The Personal Data Protection Act (PDPA) 2010 has been enforced with increasing seriousness in Malaysia. With the amended Act now in force and the Department of Personal Data Protection (JPDP) actively investigating complaints, Malaysian businesses can no longer afford to treat data protection as optional.
What is PDPA Malaysia?
The Personal Data Protection Act 2010 (Act 709) governs the collection, processing, storage and use of personal data in commercial transactions in Malaysia. It applies to any organisation that handles personal data of Malaysian individuals in the course of business.
The PDPA Amendment Act 2023 introduced mandatory data breach notification within 72 hours, increased penalties, and removed the previous exemption for certain government-linked entities. If you reviewed your PDPA compliance before 2023, you need to review it again.
Who Must Comply?
You must comply if your business collects or processes any of the following:
- Customer names, identity card (IC) numbers, phone numbers or email addresses
- Employee personal data including payroll information
- Financial data such as credit card or bank account details
- Health or medical information
- Any data that can be used to identify an individual
This covers virtually every Malaysian business with customers or employees. There is no minimum company size exemption for PDPA.
The 7 PDPA Principles Every Business Must Follow
General Principle
Personal data may only be processed with the data subject’s consent and for a lawful purpose.
Notice and Choice Principle
Individuals must be informed of what data is collected and given the choice to consent or refuse.
Disclosure Principle
Data may only be disclosed to third parties for the purpose it was originally collected.
Security Principle
Practical steps must be taken to protect personal data from loss, misuse, modification and unauthorised access.
Retention Principle
Personal data must not be kept longer than necessary for its purpose.
Data Integrity Principle
Reasonable steps must be taken to ensure personal data is accurate, complete, not misleading and up to date.
Access Principle
Individuals have the right to access and correct their own personal data upon request.
Penalties for Non-Compliance
PDPA Compliance Checklist for Malaysian SMEs
- Appoint a Data Protection Officer (DPO) or assign responsibility clearly
- Conduct a data audit to map what personal data you collect and where it is stored
- Update your privacy policy to reflect current data practices
- Implement consent mechanisms on all data collection forms (website, physical forms)
- Establish a data breach response plan with a 72-hour notification procedure
- Encrypt personal data at rest and in transit
- Restrict access to personal data to only those who need it
- Define and enforce data retention and deletion policies
- Train staff on data handling procedures and social engineering risks
- Review all third-party vendors who handle your customer data
PDPA vs ISO 27001 – Do You Need Both?
PDPA is a legal requirement. ISO 27001 is an internationally recognised information security management standard that, when implemented, demonstrates you take data protection seriously beyond the legal minimum. Many larger corporate clients and government-linked companies now require their vendors and partners to be ISO 27001 certified or, at a minimum, to have completed an ISO 27001 readiness assessment.
Cybergate assists businesses with ISO 27001 gap assessment, risk register development, policy documentation and control implementation to prepare for formal certification. The same work also addresses a large portion of the PDPA's technical requirements at the same time.
