threshold is discovered, the Data Controller must notify the Personal Data Protection Commissioner: 

  • as soon as practicable and within 72 hours of becoming aware of the personal data breach 

Complete the official Data Breach Notification (DBN) Form and submit it via: 

  • online portal 
  • email to [email protected], or 
  • hardcopy to 8th Floor, Galeria PjH, Jalan P4W Persiaran Perdana, Presint 4, 62100 W.P Putrajaya 

As all three submission methods are treated the same, digital options are strongly encouraged to avoid missing the 72-hour deadline. 

The notification to the Commissioner should also include: 

  • description of the incident and how it occurred 
  • types of personal data involved 
  • number of data subjects and records affected 
  • assessment of risks or harm caused 
  • containment or mitigation measures taken 
  • contact details of the DPO or responsible officer 
  • chronology of events and suspected root cause 
  • systems involved, estimated records, and impact assessment 

If the 72-hour deadline is missed, a written justification for the delay and supporting documents must accompany the late submission. 

Who is the point of contact with the Commissioner? 

The Data Protection Officer (DPO) will act as the main contact point for the Commissioner in relation to a data breach, but only where appointment is mandatory under Section 12A of the PDPA.  

If no DPO is required, the organisation must instead assign a senior representative with sufficient authority and expertise to handle official communications and assist with investigations. 

If you’re unsure if a DPO is mandatory for your organisation, we answer it in our full guide to DPO outsourcing in Malaysia.

Notifying affected data subjects within 7 days 

If there is a likelihood of significant harm to any individual, the affected individual must be notified within 7 days after notifying the Commissioner.  

Acceptable notification methods include: 

  • email, SMS, direct messaging or postal letter (preferred) 
  • public notice, such as a website notice or social media post (only if direct contact is impractical or would require disproportionate effort, e.g. a large number of individuals or outdated contact information) 

Content of the notification must include: 

  • Nature of the breach and what data was affected 
  • Possible consequences to the individual 
  • Steps taken by the organisation 
  • Actions the individual should take 
  • Contact point for enquiries (e.g., DPO) 

Best practices 

1. Establish a Data Breach Response Plan 

  • define roles, escalation procedures, and mitigation protocols 
  • integrate legal, IT, and communications functions 

2. Appoint a DPO (If required) or Designate a Responsible Person 

  • ensure you appoint a DPO if your organisation meets the thresholds under Section 12A PDPA. If not required, assign a senior representative with sufficient knowledge and authority to handle breach-related matters 
  • this individual should be the point of contact and responsible for managing investigations, communications, and follow-up actions 

3. Maintain a Data Breach Register 

  • record all personal data breaches, even those not reported to the Commissioner 
  • keep records for a minimum of 2 years 
  • include detection time, assessment, notification decisions, and mitigation efforts 

4. Conduct Staff Training 

Train all employees to: 

  • recognise potential breaches 
  • report incidents promptly within internal escalation timeframes 

5. Prepare Notification Formats and Templates 

Pre-approved templates help ensure consistency, legal accuracy, and faster response during high-pressure breach scenarios.  

6. Review Vendor Agreements 

Ensure third-party data processors are contractually bound to: 

  • notify personal data breaches without delay 
  • cooperate in investigations and containment 
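One way to operationalise the risk impact assessment, the 72-hour and 7-day clocks, and the breach register described above, as an added example that is not part of the original guide (the record schema, risk labels and the two sample incidents are constructed assumptions, not regulator-issued formats):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Threshold criteria as summarised on this page (constructed labels for the risk categories).
SENSITIVE_DATA = {"health", "financial", "biometric"}
HARM_RISKS = {"physical_harm", "financial_loss", "credit_score", "property_damage",
              "illegal_misuse", "identity_fraud"}
SIGNIFICANT_SCALE = 1000  # "significant scale": more than 1,000 data subjects


@dataclass
class BreachRecord:
    """One entry in the data breach register (hypothetical schema)."""
    incident_id: str
    aware_at: datetime                 # when the Data Controller became aware of the breach
    data_types: set
    data_subjects: int
    risks: set = field(default_factory=set)
    commissioner_notified_at: Optional[datetime] = None


def significant_harm_reasons(rec: BreachRecord) -> list:
    """Reasons the breach meets the 'significant harm' threshold; an empty list means no duty to notify."""
    reasons = []
    if rec.risks & HARM_RISKS:
        reasons.append("risk of harm: " + ", ".join(sorted(rec.risks & HARM_RISKS)))
    if rec.data_types & SENSITIVE_DATA:
        reasons.append("sensitive personal data: " + ", ".join(sorted(rec.data_types & SENSITIVE_DATA)))
    if rec.data_subjects > SIGNIFICANT_SCALE:
        reasons.append(f"significant scale: {rec.data_subjects} data subjects")
    return reasons


def deadlines(rec: BreachRecord) -> dict:
    """Statutory clocks: 72h to the Commissioner, 7 days after that to data subjects, 2-year retention."""
    commissioner_due = rec.aware_at + timedelta(hours=72)
    # If the Commissioner has not been notified yet, plan the data-subject deadline
    # against the latest permitted Commissioner notification time.
    base = rec.commissioner_notified_at or commissioner_due
    return {
        "commissioner_due": commissioner_due,
        "data_subjects_due": base + timedelta(days=7),
        "retain_until": rec.aware_at + timedelta(days=2 * 365),  # register kept >= 2 years
        "commissioner_late": rec.commissioner_notified_at is not None
                             and rec.commissioner_notified_at > commissioner_due,
    }


# Constructed sample incidents: a lost unencrypted laptop with health records, and a misdirected email.
SAMPLE_REPORTABLE = BreachRecord("INC-0001", datetime(2025, 6, 1, 9, 30), {"name", "health"}, 1200,
                                 {"identity_fraud"}, datetime(2025, 6, 2, 15, 0))
SAMPLE_MINOR = BreachRecord("INC-0002", datetime(2025, 6, 1, 9, 30), {"name", "email"}, 40)
```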

What is a Data Protection Officer?

A Data Protection Officer (DPO) is a company employee responsible for ensuring an organisation’s full compliance with the Personal Data Protection Act (PDPA). As of 2025, appointing one is a legal requirement for many businesses in Malaysia.

Non-compliance penalties 

Under Section 12B(3) of the PDPA, failure to notify may result in: 

  • a fine up to RM250,000 
  • imprisonment up to 2 years, or  
  • both 

Non-compliance may also lead to reputational harm, regulatory scrutiny, and loss of customers’ trust. 

Conclusion

In our practice, we have seen that the organisations best equipped to manage personal data breaches are those that invest early in the right people, well-defined processes, and clear protocols.

When a breach occurs, readiness makes all the difference, not just in compliance, but in preserving stakeholder trust and business continuity.  If you are unsure whether your organisation is truly prepared, now is the time to assess and strengthen your response framework. 

Wong Shen Ming

Shen Ming is a corporate and commercial lawyer who is deeply committed to supporting her clients in achieving their business goals. Specialising in commercial and employment law, she demonstrates her expertise by crafting and reviewing various types of commercial agreements.

 © Copyright 2025, Edwin Lee & Partners (Reg No.: 000020008633)