Data Protection Practice
Grounded in Malaysian Law
Melur Chambers was established to serve organisations navigating the Personal Data Protection Act 2010 and its evolving amendments — with counsel that is straightforward and specific to your situation.
Founded on a Quiet Conviction
Melur Chambers was set up to address what we kept observing in our earlier practice: that Malaysian organisations facing PDPA obligations were receiving one of two things — either an extensive audit report that no one had capacity to act on, or generic off-the-shelf policy templates with no meaningful review of whether they reflected how the organisation actually operated.
Neither served clients well. The Personal Data Protection Act 2010, and particularly the 2024 amendments, demands more than documentation. It requires organisations to understand their data flows, to make considered decisions about how they process personal information, and to have records that reflect those decisions honestly.
Our founding approach was to keep engagements scoped tightly, write outputs that practitioners could actually use, and stay available when questions arose in the course of implementation. That approach has not changed. What has grown is our familiarity with how different industries — financial services, healthcare, education, e-commerce — encounter the PDPA in practice, and how the Department of Personal Data Protection (JPDP) has approached enforcement and regulatory guidance.
We are based at Glomac Damansara in Kuala Lumpur and serve clients across Peninsular Malaysia. Our engagements are conducted in English and Bahasa Malaysia, and our documentation output covers both languages where required by law.
To make PDPA compliance accessible and meaningful for organisations of all sizes — delivered through advice that is specific, readable, and implemented.
- PDPA Compliance Reviews
- Privacy Notice Drafting
- DPO Standing Advisory
- Breach Response & JPDP Engagement
- Data Processor Agreements
- Financial Services & Fintech
- Healthcare & Clinics
- E-Commerce & Retail
- Education & EdTech
- Professional Services
The People Behind the Practice
Sharifah Ruzaini
Founding Partner
Sharifah leads our compliance review and advisory practice. She has advised financial institutions, healthcare providers, and e-commerce operators on PDPA obligations since the Act's commencement, and has guided several organisations through JPDP registration and inquiry processes.
Ahmad Khairul
Senior Associate
Ahmad leads our breach response practice and standing advisory work for DPOs. His background in information technology and law allows him to engage directly with IT teams during breach assessments and translate technical findings into legal and regulatory context.
Nurul Farhana
Associate
Nurul focuses on policy and documentation work, including data processor agreements, internal processing records, and bilingual Personal Data Notices. She manages client documentation workflows and supports the team on regulatory submissions to JPDP.
How We Work
Principles that govern every engagement, from initial discussion through to final documentation delivery.
Scope Discipline
Each engagement is defined clearly at the outset. We do not expand scope without client instruction, and we do not pad deliverables to justify fees.
Client Confidentiality
All information shared with us is treated as strictly confidential. Our own data handling practices align with the obligations we advise clients to meet.
Documented Advice
Verbal discussions are followed by written records. Clients leave each engagement with outputs they can act on and retain for their compliance records.
Regulatory Currency
We track JPDP guidance, legislative amendments, and regional developments in privacy law to ensure advice reflects the current legal landscape.
Transparent Billing
Fee structures are agreed before work begins. Retainer scope and out-of-scope work are defined in writing so there are no billing surprises at the end of a matter.
Bilingual Capacity
Personal Data Notices and key compliance documents are prepared in both Bahasa Malaysia and English, as required under the PDPA. We do not treat the Bahasa Malaysia version as an afterthought.
Data Protection as a Genuine Obligation
Malaysian organisations processing personal data carry a legal and ethical responsibility to the individuals whose information they hold. The Personal Data Protection Act 2010 formalises that responsibility — defining how data must be collected, used, disclosed, stored, and eventually destroyed. The 2024 amendments have strengthened those requirements considerably, particularly around breach notification timelines and the accountability principle.
Our view is that compliance is most sustainable when it is understood by the people responsible for it, not just documented for an external audit. That is why our compliance reviews produce roadmaps, not just checklists. It is why our advisory retainers are built around regular conversation, not just on-demand responses. And it is why our breach response work begins with clear thinking about what has actually happened, before moving to what must be communicated.
Organisations that handle data well — that have clear notices, sound consent mechanisms, and documented processing records — are better placed when the JPDP reviews their practices, when a data subject exercises their rights, or when a security incident occurs. That is the value of considered compliance work, and it is what we set out to support.
Ready to Start a Conversation?
We are glad to discuss your organisation's data protection situation and whether our services would be a good fit — without any pressure or obligation.