Does PDPA apply to my Malaysian SME?

Yes. The Personal Data Protection Act 2010 applies to any commercial entity in Malaysia that processes personal data — regardless of size. SMEs in e-commerce, professional services, healthcare, education, and tourism are all in scope. The 2024 Amendment Act removes the previous size-based exemption uncertainty and raises penalties to RM 1 million per breach.

What is the PDPA 2024 Amendment Act and when does it take effect?

The Personal Data Protection (Amendment) Act 2024 introduces mandatory breach notification (72 hours to the PDPC), mandatory DPO appointment for certain classes of data controllers, cross-border transfer reform replacing the whitelist regime, and direct data-processor liability. Phased enforcement runs from 1 June 2025 through 2026.

Who must appoint a Data Protection Officer in Malaysia?

Under the 2024 Amendment, DPO appointment is mandatory for data controllers and processors meeting PDPC-prescribed thresholds — including FIs, telcos, healthcare providers, and any organisation processing large volumes of sensitive personal data. nCrypt offers DPO-as-a-Service for Malaysian SMEs that do not need a full-time in-house DPO.

What is the deadline to respond to a PDPA data subject request?

Data controllers must respond to a data access or correction request within 21 days from receipt under Section 30. The 2024 Amendment also adds a data portability right with a 21-day response window. Late or improper responses are a compoundable offence under Section 130.

How does PDPA interact with BNM data localisation requirements?

PDPA governs personal data handling generally, while BNM's RMiT Policy Document and Outsourcing Policy impose additional data residency and cross-border outsourcing approval requirements on licensed FIs. nCrypt advises Malaysian FIs on the dual-regime overlay — PDPA + BNM — including hosting, vendor due-diligence, and breach-notification interplay.

CompliancePDPA

Personal Data Protection Act 2010

PDPA ComplianceServices Malaysia

Comprehensive Personal Data Protection Act compliance services. We help you protect personal data, implement security controls, and meet Malaysian data protection requirements.

Data Protection Experts

100+ Organizations Helped

Full Compliance Support

Get PDPA Assessment View All Compliance

RM500K

Max Penalty per Offense

3 Years

Maximum Imprisonment

100+

Organizations Helped

100%

Compliance Success

New Regulation

PDPA 2024 Amendment Act (Act A1709) — Effective 1 June 2025

Malaysia's Personal Data Protection (Amendment) Act 2024 (Act A1709) substantially extends PDPA 2010 with mandatory DPO appointments, 72-hour breach notification, and increased penalties. Phased enforcement begins 1 June 2025 and continues into 2026.

Every commercial data user processing personal data of Malaysian residents must reassess their compliance posture against the amended regime. Below are the headline obligations every Malaysian organisation should plan against today.

•Mandatory Data Protection Officer (DPO) appointment for designated classes of data controllers and large-scale processors. The DPO must be reachable, qualified, and independent of conflicting business functions.
•72-hour breach notification to the Personal Data Protection Commissioner (PDPC) and to affected data subjects where there is risk of significant harm. This brings Malaysia into alignment with GDPR-style timelines and replaces the prior “reasonable” window.
•New data portability rights for data subjects — the right to request that their personal data be transmitted in a structured, commonly used format to another data controller where technically feasible.
•Increased penalties — fines of up to RM 1 million per offence and/or imprisonment up to 3 years for serious breaches. Director liability extends to “controlling minds” of the data controller.
•Data Trust Officer concept — a new accountability role designed to bridge governance, legal, security, and operations in handling cross-functional data protection matters.
•Cross-border data transfer overhaul — the previous whitelist regime is being replaced with an adequacy/safeguards model. Transfers now hinge on whether the destination provides comparable protection or contractual safeguards are in place.

The 7 PDPA Principles

Understanding PDPA Requirements

The PDPA establishes seven key principles that organizations must follow when processing personal data.

General Principle

Processing personal data with consent

Notice & Choice

Informing data subjects of data use

Disclosure

Limiting data sharing to stated purposes

Security

Protecting personal data from breaches

Retention

Keeping data only as long as necessary

Data Integrity

Ensuring accuracy and completeness

Access

Right to access and correct data

Our Services

Complete PDPA Compliance Support

End-to-end services to help your organization achieve and maintain PDPA compliance.

Data Protection Assessment

Comprehensive audit of your data processing activities

Data inventory & mapping
Processing activity review
Legal basis analysis
Cross-border transfer review

Security Controls

Technical measures to protect personal data

Access control implementation
Encryption solutions
Data loss prevention
Security monitoring

Governance & Policies

Organizational frameworks for data protection

Privacy policy development
Data handling procedures
Consent management
Breach notification process

Non-Compliance Penalties

PDPA Violations Can Be Costly

Non-compliance with PDPA can result in fines up to RM500,000 and/or imprisonment up to 3 years per offense.

Ensure Your Compliance Today

PDPA Compliance Assessment

Get a comprehensive assessment of your PDPA compliance status with actionable recommendations.

Complete data processing audit

Gap analysis report

Remediation roadmap

Policy templates

Request Assessment Call +6012 770 7421

Free initial consultation

Get your PDPA readiness score

Share your scope. We'll respond within 24 hours.

Get a Free Quote

Share your scope. We'll respond within 24 hours.

Protect Personal Data

Ensure your organization complies with Malaysia's Personal Data Protection Act and avoid costly penalties.

Request Assessment Call +6012 770 7421

Last reviewed: 12 May 2026 by nCrypt Compliance Team (CISA, ISO 27001 Lead Auditor)

PDPA 2024 Amendment Act (Act A1709) — Effective 1 June 2025

•Mandatory Data Protection Officer (DPO) appointment for designated classes of data controllers and large-scale processors. The DPO must be reachable, qualified, and independent of conflicting business functions.

•72-hour breach notification to the Personal Data Protection Commissioner (PDPC) and to affected data subjects where there is risk of significant harm. This brings Malaysia into alignment with GDPR-style timelines and replaces the prior “reasonable” window.

•New data portability rights for data subjects — the right to request that their personal data be transmitted in a structured, commonly used format to another data controller where technically feasible.

•Increased penalties — fines of up to RM 1 million per offence and/or imprisonment up to 3 years for serious breaches. Director liability extends to “controlling minds” of the data controller.

•Data Trust Officer concept — a new accountability role designed to bridge governance, legal, security, and operations in handling cross-functional data protection matters.

•Cross-border data transfer overhaul — the previous whitelist regime is being replaced with an adequacy/safeguards model. Transfers now hinge on whether the destination provides comparable protection or contractual safeguards are in place.