Data Protection Counsel
That Speaks Plainly

The Personal Data Protection Act 2010 applies to any person who processes personal data in the course of commercial transactions — broadly interpreted. If your organisation collects names, contact details, identification numbers, financial data, or health information from customers, employees, or any natural persons in Malaysia, the Act is likely engaged. Government bodies are excluded from most provisions. A quick review of your data flows will clarify the picture.

The 2024 amendments introduced, among other changes, mandatory data breach notification to the Department of Personal Data Protection (JPDP) within prescribed timeframes, an expanded definition of sensitive personal data, updated consent and processing principles, and strengthened enforcement provisions including higher penalties. Organisations that aligned with the 2010 Act but have not revisited their practices since 2023 will likely have gaps to address.

A typical review begins with a data flow mapping exercise — understanding what personal data enters your organisation, how it is processed, stored, shared, and eventually disposed of. We then review your existing privacy notices, consent mechanisms, internal policies, and any data processor or sharing agreements in place. The output is a prioritised compliance roadmap, updated or new Personal Data Notices in Bahasa Malaysia and English, and where relevant, revised consent forms and retention schedules.

Document what you know and when you learned it. Preserve logs and any evidence of the incident. Avoid making public statements or notifying affected individuals before understanding the scope and your legal obligations — early, uncoordinated communication can complicate matters. Contact us as soon as you are able; early involvement allows us to help assess notification triggers and coordinate with IT and forensic teams while the situation is still being assessed.

Our retainer is structured around what DPOs and compliance teams actually encounter on a recurring basis: a monthly check-in call, review and drafting support for data subject access and erasure request responses, advice on specific processing use cases as they arise (including analytics, marketing consent, and AI-assisted tools), assistance with Data Protection Impact Assessments on new projects, and drafting of internal processing records. The scope can be adjusted at renewal based on what has actually been useful.

Yes. Where a foreign company processes personal data of individuals in Malaysia in the course of commercial transactions, the PDPA may apply. We work with regional headquarters and compliance teams to understand the applicable obligations and to prepare documentation that satisfies Malaysian legal requirements, including notices and agreements that may need to align with the PDPA alongside other regional frameworks.