Malaysia's data protection law was, for over a decade, one of the lightest-touch regimes in the region. That era is over. The Personal Data Protection (Amendment) Act 2024 — with its headline obligations in force from 1 June 2025 — brings Malaysia much closer to the EU's GDPR: a mandatory Data Protection Officer, mandatory 72-hour breach notification, tougher penalties, a new cross-border transfer regime, and direct liability for data processors. For a foreign company operating in Malaysia — running HR systems, e-commerce, a CRM, or a customer database — this is now a live compliance obligation, not a background formality. This guide explains what changed, who must comply, and the concrete steps to get compliant.
The law and who it applies to
The Personal Data Protection Act 2010 (PDPA) governs the processing of personal data in commercial transactions in Malaysia, administered by the Personal Data Protection Commissioner under the Ministry of Digital. It applies to any organisation that processes personal data in Malaysia — regardless of where the company is headquartered — so a foreign-owned Sdn. Bhd., a branch, or even an overseas company using equipment in Malaysia to process data can fall within scope.
The 2024 Amendment does not replace the PDPA; it upgrades it. The most important structural change is terminology with teeth: the old term "data user" becomes "data controller", and — critically — "data processors" (the vendors and service providers who handle data on your behalf) are now placed under direct legal obligations, especially the Security Principle. Previously only the data user was liable; now your outsourced payroll bureau or cloud vendor carries its own statutory duty.

The seven principles you are still built on
Underneath the new obligations, the PDPA still rests on seven data protection principles. Every compliance programme should map back to these:
- General Principle — process personal data only with consent or a lawful basis.
- Notice & Choice — tell data subjects what you collect, why, and their rights (a privacy notice, in Malay and English).
- Disclosure — do not disclose data for purposes other than those notified, without consent.
- Security — protect data with appropriate technical and organisational safeguards.
- Retention — do not keep data longer than necessary.
- Data Integrity — keep data accurate, complete and up to date.
- Access — let data subjects access and correct their data.
What the 2024 Amendment actually changed
Six changes matter most in practice. Take them one by one.
| Change | What it means for your business |
|---|---|
| Mandatory DPO | Qualifying controllers and processors must appoint a Data Protection Officer and register their details with the Commissioner. |
| 72-hour breach notification | Notify the Commissioner within 72 hours of becoming aware of a data breach; notify affected individuals if there is a risk of significant harm. |
| Higher penalties | Maximum fine for breaching the data protection principles raised from RM300,000 to RM1,000,000; jail from 2 to 3 years. |
| New cross-border transfer rules | The old "whitelist" is gone; transfers abroad now need an adequacy/comparable-protection basis and a Transfer Impact Assessment. |
| Data processors directly liable | Vendors handling your data must themselves comply with the Security Principle. |
| Biometric data + data portability | Biometric data is now "sensitive personal data"; a new right to data portability is introduced. |
The mandatory Data Protection Officer (DPO)
This is the change most companies underestimate. Under the Guideline on the Appointment of Data Protection Officers (issued 25 February 2025, effective 1 June 2025), you must appoint at least one DPO if your organisation, as a data controller or processor, meets any of these triggers:
- you process the personal data of more than 20,000 data subjects; or
- you process sensitive personal data (including financial information) of more than 10,000 data subjects; or
- your processing activities require regular and systematic monitoring of personal data (for example, behavioural tracking or large-scale profiling).
The DPO does not have to be a new full-time hire — the role can be assigned to a suitable existing employee or outsourced — but the person must meet real requirements:
| DPO requirement | Detail |
|---|---|
| Residency / reachability | Resident in Malaysia (physically present ≥180 days in a calendar year) or easily contactable in Malaysia. |
| Language | Proficient in both Bahasa Melayu and English. |
| Registration | Register the DPO and submit their business contact details within 21 days of appointment, via the Personal Data Protection System. |
| Accessibility | The DPO's business contact must be published so data subjects and the Commissioner can reach them. |

72-hour breach notification
Malaysia now has a mandatory data breach notification regime, closely modelled on GDPR. When a data controller becomes aware of a personal data breach that has, or is likely to cause, harm:
- Notify the Commissioner within 72 hours of becoming aware of the breach, through the Personal Data Protection System. If you cannot report within 72 hours, you must give reasons for the delay.
- Notify affected data subjects without unnecessary delay (the guideline points to notifying affected individuals promptly, generally within 7 days) where the breach is likely to cause significant harm — for example financial loss, identity theft, or exposure of sensitive data.
- Keep a record of the breach, your assessment, and the remedial steps taken.
The practical implication is that you need an incident response plan ready before a breach happens. A 72-hour clock is not something you can improvise: you need to know who assesses the breach, who decides on notification, who drafts it, and how you reach affected individuals — all pre-agreed.
Cross-border data transfer: the whitelist is gone
Previously, personal data could only be transferred outside Malaysia to countries on an official "whitelist" (which was never really finalised). The 2024 Amendment removes that mechanism and replaces it with a risk-based framework, supported by Cross-Border Transfer Guidelines issued in 2025. You may transfer personal data abroad where:
- the destination has laws substantially similar to the PDPA, or ensures an adequate level of protection; or
- a permitted exception applies (e.g. the data subject's consent, necessity for a contract, etc.).
Before transferring, the controller should conduct a Transfer Impact Assessment (TIA) — documenting the destination's legal framework and the safeguards in place. For a China-headquartered group routinely sending Malaysian customer or employee data back to servers in China, this is a direct and important obligation: the transfer is not automatically illegal, but it must be assessed, justified and documented.

Penalties — and why enforcement is now credible
The maximum fine for breaching the data protection principles rose from RM300,000 to RM1,000,000, and maximum imprisonment from two years to three years. Failure to comply with the mandatory breach-notification or DPO-appointment obligations carries its own penalties, up to fines, imprisonment or both. Just as importantly, the amendment signals a shift from a largely paper regime to one the Commissioner intends to enforce — backed by the new notification data flowing in and a properly resourced authority. The reputational cost of a publicised breach, for a foreign brand trying to build trust in a new market, often exceeds the statutory fine.
A practical compliance checklist
For a foreign company operating in Malaysia, getting to a defensible position means working through, in order:
- Map your data. What personal data do you hold (employees, customers, leads), where does it live, and who processes it? Count your data subjects against the DPO thresholds.
- Appoint and register a DPO if you cross a threshold — resident, bilingual, registered within 21 days.
- Publish a compliant privacy notice in Bahasa Melayu and English, covering notice, choice, purposes and rights.
- Put an incident-response plan in place so the 72-hour clock is workable.
- Review vendor contracts. Ensure data-processing terms bind your processors to the Security Principle.
- Assess cross-border flows. Run a Transfer Impact Assessment for any data leaving Malaysia, especially to a parent company abroad.
- Document everything. Under the new regime, being able to show your assessments and decisions is much of the compliance.
How ONE KEY can help
PDPA compliance sits at the intersection of legal, HR and IT — which is exactly where a foreign company's small local team is stretched thinnest. We help you run the data-mapping exercise, determine whether you cross the DPO and breach-notification thresholds, source or serve as a compliant Malaysian DPO, draft bilingual privacy notices and vendor clauses, and document your cross-border transfer assessments. If you are also setting up payroll and HR, this dovetails with our employer payroll guide — because employee data is usually the first sensitive data set a new company holds.
To review your PDPA position or arrange a DPO, reach us on our contact page, or explore our legal consultation and contract drafting services.
Frequently asked questions
When did Malaysia's PDPA Amendment 2024 take effect?
The Personal Data Protection (Amendment) Act 2024 was brought into force in stages during 2025. The headline obligations — mandatory Data Protection Officer appointment and mandatory 72-hour data breach notification — took effect on 1 June 2025, supported by guidelines issued on 25 February 2025. Other changes, including the rename of 'data user' to 'data controller', direct obligations on data processors, and the new cross-border transfer framework, also form part of the amendment.
Does my company need to appoint a Data Protection Officer?
You must appoint at least one DPO if your organisation processes the personal data of more than 20,000 data subjects, or sensitive personal data (including financial information) of more than 10,000 data subjects, or if your processing involves regular and systematic monitoring. The DPO must be resident in Malaysia (or easily contactable there) and proficient in both Bahasa Melayu and English, and must be registered with their business contact details within 21 days of appointment. An overseas group privacy officer alone does not satisfy the Malaysian requirement.
What are the penalties under the amended PDPA?
The maximum fine for breaching the seven data protection principles has been raised from RM300,000 to RM1,000,000, and maximum imprisonment from two to three years. Failing to comply with the mandatory breach-notification or DPO-appointment obligations carries its own penalties of fines, imprisonment or both. Beyond the statutory fine, a publicised breach carries a real reputational cost for a foreign brand building trust in a new market.
Can I still transfer Malaysian personal data to servers in China?
Yes, but it is no longer automatic. The old 'whitelist' has been removed. You may transfer personal data abroad where the destination has substantially similar laws or ensures an adequate level of protection, or where a permitted exception (such as consent) applies. Before transferring, you should conduct and document a Transfer Impact Assessment (TIA) evaluating the destination's legal framework and safeguards. For a China-headquartered group routinely sending data home, the transfer is not illegal, but it must be assessed, justified and recorded.
Sources & references
This article is general information only, not legal, tax or immigration advice. Policies, thresholds and official fees are set by the relevant Malaysian authorities and may change. Talk to our consultants about your specific situation.