What Organisations Say After Working With Us

A growing e-commerce business with over 200,000 registered customers had never conducted a formal PDPA compliance review. Privacy notices on the website were copied from a template, consent mechanisms were ambiguous, and the marketing email list had been built without clear records of consent basis. A complaint from a former customer prompted the review.

Data flow mapping identified fourteen categories of personal data across customer onboarding, order fulfilment, third-party logistics, and marketing. Gaps in consent records and notice adequacy were prioritised. New Privacy Notice, Cookie Policy, and marketing consent mechanism were drafted. Data processor agreements with the logistics partner and payment gateway were reviewed and updated. Compliance roadmap issued in four priority tiers.

The complaint was resolved without escalation to JPDP. Updated notices and consent flows were implemented within six weeks. A follow-up review three months later confirmed three of four priority tiers addressed. The business subsequently engaged on a DPO retainer basis for ongoing advisory support.

A private hospital group discovered that a misconfigured patient portal had exposed appointment records and limited health information for approximately 3,400 patients over a two-month period. The exposure was identified by an external security researcher. The group had no breach response procedure and was uncertain about its notification obligations under the recently amended PDPA.

Melur Chambers was engaged within 24 hours of internal discovery. Containment guidance was provided while the IT team worked with the researcher. Scope assessment determined the mandatory notification threshold was met. JPDP notification was prepared and filed within the statutory window. Affected patient communications were drafted in Bahasa Malaysia and English. Regulator follow-up queries were managed over the subsequent four weeks.

JPDP notification filed on time. No formal enforcement action was taken. Patient communications were sent within the timeframe recommended by the regulator. The group subsequently implemented a written breach response procedure and conducted a PDPA compliance review across the group.

An online education provider processing data for approximately 45,000 registered learners was preparing to introduce an AI-assisted progress tracking and personalisation feature. The DPO had concerns about consent requirements for the new processing, the data minimisation approach, and whether an impact assessment was required. Existing internal resources were insufficient to assess the PDPA position confidently.

A DPO retainer was established. The AI feature DPIA was conducted over three months, involving review of the technical specification, consent flow design, data minimisation assessment, and third-party processor agreement review for the AI vendor. The retainer also addressed pending data subject requests and provided advice on learner data retention schedules. Processing records were updated to reflect the new processing activity.

The AI feature launched with an appropriately updated consent flow and documented DPIA. Three changes to the technical specification were recommended and implemented before launch. The retainer continues with monthly calls addressing ongoing matters across the organisation's data processing activities.