The Personal Data Protection (Amendment) Act 2024:
What Malaysian Corporates Need to Know (Part 1 of 3 series)

Author: Yuki Chong Mei Yoke (Partner)
Reading time: 5 minutes
ARC News • 26 September, 2025
The Personal Data Protection (Amendment) Act 2024 (“Amendment Act”) marks the most significant overhaul of Malaysia’s data protection framework since the PDPA came into force in 2013. With higher penalties, new obligations, and tighter rules on data governance, corporates in Malaysia must act now to strengthen compliance and avoid costly sanctions.
Key Changes That Affect Corporates
- Higher Penalties Across the Board
  - The maximum fine for breaching any Personal Data Protection (“PDP”) Principle has been increased from RM300,000 to RM1 million, with potential imprisonment of up to three years, or both.
  - This applies not just to “data controllers” (formerly “data users”), but also to data processors for breaches of the Security Principle.
  Example: A retail chain that fails to safeguard customer databases from hacking could face RM1 million in fines, even if the breach is due to negligence by its outsourced IT vendor.
- Mandatory Appointment of Data Protection Officers (DPOs)
  - All data controllers and data processors must appoint one or more DPOs accountable for PDPA compliance.
  - The appointment must be notified to the Commissioner in the prescribed form.
  Impact: Corporates will need to ensure the DPO has sufficient authority, resources, and independence to oversee compliance. For SMEs, this may mean reassigning an existing compliance or legal staff member, but larger organisations should consider a dedicated role.
- Mandatory Data Breach Notification
  - Corporates must notify the Commissioner as soon as practicable when a personal data breach occurs.
  - Data subjects must also be notified without unnecessary delay if the breach causes, or is likely to cause, significant harm.
  - Failure to notify can lead to fines of up to RM250,000 or imprisonment of up to two years.
  Example: If a bank’s customer portal is compromised, it must promptly alert both the Commissioner and affected customers, rather than waiting to complete internal investigations.
- Data Portability Rights
  - Data subjects can request the transfer of their personal data from one data controller to another, subject to technical feasibility.
  Impact: Service-based industries like telecommunications and financial services will need systems capable of securely transmitting data between providers within the prescribed period.
- Tighter Cross-Border Data Transfer Rules
  - The “whitelisting” system is removed. Transfers are now only permitted to countries with laws substantially similar to the PDPA or which ensure an equivalent level of protection.
  Example: A Malaysian e-commerce company using overseas cloud storage must verify that the hosting jurisdiction’s data protection laws meet the PDPA’s adequacy standard.
- Expanded Definition of Sensitive Personal Data
  - Now includes biometric data such as facial recognition and fingerprint data, alongside health, political, and religious data.
  Impact: Corporates using biometric access systems or facial recognition marketing tools will require explicit consent and stronger safeguards.
Key Takeaway
The Amendment Act demands not just policy updates, but cultural change – compliance must now be part of daily operations.
This is the first part of our three-part series on the PDPA Amendment Act 2024. In Part 2, we look at the real-world consequences of non-compliance, from million-ringgit fines to reputational damage. Read it here: PDPA: Part 2.
Disclaimer: Every attempt has been made to ensure the accuracy and reliability of the information provided in this publication. This publication does not constitute legal advice and is not intended to be used as a substitute for specific legal advice or opinions. Please contact the authors for specific technical or legal advice on the information provided and related topics.