Human Risk Management Institute

PDPA Malaysia: The Complete Compliance Guide (2026)

Written by Hastin Lia | 13 Jun 2026

The Personal Data Protection Act (PDPA) 2010, or Act 709, is Malaysia's primary data privacy law. It regulates how organisations collect, use, and store personal data in commercial transactions, and binds any business — local or foreign — that processes the personal data of people in Malaysia. Since the Personal Data Protection (Amendment) Act 2024 took effect through 2025, it also mandates 72-hour data breach notification and the appointment of a Data Protection Officer.

For years, PDPA compliance was something many Malaysian businesses treated as paperwork. That changed in 2025. The amendments to Act 709 introduced real obligations with real deadlines, and penalties that now reach individual decision-makers, not just the company. This guide explains what the PDPA requires, what the 2024 amendments changed, and how to bring your organisation into compliance.

Why PDPA Malaysia matters more in 2026

Parliament passed the PDPA in 2010 and enforced it from 2013, but for over a decade the law required no breach reporting and named no one accountable for data protection. The Personal Data Protection (Amendment) Act 2024 closed those gaps. According to Baker McKenzie, the amendment came into force in stages during 2025, with the headline obligations (mandatory breach notification and mandatory DPO appointment) taking effect on 1 June 2025.

The practical effect is that data protection is now an operational duty with fixed timelines, not a policy document filed away. The Personal Data Protection Commissioner reinforced this by issuing implementation guidelines on 25 February 2025 covering exactly how DPO appointment and breach notification should work, and the Commissioner's office remains the official source for the amendment text.

What is personal data under the PDPA?

Personal data is any information that relates to an identified or identifiable individual and is processed in a commercial transaction. In practice this covers names, identity card (MyKad) numbers, contact details, location data, financial records, and any data that can be linked back to a specific person.

The law applies to a data controller (the organisation that decides why and how data is processed, called a "data user" before the 2024 amendment) and, increasingly, to data processors acting on their behalf. The Act exempts only the Federal and State Governments. Crucially, the PDPA still reaches foreign companies: if your business is based outside Malaysia but processes the personal data of people in Malaysia, you are within scope.

The 7 principles of the PDPA

The PDPA is built on seven data protection principles. Every compliance obligation traces back to one of them. The table below summarises each, drawing on the text of Act 709 published by the Department of Personal Data Protection.

Principle | What it requires
1. General | Process personal data only with the individual's consent and for a lawful, directly related purpose.
2. Notice & Choice | Tell individuals, in writing, in English and Malay, why their data is collected, who it may be disclosed to, and their right to access and correct it.
3. Disclosure | Do not disclose personal data for any purpose other than the one it was collected for, without consent.
4. Security | Take practical steps to protect data from loss, misuse, unauthorised access, modification, or disclosure.
5. Retention | Keep personal data only as long as needed for its purpose, then destroy or anonymise it.
6. Data Integrity | Keep personal data accurate, complete, not misleading, and up to date.
7. Access | Give individuals the right to access and correct their personal data on request.

What the 2024 Amendment changed

The Amendment Act is the most important PDPA development since the law was first enforced. Four changes matter most to businesses:

1. Mandatory data breach notification (72 hours)

Data controllers must now notify the Personal Data Protection Commissioner of a breach as soon as practicable, and within 72 hours of becoming aware of it. Where the breach is likely to cause significant harm, the controller must notify affected individuals too. Per DLA Piper, failure to notify carries a fine of up to RM250,000 and/or up to two years' imprisonment.

2. Mandatory Data Protection Officer (DPO)

From 1 June 2025, both data controllers and data processors must appoint at least one DPO accountable for PDPA compliance. The Commissioner's guidelines set out who qualifies and when the appointment must be registered.

3. Data portability and biometric data

The amendment added a right to data portability and brought biometric data (such as fingerprints and facial recognition) explicitly under the definition of sensitive personal data, according to law firm Mayer Brown.

4. Clearer cross-border transfer rules

The Commissioner issued new cross-border transfer guidelines in 2025, replacing the old "whitelist" approach with a framework based on whether the destination country offers comparable protection or adequate safeguards are in place.

PDPA penalties: what non-compliance costs

Act 709 makes breaching any of the seven principles an offence, punishable by a fine of up to RM300,000, up to two years' imprisonment, or both. The newer breach-notification and DPO obligations carry their own penalties: up to RM250,000 and two years' imprisonment for failure to report a breach. Because the 2024 amendment extends liability to data processors and named officers, "the IT vendor handles it" is no longer a defence.

Common PDPA misconceptions

  • "We're a small business, so the PDPA doesn't apply." Size is irrelevant. If you process personal data in commercial transactions, you are a data controller.
  • "We're not based in Malaysia, so we're exempt." The PDPA applies extraterritorially to anyone processing the data of people in Malaysia.
  • "Consent once means consent forever." Consent must be specific to a purpose, and individuals can withdraw it.
  • "Compliance is the IT team's job." The Security Principle requires organisational controls and staff awareness; most breaches start with human error, not technology.

How to comply with the PDPA: a practical checklist

Compliance is a programme, not a one-off project. The steps below map directly to the seven principles and the 2024 obligations:

  • Map your data. Document what personal data you hold, why, where it lives, and who can access it.
  • Fix your notices. Issue PDPA notices in English and Malay at every collection point, stating purpose and disclosure.
  • Appoint a DPO. Designate and register an accountable officer, as now required.
  • Build a breach response plan. Define detection, escalation, and a workflow that can notify the Commissioner inside 72 hours.
  • Tighten retention. Set retention schedules and securely dispose of data past its purpose.
  • Train your people. Because the Security Principle depends on human behaviour, run recurring security awareness training so staff recognise phishing, handle data correctly, and know how to report an incident.

That last point is where most compliance programmes quietly fail. You can write every policy correctly and still suffer a reportable breach because one employee clicked a phishing link. This is why human risk management platforms like SiberMate run recurring security awareness training, turning the Security Principle from a policy line into measured staff behaviour. Technical controls protect the perimeter; trained people protect the data inside it.

Frequently asked questions

Is PDPA compliance mandatory in Malaysia?

Yes. Any individual or organisation that processes personal data in commercial transactions must comply with Act 709. Only the Federal and State Governments are exempt.

What are the 7 principles of the PDPA?

General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access. Together they govern how personal data must be collected, used, secured, and made accessible to the individual.

What is the penalty for breaching the PDPA?

Breaching any of the seven principles can attract a fine of up to RM300,000, up to two years' imprisonment, or both. Failing to report a data breach can add a further fine of up to RM250,000 and two years' imprisonment.

Do I need a Data Protection Officer?

From 1 June 2025, yes. Both data controllers and data processors must appoint at least one DPO accountable for PDPA compliance, following the Commissioner's February 2025 guidelines.

Does the PDPA apply to companies outside Malaysia?

Yes. If your organisation processes the personal data of individuals in Malaysia, the PDPA applies regardless of where your business is located.
