Malaysia’s Personal Data Protection (Amendment) Act 2024 will come into effect on 1 June 2025, introducing new obligations for businesses operating in Malaysia. Non-compliance may result in fines up to RM1 million or imprisonment for up to three years.

Key Amendments Effective 1 June 2025

1. Mandatory Appointment of a Data Protection Officer (DPO)

Organizations are required to appoint a DPO if they:

  • Process personal data of more than 20,000 individuals.
  • Handle sensitive personal data (e.g., financial or health-related) of over 10,000 individuals.
  • Engage in regular and systematic monitoring of individuals (e.g., behavioral advertising, health data tracking via apps).

DPO Requirements:

  • Must reside in Malaysia for at least 180 days per year or be easily contactable by Malaysian authorities.
  • Proficient in both Bahasa Malaysia and English.
  • Possess a good understanding of the PDPA.
  • Should not have conflicting responsibilities and must report directly to senior management.

Notification:

  • The appointment must be reported to the Personal Data Protection Commissioner within 21 days.
  • A dedicated business email address for the DPO must be established.

2. Mandatory Data Breach Notification

Data controllers must notify the Commissioner of any personal data breach that causes or is likely to cause significant harm to affected individuals.

Notification Requirements:

  • Notify the Commissioner as soon as practicable and, in any event, within 72 hours of becoming aware of the breach.
  • Inform affected individuals within seven days if the breach is likely to result in significant harm.

Definition of Significant Harm:

  • Physical injury (e.g., unauthorized disclosure of medical information).
  • Financial loss (e.g., exposure of banking details).

Record-Keeping:

  • Maintain records of all data breaches and notifications for a minimum of two years.

3. Right to Data Portability

Individuals have the right to request the transfer of their personal data from one data controller to another, provided the transfer is technically feasible and secure.

Company Obligations:

  • Enable data retrieval in a commonly used and machine-readable format.
  • Securely transfer personal data without undue delay.
  • Document and track such requests to demonstrate compliance.

Steps for Companies to Prepare

1. Assess Applicability

  • Determine if your organization meets the thresholds requiring a DPO appointment.
  • Evaluate data processing activities for regular and systematic monitoring.

2. Appoint a Qualified DPO

  • Identify and onboard a suitable candidate.
  • Establish a dedicated business contact channel.
  • Complete registration with the Commissioner within the required timeframe.

3. Review and Update Policies

  • Revise data breach management policies to align with the new notification obligations.
  • Ensure procedures include internal reporting chains, documentation protocols, and risk assessment criteria.

4. Train Relevant Personnel

  • Provide training on new legal obligations to employees involved in data processing, information security, and compliance.

5. Update Privacy Notices

  • Reflect the appointment of a DPO and the process for responding to breaches in privacy notices and external-facing materials.

6. Review Contracts with Third-Party Processors

  • Ensure contracts include provisions requiring prompt breach reporting and cooperation.

By proactively addressing these changes, companies can ensure compliance with the updated PDPA and enhance their data protection practices.