Malaysia is entering a new era of regulatory oversight in data protection and cybersecurity. With the enactment of the Personal Data Protection (Amendment) Act 2024, often referred to by businesses as part of the broader Cybersecurity Act 2024 landscape, organisations operating in Malaysia must fundamentally reassess how they collect, process, store, and protect personal data. For businesses, this is not merely a compliance update. It is a structural shift that directly affects governance, cybersecurity investment, operational accountability, vendor management, and incident response readiness. The amended law introduces stricter obligations, broader accountability, higher penalties, and new rights for individuals, bringing Malaysia closer to global data protection standards.
Cyber incidents today are no longer just technical problems handled by IT teams behind the scenes. Data breaches, ransomware, insider misuse, and weaknesses in third-party vendors can directly disrupt operations, halt services, erode customer trust, and trigger serious financial and legal consequences. For many businesses, a single cyber incident can now affect revenue, reputation, and long-term viability at the same time. This reality has pushed cybersecurity from an operational concern into a core business risk.
Recognising these growing threats, the Malaysian government amended the Personal Data Protection Act 2010 through the Personal Data Protection (Amendment) Act 2024, which was passed in July 2024 and received Royal Assent in October 2024. The amendment strengthens accountability, introduces clearer obligations, and aligns Malaysia’s data protection framework more closely with international standards. It reflects a clear policy shift: organisations are expected to actively manage data protection and cybersecurity risks, not merely react after incidents occur.
For businesses in Malaysia, this reform raises the bar for how cybersecurity and data protection are governed across the organisation. Compliance is no longer limited to policies or technical controls—it now requires leadership involvement, structured governance, stronger oversight of vendors, and readiness to respond transparently when incidents happen. In short, the Cybersecurity Act 2024 signals that data protection maturity is becoming a baseline expectation for doing business in Malaysia, not a competitive differentiator.
One of the most significant changes introduced under the Cybersecurity Act 2024 is the replacement of the term “data user” with “data controller.” This shift is more than a change in wording. It aligns Malaysia’s regulatory framework with global data protection standards such as the GDPR and clearly defines who holds responsibility for personal data. A data controller is now explicitly recognised as the party that determines the purpose and means of processing personal data, making accountability more direct and harder to delegate away. For businesses, this change has clear and practical implications:
In practice, this places boards, executives, and business unit leaders firmly within the scope of responsibility, signalling that data protection is a leadership issue and not just an IT or compliance function.
Previously, data processors often operated behind the scenes with limited direct legal accountability, as most compliance obligations rested with data users. Under the Cybersecurity Act 2024, this position changes materially. Data processors, entities that process personal data on behalf of data controllers, are now explicitly required to comply with the Security Principle under Section 9 of the amended Act and may face penalties if they fail to do so. This elevates data processors from a supporting role to a regulated party with clear legal responsibilities. For businesses, the implications are wide-ranging:
As a result, cybersecurity due diligence across the supply chain becomes a critical component of compliance, governance, and overall business risk management.
One of the clearest operational requirements under the Cybersecurity Act 2024 is the mandatory appointment of a Data Protection Officer (DPO). Both data controllers and data processors are now required to appoint one or more DPOs responsible for overseeing compliance with the Act and acting as the primary liaison with the Personal Data Protection Commissioner. This signals a clear expectation that data protection must be actively governed, not handled informally or on an ad hoc basis. What businesses need to understand:
For many organisations, this requirement goes beyond a simple appointment. It often necessitates new governance structures, clearer role definitions, and formal reporting lines to ensure the DPO can operate effectively and independently.
Under the previous PDPA, organisations were not explicitly required to notify authorities or individuals when a data breach occurred. The Cybersecurity Act 2024 changes this approach by introducing mandatory breach notification obligations, representing a major shift in how incidents must be handled and communicated. If a data controller has reason to believe that a personal data breach has occurred, they must:
Failure to comply may result in fines of up to RM250,000, imprisonment, or both. As a result, incident response plans can no longer remain informal or untested. Detection, escalation, internal decision-making, and external reporting timelines must be clearly defined. Cybersecurity incidents are now directly linked to regulatory exposure, making speed, transparency, and preparedness critical success factors.
The amendment explicitly classifies biometric data, such as facial recognition data, fingerprints, and behavioural identifiers, as sensitive personal data. This reflects growing concerns over the misuse of biometric technologies and the long-term impact of biometric data breaches, which are often irreversible. This change is especially relevant for businesses using:
Because biometric data is now considered sensitive, organisations must apply stronger security controls, stricter access limitations, and enhanced governance. In many cases, this will require reviewing existing systems, vendors, and internal policies to ensure compliance.
For the first time, individuals in Malaysia are granted the right to data portability, allowing them to request that their personal data be transferred directly to another data controller, subject to technical feasibility and data format compatibility. This represents a meaningful shift toward greater consumer control over personal data. For businesses, this means:
While this change encourages competition, transparency, and consumer empowerment, it also requires operational readiness and coordination across technical, legal, and business teams.
The Cybersecurity Act 2024 removes the previous whitelist regime for cross-border data transfers. Instead, businesses may transfer personal data to countries with adequate data protection laws, provided appropriate safeguards are implemented. This offers greater flexibility for international business operations and regional data flows. Key considerations for businesses include:
While the regime is more flexible, it places greater responsibility on organisations to justify and manage cross-border data transfer risks in a structured and defensible manner.
The amended Act significantly increases penalties for non-compliance. Breaches of personal data protection principles may now result in fines of up to RM1 million and imprisonment for up to three years, signalling a much tougher enforcement stance. For businesses, this fundamentally changes the risk calculus:
The message from regulators is clear: weak data protection is no longer tolerated as a cost of doing business.
The Cybersecurity Act 2024 makes it clear that compliance is not solely a legal or IT responsibility. It is an organisation-wide obligation that requires leadership commitment, cross-functional coordination, and sustained execution. Immediate actions businesses in Malaysia should consider include:
Taken together, these steps help organisations move beyond reactive compliance and build a more resilient, trustworthy, and future-ready cybersecurity posture.
The Cybersecurity Act 2024 is not merely a compliance obligation, but an opportunity for businesses in Malaysia to strengthen trust, resilience, and competitiveness. Achieving this goes beyond policies and technology alone; it requires strong governance, continuous employee awareness, and real risk reduction driven by everyday behaviour across the organisation.
This is where SiberMate plays a critical role. SiberMate empowers organisations through a Human Risk Management platform that builds strong security awareness and shapes safer everyday behaviour. By reducing human-driven cyber risk and reinforcing consistent security practices, SiberMate helps organisations defend their digital environment and establish a resilient, trusted foundation—powered by people as the first line of defence.