20 FAQs On Malaysia’s PDPA 2010 (+2024 Amendments)

📢 DISCLAIMER
MISHU is not a law firm, and the information provided in this article does not constitute legal advice. It is intended for general informational purposes only.

Malaysia’s Personal Data Protection Act 2010 (PDPA) governs, among other things, how businesses in Malaysia handle user personal data.

Of course, we know first hand that data protection isn’t exactly a priority for SMEs!

[Image: a drawer full of unknown keys, illustrating the lax attitude of Malaysian SMEs towards PDPA 2010 compliance]
Caption: When the new guy asks for the company passwords…

The PDPA was recently amended with key changes to enforcement, and in our experience, fear of penalties unites businesses of all sizes.

Below, we answer 20 questions on how businesses in Malaysia should collect, use, process, store, and share personal data in commercial transactions – starting with the penalties!

Let’s begin.

1. What are the increased PDPA penalties?

Under the PDPA, penalties vary by offence but can be as high as: 

  • a fine of up to RM1,000,000, or 
  • imprisonment for up to 3 years, or
  • both

If that’s sufficiently severe to get your attention, read the FAQ til the end!

2. Who does the PDPA apply to? 

The PDPA applies to: 

  • any person or commercial organisation established in Malaysia, and 
  • any foreign organisation that uses equipment in Malaysia to process personal data

Basically, if you run a business in Malaysia and collect customer information for record-keeping, marketing, or any other business function, the PDPA applies to you!

3. What is ‘personal data’ under the PDPA? 

Any information that identifies or can identify an individual, directly or indirectly, including:  

  • names  
  • IC numbers 
  • phone numbers 
  • email addresses, and  
  • physical addresses

There is also a sub-category of personal data known as ‘sensitive personal data’, which carries a higher protection requirement.

4. What is ‘sensitive’ personal data under the PDPA? 

Sensitive personal data is a special category of personal data that requires extra care because of its sensitive nature, and includes: 

  • physical or mental health records 
  • religious beliefs 
  • political opinions 
  • criminal records, and 
  • biometric data 

5. Am I allowed to collect customer personal data? 

Yes, but only after informing them and obtaining their consent; for sensitive personal data, the consent must be explicit (i.e. clearly expressed and documented). 

6. How can I obtain consent to collect personal data? 

There are many possible ways, all of which can be valid if the following criteria are met: 

  1. Consent is freely given, not forced or obtained through pressure.
  2. The customer knows what data is being collected, why, and how it will be used.
  3. There is a record of how and when consent was obtained.

Here are some examples that meet the above requirements: 

  • a signed form
  • a manually ticked checkbox  
  • an email or message, and even
  • a reply to a clear request

7. Can I share personal data with third parties? 

Yes, but make sure you have: 

  • obtained written consent from your customers 
  • ensured third parties follow data protection standards 
  • used a contract or service agreement that includes relevant PDPA-compliant clauses

8. Can I transfer personal data overseas? 

Cross-border transfers are allowed under the PDPA, provided:  

  • the receiving country has data protection laws similar to the PDPA, or 
  • the individual has given consent, or 
  • the transfer is necessary for contractual or legal purposes

9. How long can I keep personal data? 

Under the Retention Principle (one of seven PDPA principles we touch on below), personal data should only be kept for as long as necessary to fulfil the original purpose for which it was collected.  

Once it’s no longer needed, you should delete or anonymise it securely. 

10. How can my business comply with the PDPA?

Seven PDPA principles set the standard for how personal data should be handled responsibly: 

  1. General – Only collect personal data when necessary and with consent. 
  2. Notice and Choice – Inform people what personal data you collect and why. 
  3. Disclosure – Don’t share personal data without consent. 
  4. Security – Protect personal data from loss, misuse, or unauthorised access. 
  5. Retention – Don’t keep personal data longer than needed. 
  6. Data Integrity – Make sure the personal data you hold is accurate, complete, and up to date. 
  7. Access – Give individuals the right to access and correct their personal data. 

Comply with the seven principles and your organisation is already ahead of most SMEs.

One of the best first steps is to publish a clear privacy notice!

11. What must a privacy notice include? 

Your privacy notice is how you show transparency and should clearly explain: 

  • what personal data you collect 
  • why you collect it (purpose) 
  • where the personal data comes from 
  • who it may be shared with 
  • whether it’s mandatory or voluntary 
  • how people can access or correct their personal data 
  • what choices they have (e.g. opt-outs) 

The privacy notice should be provided in both Bahasa Malaysia and English, and for reference, the PDP Department has a sample privacy notice template. 

12. Where should a privacy notice be displayed? 

Your privacy notice should be clearly displayed at the point where personal data is collected.

For example: your website, registration forms, premises, and any customer touchpoints that involve collecting personal data. 

13. How can I make sure my team understands PDPA compliance? 

To embed PDPA compliance in your organisation, consider these: 

  • a clear privacy notice
  • internal training and awareness programmes 
  • documented processes for access / correction requests 

Start small and scale based on your size and risk exposure. 

14. What rights do customers have? 

Under the PDPA, your customers (referred to as data subjects) have a right to: 

  1. Access: Request a copy of their personal data held by you. 
  2. Correct: Ask for their personal data to be corrected if it’s inaccurate or outdated. 
  3. Withdraw Consent: Revoke consent previously given, at any time. 
  4. Object to Processing: Object to their personal data being processed for a purpose they do not agree with. 
  5. Data portability: Request their personal data to be transferred. 

15. How can I let customers access their data? 

To meet this obligation, you can: 

  • provide a simple way for individuals to request access to their data, such as an online form 
  • establish a process for verifying identity before releasing personal data 
  • enable individuals to submit personal data correction requests 
  • ensure requests are handled promptly, typically within 21 days, as required under the PDPA 

16. What’s expected under the Security Principle? 

Organisations must take practical and reasonable steps to protect personal data from: 

  • loss or destruction 
  • misuse or unauthorised access 
  • modification or destruction  

Common steps may include: 

  Technical Measures
  – Strong passwords 
  – Two-factor authentication (2FA) 
  – Data encryption
  – Secure cloud infrastructure with firewalls 

  Organisational Measures
  – Role-based access control 
  – Regular audits and access reviews 

  Physical Measures
  – Restricted physical access to servers or sensitive files 
  – Secure disposal of physical records 

17. How do I ensure data integrity? 

To comply with the Data Integrity Principle, ensure that personal data is: 

  1. Accurate – Regularly verify that the personal data is correct (e.g. contact info, payment details). 
  2. Complete – Avoid using incomplete records that may misrepresent someone. 
  3. Not misleading – Personal data should not be ambiguous, deceptive or the result of an oversight. 
  4. Up to Date – Update personal data when notified of changes (e.g. change of address or employment status). 

18. Is there a breach notification requirement under the PDPA? 

Yes. Your organisation must report a breach that causes, or is likely to cause, significant harm. You should: 

  • have an internal incident response plan 
  • assess and document breaches immediately 
  • use the prescribed DBN form to notify 

19. What is a Data Protection Officer?

A Data Protection Officer (DPO) is a company employee responsible for ensuring the organisation’s full compliance with the Personal Data Protection Act (PDPA).

As of 2025, appointing one is a legal requirement for many businesses in Malaysia.

20. Do I need to appoint a Data Protection Officer? 

Yes, but only if your organisation: 

  • processes personal data of more than 20,000 individuals 
  • processes sensitive personal data of more than 10,000 individuals, or 
  • conducts regular and systematic monitoring of personal data (e.g., CCTV) 

If your organisation does not fall into any of these categories, appointing a DPO is not compulsory.

Let MISHU help with your PDPA compliance needs

MISHU is partnered with numerous service providers to help us deliver a comprehensive suite of business solutions to SMEs in Malaysia. Let us connect you with the right experts to meet your n
