← All insights Compliance

Malaysia's PDPA Amendment 2024: Data Protection Compliance for Foreign Companies (DPO, 72-Hour Breach Notification, Cross-Border Transfers)

·8 min read

Malaysia's data protection law was, for over a decade, one of the lightest-touch regimes in the region. That era is over. The Personal Data Protection (Amendment) Act 2024 — with its headline obligations in force from 1 June 2025 — brings Malaysia much closer to the EU's GDPR: a mandatory Data Protection Officer, mandatory 72-hour breach notification, tougher penalties, a new cross-border transfer regime, and direct liability for data processors. For a foreign company operating in Malaysia — running HR systems, e-commerce, a CRM, or a customer database — this is now a live compliance obligation, not a background formality. This guide explains what changed, who must comply, and the concrete steps to get compliant.

The law and who it applies to

The Personal Data Protection Act 2010 (PDPA) governs the processing of personal data in commercial transactions in Malaysia, administered by the Personal Data Protection Commissioner under the Ministry of Digital. It applies to any organisation that processes personal data in Malaysia — regardless of where the company is headquartered — so a foreign-owned Sdn. Bhd., a branch, or even an overseas company using equipment in Malaysia to process data can fall within scope.

The 2024 Amendment does not replace the PDPA; it upgrades it. The most important structural change is terminology with teeth: the old term "data user" becomes "data controller", and — critically — "data processors" (the vendors and service providers who handle data on your behalf) are now placed under direct legal obligations, especially the Security Principle. Previously only the data user was liable; now your outsourced payroll bureau or cloud vendor carries its own statutory duty.

Digital padlock symbol representing data security and privacy protection
The 2024 Amendment moves Malaysia from a light-touch regime toward GDPR-style obligations — with real penalties attached.

The seven principles you are still built on

Underneath the new obligations, the PDPA still rests on seven data protection principles. Every compliance programme should map back to these:

What the 2024 Amendment actually changed

Six changes matter most in practice. Take them one by one.

ChangeWhat it means for your business
Mandatory DPOQualifying controllers and processors must appoint a Data Protection Officer and register their details with the Commissioner.
72-hour breach notificationNotify the Commissioner within 72 hours of becoming aware of a data breach; notify affected individuals if there is a risk of significant harm.
Higher penaltiesMaximum fine for breaching the data protection principles raised from RM300,000 to RM1,000,000; jail from 2 to 3 years.
New cross-border transfer rulesThe old "whitelist" is gone; transfers abroad now need an adequacy/comparable-protection basis and a Transfer Impact Assessment.
Data processors directly liableVendors handling your data must themselves comply with the Security Principle.
Biometric data + data portabilityBiometric data is now "sensitive personal data"; a new right to data portability is introduced.

The mandatory Data Protection Officer (DPO)

This is the change most companies underestimate. Under the Guideline on the Appointment of Data Protection Officers (issued 25 February 2025, effective 1 June 2025), you must appoint at least one DPO if your organisation, as a data controller or processor, meets any of these triggers:

The DPO does not have to be a new full-time hire — the role can be assigned to a suitable existing employee or outsourced — but the person must meet real requirements:

DPO requirementDetail
Residency / reachabilityResident in Malaysia (physically present ≥180 days in a calendar year) or easily contactable in Malaysia.
LanguageProficient in both Bahasa Melayu and English.
RegistrationRegister the DPO and submit their business contact details within 21 days of appointment, via the Personal Data Protection System.
AccessibilityThe DPO's business contact must be published so data subjects and the Commissioner can reach them.
Why this bites foreign companies specifically. A DPO who must be resident in Malaysia and fluent in Bahasa Melayu is a real constraint for a company run from China or overseas with a small local team. Appointing an overseas group privacy officer does not satisfy the Malaysian requirement. This is a common gap we see — the group thinks it is "covered" globally, but has no compliant DPO on the ground in Malaysia.
HR and administration team working with employee records in an office
Even a modest employer processes sensitive HR, payroll and identity data — often enough to cross the DPO and breach-notification thresholds.

72-hour breach notification

Malaysia now has a mandatory data breach notification regime, closely modelled on GDPR. When a data controller becomes aware of a personal data breach that has, or is likely to cause, harm:

  1. Notify the Commissioner within 72 hours of becoming aware of the breach, through the Personal Data Protection System. If you cannot report within 72 hours, you must give reasons for the delay.
  2. Notify affected data subjects without unnecessary delay (the guideline points to notifying affected individuals promptly, generally within 7 days) where the breach is likely to cause significant harm — for example financial loss, identity theft, or exposure of sensitive data.
  3. Keep a record of the breach, your assessment, and the remedial steps taken.

The practical implication is that you need an incident response plan ready before a breach happens. A 72-hour clock is not something you can improvise: you need to know who assesses the breach, who decides on notification, who drafts it, and how you reach affected individuals — all pre-agreed.

Cross-border data transfer: the whitelist is gone

Previously, personal data could only be transferred outside Malaysia to countries on an official "whitelist" (which was never really finalised). The 2024 Amendment removes that mechanism and replaces it with a risk-based framework, supported by Cross-Border Transfer Guidelines issued in 2025. You may transfer personal data abroad where:

Before transferring, the controller should conduct a Transfer Impact Assessment (TIA) — documenting the destination's legal framework and the safeguards in place. For a China-headquartered group routinely sending Malaysian customer or employee data back to servers in China, this is a direct and important obligation: the transfer is not automatically illegal, but it must be assessed, justified and documented.

Rows of servers in a data centre representing cross-border data storage
Sending Malaysian personal data to overseas servers now requires an adequacy basis and a documented Transfer Impact Assessment — the old whitelist is gone.

Penalties — and why enforcement is now credible

The maximum fine for breaching the data protection principles rose from RM300,000 to RM1,000,000, and maximum imprisonment from two years to three years. Failure to comply with the mandatory breach-notification or DPO-appointment obligations carries its own penalties, up to fines, imprisonment or both. Just as importantly, the amendment signals a shift from a largely paper regime to one the Commissioner intends to enforce — backed by the new notification data flowing in and a properly resourced authority. The reputational cost of a publicised breach, for a foreign brand trying to build trust in a new market, often exceeds the statutory fine.

A practical compliance checklist

For a foreign company operating in Malaysia, getting to a defensible position means working through, in order:

  1. Map your data. What personal data do you hold (employees, customers, leads), where does it live, and who processes it? Count your data subjects against the DPO thresholds.
  2. Appoint and register a DPO if you cross a threshold — resident, bilingual, registered within 21 days.
  3. Publish a compliant privacy notice in Bahasa Melayu and English, covering notice, choice, purposes and rights.
  4. Put an incident-response plan in place so the 72-hour clock is workable.
  5. Review vendor contracts. Ensure data-processing terms bind your processors to the Security Principle.
  6. Assess cross-border flows. Run a Transfer Impact Assessment for any data leaving Malaysia, especially to a parent company abroad.
  7. Document everything. Under the new regime, being able to show your assessments and decisions is much of the compliance.
Start with the data map. Almost every mistake we see — an unappointed DPO, an unassessed transfer to China, a missing privacy notice — traces back to a company that never sat down to list what personal data it actually holds. The data map is an afternoon's work and it tells you exactly which of these obligations apply to you.

How ONE KEY can help

PDPA compliance sits at the intersection of legal, HR and IT — which is exactly where a foreign company's small local team is stretched thinnest. We help you run the data-mapping exercise, determine whether you cross the DPO and breach-notification thresholds, source or serve as a compliant Malaysian DPO, draft bilingual privacy notices and vendor clauses, and document your cross-border transfer assessments. If you are also setting up payroll and HR, this dovetails with our employer payroll guide — because employee data is usually the first sensitive data set a new company holds.

To review your PDPA position or arrange a DPO, reach us on our contact page, or explore our legal consultation and contract drafting services.

Frequently asked questions

When did Malaysia's PDPA Amendment 2024 take effect?

The Personal Data Protection (Amendment) Act 2024 was brought into force in stages during 2025. The headline obligations — mandatory Data Protection Officer appointment and mandatory 72-hour data breach notification — took effect on 1 June 2025, supported by guidelines issued on 25 February 2025. Other changes, including the rename of 'data user' to 'data controller', direct obligations on data processors, and the new cross-border transfer framework, also form part of the amendment.

Does my company need to appoint a Data Protection Officer?

You must appoint at least one DPO if your organisation processes the personal data of more than 20,000 data subjects, or sensitive personal data (including financial information) of more than 10,000 data subjects, or if your processing involves regular and systematic monitoring. The DPO must be resident in Malaysia (or easily contactable there) and proficient in both Bahasa Melayu and English, and must be registered with their business contact details within 21 days of appointment. An overseas group privacy officer alone does not satisfy the Malaysian requirement.

What are the penalties under the amended PDPA?

The maximum fine for breaching the seven data protection principles has been raised from RM300,000 to RM1,000,000, and maximum imprisonment from two to three years. Failing to comply with the mandatory breach-notification or DPO-appointment obligations carries its own penalties of fines, imprisonment or both. Beyond the statutory fine, a publicised breach carries a real reputational cost for a foreign brand building trust in a new market.

Can I still transfer Malaysian personal data to servers in China?

Yes, but it is no longer automatic. The old 'whitelist' has been removed. You may transfer personal data abroad where the destination has substantially similar laws or ensures an adequate level of protection, or where a permitted exception (such as consent) applies. Before transferring, you should conduct and document a Transfer Impact Assessment (TIA) evaluating the destination's legal framework and safeguards. For a China-headquartered group routinely sending data home, the transfer is not illegal, but it must be assessed, justified and recorded.

This article is general information only, not legal, tax or immigration advice. Policies, thresholds and official fees are set by the relevant Malaysian authorities and may change. Talk to our consultants about your specific situation.

How ONEKEY BIZ can help

Need help navigating this in Malaysia?

Our Mandarin- and English-speaking consultants handle the whole process — fixed quotes, zero hidden fees.