Malaysia’s New Data Protection Guidelines: What Businesses Need to Know

In a major step forward for data governance, Malaysia will begin enforcing the First Tranche of Data Protection Guidelines on 1 June 2025, pursuant to the Personal Data Protection (Amendment) Act 2024.

These new guidelines introduce two critical obligations for organisations operating in Malaysia: the mandatory appointment of a Data Protection Officer (DPO) and mandatory notification of certain data breaches. The measures signal a stronger regulatory framework to promote accountability, enhance public trust, and bring Malaysia’s data protection standards closer in line with international best practices.

Appointment of a Data Protection Officer (DPO)

i. Who must appoint a DPO?

Organisations will be required to appoint a DPO if they meet any of the following thresholds:

  • Process personal data of 20,000 or more individuals;
  • Handle sensitive personal data (such as health or financial information) of 10,000 or more individuals; or
  • Engage in regular and systematic monitoring of individuals, which includes activities such as:
      1. Closed-circuit television (CCTV) surveillance
      2. Use of wearable devices and health applications
      3. Online tracking and behavioural monitoring

ii. DPO responsibilities

The appointed DPO will serve as the main point of contact on all matters related to PDPA compliance. Key responsibilities include:

  • Advising the organisation on its personal data obligations
  • Acting as the liaison with the Personal Data Protection Commissioner (PDPC) and affected individuals
  • Overseeing internal compliance audits and risk assessments
  • Coordinating prompt responses to data breaches, including ensuring timely notifications

Organisations may appoint an internal employee or engage an external service provider to serve as their DPO. However, the individual or service must be either based in Malaysia or readily accessible to the organisation.

Mandatory Data Breach Notification (DBN)

i. What is a notifiable data breach?

Under the new guidelines, a data breach must be reported to the PDPC if it results in, or is likely to result in, significant harm to individuals. Examples of notifiable data breaches include:

  • Physical or financial harm
  • Identity theft or fraud
  • Unauthorised or illegal use of personal data
  • Loss of property
  • Exposure of sensitive personal data
  • Incidents involving 1,000 or more individuals

ii. Notification timeline

Organisations are required to comply with the following notification timelines:

  • Notify the PDPC within 72 hours of detecting a notifiable breach
  • Inform affected individuals within 7 days of notifying the PDPC

These timelines are designed to ensure timely intervention, reduce the impact of breaches, and maintain transparency with affected parties.

What organisations should do now

To prepare for the change, organisations should begin taking the following steps:

  • Assess current data processing activities to determine whether the thresholds for DPO appointment apply
  • Appoint a qualified DPO or engage an outsourced provider who meets local requirements
  • Develop or update internal procedures for detecting, assessing, and responding to data breaches
  • Train staff on new compliance responsibilities, including data handling and breach response protocols
  • Review privacy policies, contracts, and internal documentation to ensure alignment with the updated legal obligations

Moving towards a stronger data protection culture

The introduction of the DPO requirement and mandatory data breach notification marks a significant evolution in Malaysia’s data protection regime. These changes reflect a broader shift towards embedding privacy, transparency, and accountability into business operations.

Organisations that act early to comply with these guidelines will not only reduce their regulatory risk but also enhance stakeholder trust in an increasingly data-driven economy.

For more information and official guidance, visit the Personal Data Protection Department (JPDP) website or consult a PDPA compliance professional.
