May 12, 2026

PDPA Compliance Checklist for Malaysian SMEs: 2026 Edition

Written by
Michelle Chin

Entrepreneur & strategist - experienced in driving digital-first insurance innovation, with extensive experience in scaling successful businesses

The Malaysian data protection landscape changed materially in 2025 when the Personal Data Protection (Amendment) Act 2024 came into force on 1 January 2025, followed by the operative provisions on mandatory Data Protection Officer appointment and mandatory data breach notification from June 2025. By 2026, every Malaysian business that handles personal data has to engage with these rules, not as theory but as live compliance obligations with real penalties.

This is the 2026 PDPA compliance checklist for Malaysian SMEs. It walks through the seven Data Protection Principles, the new mandatory Data Protection Officer (DPO) appointment requirement, the mandatory data breach notification regime, the cross-border data transfer rules, the cumulative penalty exposure under the amended Act, and an operational checklist any Malaysian SME holding personal data should be able to tick off.

The article is for SME founders, finance leads, IT managers and the newly-appointed DPOs of Malaysian businesses. For the broader breach-insurance picture, see our PDPA-focused breach insurance guide and PDPA amendments guide. For the cyber insurance product reference, see our cyber insurance guide.

Need to lock in PDPA compliance and the cyber cover that responds when something goes wrong?

We help Malaysian SMEs map their compliance position against the 2024 Amendment Act and put the right cyber and PDPA breach cover in place. See SME business insurance.


What Changed in 2024 and Took Effect in 2025

The Personal Data Protection (Amendment) Act 2024 came into force on 1 January 2025, with the more operative provisions, specifically mandatory DPO appointment and mandatory data breach notification, taking effect in June 2025. The amendments materially expand both the obligations and the penalties under the original PDPA 2010.

Change and what it means:

  • Mandatory DPO appointment: data controllers and data processors must appoint at least one Data Protection Officer, regardless of business size, from June 2025
  • Mandatory data breach notification: data breaches must be notified to the Personal Data Protection Commissioner as soon as practicable; affected data subjects must be notified where significant harm is caused or likely
  • Stricter penalties: maximum fine for breaches of the Data Protection Principles raised from RM300,000 to RM1,000,000; maximum imprisonment raised from 2 to 3 years; failure to notify a breach can attract a fine of up to RM250,000 and/or up to 2 years imprisonment
  • Data portability rights: data subjects have a new right to request transfer of their personal data between controllers in commonly-used formats
  • Cross-border transfer reform: the "whitelist" of approved jurisdictions for personal data export has been abolished and replaced with a principles-based approach
  • Direct obligations on data processors: data processors (not just controllers) now have direct compliance obligations
  • Terminology: "data user" updated to "data controller" to align with international standards

Verify current operative provisions, guidelines and gazetted commencement dates directly with the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP) before relying on a specific figure or date. The Department's website is the authoritative source.

Who Has to Comply

The PDPA applies to any person who processes (or has control over, or authorises the processing of) personal data in respect of commercial transactions. In practice, that is essentially every Malaysian business that collects, uses, stores or shares personal data of customers, employees, vendors or partners.

Specifically, the obligations apply to:

  • Data controllers (formerly "data users"): businesses that determine the purpose and means of processing personal data
  • Data processors: businesses that process personal data on behalf of a data controller (e.g., cloud service providers, payroll providers, marketing platforms, CRM vendors)
  • Both Malaysian-incorporated and foreign businesses that process personal data in Malaysia or in connection with a Malaysian commercial transaction

The Seven Data Protection Principles

The original PDPA 2010 is structured around seven Data Protection Principles. The 2024 amendments did not abolish these; they tightened obligations around them.

Principle and what it requires:

  1. General Principle: personal data may only be processed with consent (subject to defined exceptions) and only for lawful purposes
  2. Notice and Choice: data subjects must be given notice (in English and Bahasa Malaysia) describing the personal data being collected, the purposes, and their rights
  3. Disclosure: personal data must not be disclosed without consent or other lawful basis, and only to parties identified in the notice
  4. Security: data controllers must take practical steps to protect personal data from loss, misuse, modification, unauthorised access, alteration or destruction
  5. Retention: personal data must not be kept longer than necessary for the purpose for which it was collected
  6. Data Integrity: personal data must be accurate, complete, not misleading and kept up to date
  7. Access: data subjects must have a right of access to, and correction of, their personal data

Non-compliance with any of these principles can now attract a maximum fine of RM1,000,000 (raised from RM300,000) and/or up to 3 years imprisonment.

Mandatory DPO Appointment

From June 2025, both data controllers and data processors are required to appoint at least one Data Protection Officer (DPO), regardless of business size.

DPO requirement and what it means:

  • At least one DPO per organisation: larger organisations, or those processing sensitive data, may need more than one
  • Demonstrable skills and expertise: the DPO must demonstrate prescribed skills, qualities and expertise in data protection
  • Language proficiency: proficient in Malay and English
  • Internal or outsourced: the DPO can be an in-house employee or an outsourced service provider
  • Notification to Commissioner: the DPO appointment and business contact information must be notified to the PDP Commissioner within 21 days of appointment
  • Reporting line: the DPO should report to top management and have appropriate independence

Mandatory Data Breach Notification

From June 2025, data controllers must notify the Personal Data Protection Commissioner of a personal data breach as soon as practicable. Where the breach causes or is likely to cause significant harm, data subjects must also be notified.

  1. Initial notification to Commissioner. As soon as practicable after the controller has reason to believe a breach has occurred.
  2. Phased information. If full information is not available at initial notification, the remaining information may be submitted in phases, no later than 30 days from the initial notification.
  3. Notification to affected data subjects. Required where the breach causes or is likely to cause significant harm. Must include the contact details of the DPO or relevant contact person.
  4. Penalty for non-notification. Fine up to RM250,000 and/or imprisonment up to 2 years.

The operational implication is significant: a Malaysian SME that experiences a breach in 2026 has hours and days to act, not weeks. Pre-built incident response is no longer optional. For the 72-hour playbook, see our data breach response plan guide.

Cross-Border Data Transfer

The pre-amendment regime relied on a "whitelist" of approved jurisdictions for personal data export. The 2024 Amendment Act has abolished the whitelist in favour of a principles-based approach. Data controllers must now ensure that personal data transferred outside Malaysia receives protection substantially similar to that under the Malaysian PDPA, or rely on other defined bases (such as data subject consent for specific transfers).

Guidelines on cross-border transfer have been issued by the Personal Data Protection Department. Always verify the current guideline text and any updates directly with JPDP before structuring a cross-border data flow.

Penalty Exposure: The Cumulative Picture

Breach and maximum penalty (per current amendments):

  • Breach of any of the 7 Data Protection Principles: fine up to RM1,000,000 and/or imprisonment up to 3 years
  • Failure to notify the Commissioner of a data breach: fine up to RM250,000 and/or imprisonment up to 2 years
  • Failure to appoint a DPO (where required): separate penalty applies; refer to the current Act text
  • Other compliance failures: various penalties apply under specific provisions

These figures are the maximum fines under the amended Act as of writing. Always verify the current penalty schedule with JPDP. Aggregated across multiple breaches affecting many data subjects, the exposure can be material.

The 2026 SME Compliance Checklist

Items to tick off (record the status of each):

  • Data inventory: documented list of personal data categories processed, purposes and retention periods
  • Privacy notice: published in English and Bahasa Malaysia, covers all required disclosures
  • Consent mechanisms: clear, specific, unambiguous consent capture for non-exempted processing
  • DPO appointed: in-house or outsourced, with appropriate skills, notified to the Commissioner within 21 days of appointment
  • Data breach response plan: documented, role-mapped, includes the Commissioner notification pathway
  • Security controls: appropriate technical and organisational measures (access control, encryption, MFA, logging)
  • Vendor / processor contracts: data processing terms with all processors, reflecting current Act requirements
  • Cross-border transfer mapping: list of countries data flows to, assessed against current guidelines
  • Data subject rights process: documented procedures for access, correction, withdrawal and portability requests
  • Retention policy: documented retention periods aligned to Principle 5
  • Staff training: PDPA awareness training for all staff handling personal data
  • Cyber insurance with PDPA response cover: in place and current
  • Annual compliance review: scheduled and documented

Already appointed a DPO but not sure your cyber cover responds to the new regime?

Cyber insurance with PDPA response cover absorbs the cost of notification, regulator engagement, legal advice and the reputational management around a breach. We can review your current cover against the amended Act. See cyber insurance guide.


Common Compliance Gaps in 2026

Gap, why it matters, and the fix:

  • No DPO appointed. Why it matters: direct non-compliance with a mandatory provision. Fix: appoint an internal or outsourced DPO; notify the Commissioner.
  • No breach response plan. Why it matters: "as soon as practicable" notification is impossible without a plan. Fix: document the plan; brief staff; test annually.
  • Stale privacy notice. Why it matters: the notice does not reflect current processing or the new data subject rights. Fix: review and republish; align the EN and BM versions.
  • Whitelisted-jurisdictions cross-border thinking. Why it matters: the whitelist is abolished; current rules are principles-based. Fix: reassess all overseas data flows against current guidelines.
  • No vendor data processing terms. Why it matters: processors now have direct obligations; controllers should reflect this in contracts. Fix: update vendor contracts with current data protection terms.
  • No staff training. Why it matters: front-line staff handle personal data without awareness of their obligations. Fix: annual training; new-hire onboarding includes a PDPA module.
  • No cyber insurance. Why it matters: a breach with mandatory notification can cost six figures in response alone. Fix: cyber policy with a PDPA response component.

FAQ

When did the PDPA Amendment Act 2024 come into force?

The Personal Data Protection (Amendment) Act 2024 came into force on 1 January 2025. The operative provisions on mandatory Data Protection Officer appointment and mandatory data breach notification took effect in June 2025.

Does my SME need to appoint a DPO?

Yes. Both data controllers and data processors are required to appoint at least one Data Protection Officer, regardless of business size, from June 2025. Verify the current operative position with JPDP.

What are the penalties for breach of Data Protection Principles?

The maximum fine for breaches of the Data Protection Principles has been raised from RM300,000 to RM1,000,000, and the maximum term of imprisonment from 2 to 3 years under the 2024 amendments. Verify with the current Act text.

What is the penalty for failing to notify a data breach?

Failure to notify the Commissioner of a data breach can attract a fine of up to RM250,000 and/or imprisonment of up to 2 years.

How quickly must I notify the Commissioner of a breach?

As soon as practicable after the data controller has reason to believe a breach has occurred. If full information is not available at initial notification, remaining information may be submitted in phases, no later than 30 days from the initial notification.

When do I have to notify data subjects?

Where the breach causes or is likely to cause significant harm to data subjects, they must be notified, with contact details of the DPO or relevant contact person provided.

Can the DPO be outsourced?

Yes. A DPO can be an in-house employee or an outsourced service provider. The DPO must meet the prescribed skills, qualities and expertise requirements and be proficient in Malay and English.

What about the whitelist for cross-border data transfer?

The whitelist of approved jurisdictions has been abolished under the 2024 amendments. Cross-border transfers are now governed by a principles-based approach: data must have substantially similar protection in the destination jurisdiction, or rely on other defined bases. Cross-border transfer guidelines have been issued by JPDP.

Do data processors have direct obligations now?

Yes. Under the 2024 amendments, data processors (not just data controllers) have direct compliance obligations. This is a notable shift from the pre-amendment regime.

What about data subject rights?

Data subjects have rights of access, correction, withdrawal of consent (where consent was the basis), and a new right of data portability for personal data transfer between controllers in commonly-used formats.

How does cyber insurance interact with PDPA compliance?

Cyber insurance can cover the financial cost of breach response: regulator engagement, legal advice, notification logistics, forensic investigation, public relations and (where applicable) third-party claims. It does not replace compliance obligations but it absorbs the cost when compliance is tested by a real incident.

Where do I get the most current PDPA guidance?

Always consult the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP) directly. The Department's website is the authoritative source for current Act text, regulations and guidelines.

Contingent Conclusion

PDPA compliance in 2026 is materially different from PDPA compliance in 2024. Mandatory DPO appointment, mandatory breach notification, principles-based cross-border transfer, direct obligations on data processors, and a meaningfully heavier penalty regime mean the Malaysian SME's data-protection posture has to be live, documented and operationally tested.

The well-run 2026 SME has the DPO appointed and notified, the breach response plan documented and rehearsed, the privacy notice current, vendor contracts updated, and cyber insurance with PDPA response in place. The cost of getting there is modest; the cost of an unmanaged breach is not.

Contingent helps Malaysian businesses find the right coverage for their specific risks. Whether you're comparing options or need a second opinion on existing cover, our team can help.


Disclaimer: This article provides general guidance on Personal Data Protection Act compliance in Malaysia as of May 2026, reflecting the Personal Data Protection (Amendment) Act 2024 provisions in force from 1 January 2025 and the operative DPO and breach notification provisions from June 2025. Statute text, regulations, guidelines and penalty schedules are amended from time to time. Verify current provisions with the Personal Data Protection Department (JPDP) before relying on a specific figure or date. This is not legal advice. Always consult a qualified legal advisor for compliance decisions affecting your specific business.
