February 26, 2026

PDPA Malaysia Amendments 2026 Guide: What Your Business Must Do Now

Written by
Michelle Chin

Entrepreneur & strategist - experienced in driving digital-first insurance innovation, with extensive experience in scaling successful businesses

Malaysia's Personal Data Protection Act 2010 (PDPA) has had its most significant overhaul since it came into force in 2013. The Personal Data Protection (Amendment) Act 2024 rolled out in three phases between 1 January and 1 June 2025, and the changes affect virtually every business that handles personal data in commercial transactions.

This guide explains what changed, what it means for your business, and the specific steps you need to take to stay compliant.

This guide covers:

  • The key PDPA 2024 amendments and when they took effect
  • Mandatory breach notification: the 72-hour rule
  • Data Protection Officer (DPO) requirements and thresholds
  • New penalty framework (fines up to RM1 million)
  • Cross-border data transfer changes
  • How cyber insurance fits into your PDPA compliance strategy
  • A practical compliance checklist

What Is the PDPA and Who Does It Apply To?

The Personal Data Protection Act 2010 is Malaysia's primary legislation governing the processing of personal data in commercial transactions. It was enacted in 2010, came into force in November 2013, and is enforced by the Personal Data Protection Commissioner (PDPC) under the Ministry of Digital.

Personal data under the PDPA means any information in respect of a commercial transaction that relates directly or indirectly to an identifiable individual. That includes names, IC numbers, email addresses, phone numbers, financial records, and photographs. Biometric data such as fingerprints and facial scans was already personal data; the 2024 amendments additionally classify it as sensitive personal data, which attracts the stricter consent and security rules described below.

The PDPA applies to any person or organisation that processes personal data in the course of commercial transactions. It does not currently apply to federal and state government entities or non-commercial activities such as those by charities, political parties, or non-profit organisations.

PDPA applies to:

  • Private companies processing customer, employee, or supplier data
  • E-commerce businesses collecting user information
  • Professional services firms handling client data
  • Healthcare providers, clinics, dental practices
  • Any business with employees in Malaysia (employee data counts)

PDPA does not apply to:

  • Federal and state government entities
  • Non-commercial activities (charities, NGOs)
  • Data of deceased individuals (as of the 2024 amendment)
  • Personal or domestic processing

If you're running an SME in Malaysia and you collect names, emails, IC numbers, or payment details from customers or staff, the PDPA applies to you.

The Seven Data Protection Principles

The PDPA is built on seven principles that govern how personal data must be handled. Every amendment and enforcement action traces back to these principles. A breach of any one of them can now result in fines up to RM1 million.

  • General Principle: process personal data only with consent and for lawful purposes
  • Notice and Choice: inform individuals why you are collecting their data and who it may be shared with, and give them a choice
  • Disclosure: do not disclose personal data to third parties without consent or another legal basis
  • Security: take practical steps to protect personal data from loss, misuse, and unauthorised access
  • Retention: do not keep personal data longer than necessary, and destroy it properly when it is no longer needed
  • Data Integrity: keep personal data accurate, complete, and up to date
  • Access: individuals have the right to access their personal data and request corrections

What Changed: The 2024 Amendment Timeline

The PDPA amendments came into effect in three phases. All are now in force.

  • Phase 1 (1 January 2025): terminology change, with "data controller" replacing "data user" throughout the Act, plus consequential administrative and procedural amendments
  • Phase 2 (1 April 2025): biometric data classified as sensitive personal data, the cross-border transfer "whitelist" replaced with the substantially-similar-law or adequate-safeguards test, maximum fines for breaching the data protection principles raised to RM1 million, and data processors made directly liable under the Security Principle
  • Phase 3 (1 June 2025): mandatory DPO appointment, mandatory data breach notification within 72 hours, and the right to data portability

Mandatory Data Breach Notification: The 72-Hour Rule

Before June 2025, the PDPA had no mandatory requirement to report data breaches. That's changed completely.

Under the new Section 12B, if you have reason to believe a personal data breach has occurred, you must notify the PDPC. Where the breach causes or is likely to cause "significant harm" to affected individuals, you must also notify those individuals. The obligations are:

  • Notify the PDPC: within 72 hours of becoming aware of the breach. The notification must include details of the breach, the data affected, and the remedial steps taken. Written reasons are required if the notification is late.
  • Notify affected individuals: within 7 days of notifying the PDPC, and only where the breach causes or is likely to cause significant harm. You must tell individuals the nature of the breach and the steps they should take to protect themselves.
  • Maintain a breach register: ongoing. Every data breach must be documented, whether or not it was notifiable, and the records retained for at least 2 years. The register must be available for PDPC inspection on request.

What Counts as "Significant Harm"?

The PDPA and its guidelines recognise the following as significant harm:

  • Physical injury: the breach exposes data that could endanger an individual's physical safety
  • Financial loss: bank account details, credit card information, or financial records are leaked
  • Damage to credit record: identity theft using compromised IC numbers or financial data
  • Loss or damage to property: compromised security access credentials lead to property loss
  • Misuse for illegal purposes: stolen personal data is used for fraud or impersonation
  • Sensitive personal data compromised: health records, biometric data, religious beliefs, or political opinions are exposed

Failure to notify the PDPC as required carries a fine of up to RM250,000 or imprisonment for up to 2 years, or both. This penalty applies on top of any fines for the underlying data protection violation itself.

What This Means in Practice

72 hours is not a lot of time, and the clock starts when you become aware of the breach, not when the investigation finishes. Record the timestamp of first detection, because the deadline is measured from it and any written reasons for a late notification will have to account for the time elapsed since then. When a breach is detected, you need to simultaneously investigate the scope, contain the damage, assess whether it triggers the notification threshold, prepare the required documentation, and submit it to the PDPC. You can't build this capability from scratch during a crisis.

This is one of the key reasons cyber insurance has become more relevant for Malaysian businesses. Most cyber policies include incident response coverage that provides access to forensic investigators, legal counsel, and breach notification specialists who can help you meet these deadlines.

Mandatory Data Protection Officer (DPO) Appointment

Effective June 2025, certain organisations must appoint a Data Protection Officer. The DPO requirement applies to both data controllers and data processors.

Who Must Appoint a DPO?

You must appoint a DPO if your processing of personal data involves:

  • Personal data of 20,000 or more individuals
  • Sensitive personal data of 10,000 or more individuals
  • Activities requiring regular and systematic monitoring of personal data (e.g., behavioural advertising, algorithmic recommendations, CCTV monitoring, telecom network operations)

DPO Qualification Requirements

  • Residency: must be physically present in Malaysia for at least 180 days per calendar year, or easily contactable by Malaysian authorities
  • Language: proficient in both Bahasa Malaysia and English
  • Knowledge: sound understanding of the PDPA, the organisation's operations, and information technology and data security
  • Reporting line: must report directly to senior management, and cannot hold responsibilities that conflict with the DPO role
  • Appointment type: can be an existing employee or an external appointee (outsourced DPO)
  • Registration: must be registered with the PDPC within 21 days of appointment via the Personal Data Protection System portal (daftar.pdp.gov.my)
  • Contact: a dedicated business email address must be created specifically for the DPO function, separate from personal or other business emails

Appointing a DPO does not transfer your compliance obligations to that person. The organisation remains responsible for meeting PDPA requirements. The DPO's role is to advise, monitor, and serve as the point of contact with the PDPC and data subjects.

New Penalty Framework

The 2024 amendments significantly increased the financial consequences of non-compliance.

  • Breach of the data protection principles (Sections 6-12): previously a fine of up to RM300,000 and/or 2 years' imprisonment; now a fine of up to RM1,000,000 and/or 3 years' imprisonment
  • Failure to notify the PDPC of a data breach: not previously an offence; now a fine of up to RM250,000 and/or 2 years' imprisonment
  • Unlawful collection, processing, or sale of personal data: unchanged at a fine of up to RM500,000 and/or 3 years' imprisonment
  • Failure to comply with a PDPC enforcement notice: unchanged at a fine of up to RM200,000 and/or 2 years' imprisonment

In March 2025, the PDPC published a list of organisations penalised for non-compliance, signalling a more proactive enforcement stance. Reported fines for violations of data protection principles have ranged from RM12,500 to RM108,000 in recent enforcement actions. The RM1 million maximum now gives the regulator significantly more room to penalise serious violations.

Other Key Changes

Data Processor Liability

Previously, only data controllers (the organisation that determines why and how data is processed) had direct PDPA obligations. Now, data processors (third-party vendors, cloud providers, outsourced service providers) are directly liable for compliance with the Security Principle under Section 9.

If you outsource data processing to a third party and they suffer a security breach, they can be penalised directly. But you're not off the hook either. You need contracts that clearly define data protection responsibilities and hold your processors to the same standards.

Cross-Border Data Transfers

The old "whitelist" regime, where international data transfers were only permitted to countries approved by the Minister, never actually resulted in any countries being gazetted. The new framework replaces this with a more practical approach. Transfers are permitted if the destination jurisdiction has laws "substantially similar" to the PDPA, or if the organisation can demonstrate "adequate" data protection safeguards at the receiving end.

Guidelines on cross-border data transfers were issued on 29 April 2025, providing additional clarity on conducting transfer impact assessments.

Right to Data Portability

Effective June 2025, individuals can request their personal data be transferred to another service provider in a structured, commonly used format. This creates new operational requirements for IT and compliance teams to handle portability requests efficiently.

Biometric Data as Sensitive Personal Data

Biometric data, including fingerprints and facial recognition data, is now classified as sensitive personal data. This means stricter consent requirements and higher security obligations apply. If you use fingerprint scanners for office access or facial recognition for time attendance, these systems now fall under the stricter sensitive data rules.

How Cyber Insurance Fits Your PDPA Compliance Strategy

The PDPA does not require businesses to carry cyber insurance. But the 2024 amendments create financial exposures that cyber insurance is specifically designed to cover.

  • Breach notification within 72 hours. What could go wrong: you don't have the forensic capability to determine breach scope quickly enough. How cyber insurance helps: covers incident response costs including forensic investigators, legal counsel, and breach notification specialists.
  • Notification to affected individuals. What could go wrong: the cost of notifying thousands of affected customers, plus credit monitoring services. How cyber insurance helps: covers notification costs and credit monitoring for affected individuals.
  • Security Principle compliance. What could go wrong: a data breach shows your security measures were inadequate and the PDPC investigates. How cyber insurance helps: covers regulatory defence costs, and fines where these are insurable by law.
  • Business continuity during a breach. What could go wrong: systems go offline during investigation and remediation. How cyber insurance helps: covers business interruption losses and extra expenses during recovery.
  • Third-party claims. What could go wrong: customers or business partners bring claims for damages resulting from your data breach. How cyber insurance helps: covers defence costs and damages for privacy and network security liability claims.

Think of it this way: the PDPA tells you what you must do. Cyber insurance helps pay for it when things go wrong despite your best efforts. Having both, a compliance framework and financial protection, is the practical approach.

For a deeper look at what cyber policies actually cover and exclude, read our full guide to cyber insurance in Malaysia.

PDPA Compliance Checklist for Malaysian Businesses

Use this checklist to assess your current compliance status against the amended PDPA requirements.

Mark each item Done, Not Done, or N/A where indicated.

  • Registration: registered with the PDPC as a data controller (required for certain sectors under the Registration Regulations 2013). Done / Not Done / N/A
  • Privacy notices: updated to reflect current data processing purposes, third-party disclosures, and individual rights. Done / Not Done
  • Consent records: documented evidence of consent for all personal data processing activities. Done / Not Done
  • DPO appointment: if you meet the threshold (20,000+ individuals or 10,000+ sensitive data subjects), a DPO has been appointed and registered with the PDPC within 21 days. Done / Not Done / N/A
  • Breach response plan: written incident response plan covering detection, containment, assessment, PDPC notification within 72 hours, and individual notification within 7 days. Done / Not Done
  • Breach register: system in place to document all data breaches and retain records for a minimum of 2 years. Done / Not Done
  • Security measures: technical and organisational measures in place to protect personal data (encryption, access controls, MFA, backups). Done / Partial / Not Done
  • Data processor contracts: contracts with third-party processors include data protection obligations aligned with PDPA requirements. Done / Not Done
  • Cross-border transfers: if transferring data outside Malaysia, assessed whether the destination provides adequate protection or substantially similar laws. Done / Not Done / N/A
  • Data portability: capability to fulfil data portability requests in a structured format. Done / Not Done
  • Staff training: employees trained on data protection responsibilities and breach reporting procedures. Done / Not Done
  • Retention policy: data retention schedule in place with procedures for secure destruction of data no longer needed. Done / Not Done
  • Cyber insurance: evaluated whether cyber insurance coverage is appropriate for your data breach and regulatory exposure. Done / Not Done

FAQ

What is the PDPA Malaysia?

The Personal Data Protection Act 2010 (PDPA) is Malaysia's primary data protection law. It regulates how personal data is collected, processed, stored, and shared in commercial transactions. Enforced by the Personal Data Protection Commissioner, it applies to all businesses handling personal data of individuals in Malaysia.

When did the PDPA 2024 amendments take effect?

The amendments rolled out in three phases: 1 January 2025 (terminology change from "data user" to "data controller" and related administrative amendments), 1 April 2025 (higher penalties, biometric data classified as sensitive, new cross-border transfer rules, direct data processor liability), and 1 June 2025 (mandatory DPO appointment, breach notification, data portability). All phases are now in force.

What is the maximum fine under the amended PDPA?

Fines for breaching the data protection principles increased from RM300,000 to RM1,000,000. The maximum imprisonment term was extended from 2 to 3 years. Separate penalties apply for breach notification failures (up to RM250,000) and other specific offences.

Does my business need to appoint a Data Protection Officer?

Yes, if you process personal data of 20,000 or more individuals, sensitive personal data of 10,000 or more individuals, or conduct regular and systematic monitoring of personal data. The DPO can be an existing employee or an outsourced professional, but must be registered with the PDPC within 21 days of appointment.

What happens if I don't report a data breach within 72 hours?

Failure to comply with the mandatory breach notification requirement carries a fine of up to RM250,000 or imprisonment for up to 2 years, or both. Written reasons must be provided if notification is delayed beyond 72 hours. You must notify the PDPC of any breach you have reason to believe has occurred; affected individuals must also be notified when the breach causes or is likely to cause them significant harm.

Does the PDPA apply to small businesses?

Yes. The PDPA applies to any person or organisation processing personal data in commercial transactions, regardless of business size. If you collect customer names, emails, IC numbers, or payment details, you're subject to the PDPA. The DPO requirement has a threshold, but the data protection principles apply to all businesses.

Does the PDPA require businesses to have cyber insurance?

No. Cyber insurance is not a PDPA requirement. But the amended penalties and mandatory breach notification create financial exposures that cyber insurance is designed to cover, including incident response costs, notification expenses, regulatory defence, and business interruption losses. Read our cyber insurance guide for details.

What's the difference between the PDPA and GDPR?

Both regulate personal data processing, but they differ in scope and approach. The PDPA applies to commercial transactions in Malaysia, while GDPR covers all data processing in the EU/EEA. The 2024 amendments brought the PDPA closer to GDPR standards by introducing breach notification, DPO requirements, and data portability. Key differences remain: the PDPA doesn't apply to government entities, and GDPR fines can reach up to 4% of global annual turnover.

Can individuals claim compensation for a data breach under the PDPA?

Currently, individuals do not have a direct statutory right to claim compensation under the PDPA for a data breach. The PDPC enforces the Act through fines and imprisonment but does not have authority to order compensation. Affected individuals may pursue civil claims through the courts separately.

Do I need to register my biometric data systems with the PDPC?

There is no separate PDPC registration for biometric systems. The 2024 amendments classify biometric data (fingerprints, facial scans) as sensitive personal data, so you need the individual's explicit consent to collect it, stricter security measures to protect it, and must include it in your data processing records. If your biometric processing meets the DPO threshold (sensitive personal data of 10,000 or more individuals), you'll also need a DPO.

Contingent Conclusion

The PDPA 2024 amendments represent a step change in Malaysia's data protection expectations. Higher fines, mandatory breach notification, and DPO requirements mean the cost of non-compliance has increased significantly. For businesses that handle personal data, and that's nearly every business, the question isn't whether to comply but how quickly you can close any gaps.

Compliance reduces your regulatory risk. Cyber insurance provides a financial safety net for when things go wrong despite your best efforts. Both work together.

Contingent helps Malaysian businesses understand and secure cyber insurance coverage that reflects how digital threats actually work, not outdated policy templates.
