
PDPA compliance for technology teams: a practical checklist

By Rozana Zulkifli · 10 December 2025 · 3 min read

Malaysia’s Personal Data Protection Act (PDPA) has been in force since 2013 — but enforcement has historically been light-touch. That’s changing. The amendments that took effect in 2024 introduced stricter requirements, mandatory breach notification, and significantly higher penalties.

If you’re a technology leader in Malaysia, here’s what you need to have in place.

Understanding your obligations

The PDPA applies to any organisation that processes personal data in the course of commercial transactions. “Personal data” includes any information that identifies, or could identify, a living individual — names, IC numbers, phone numbers, email addresses, location data, financial information, and more.

As a data controller, you are responsible for ensuring that personal data is:

  • Collected only for a specific, lawful purpose
  • Not excessive relative to that purpose
  • Accurate and kept up to date
  • Retained only as long as necessary
  • Protected against unauthorised access, disclosure, or loss
  • Not transferred outside Malaysia without adequate protections

The technology checklist

Data inventory and mapping

  • Maintain a complete inventory of all personal data held by the organisation
  • Document where data is collected, stored, processed, and transferred
  • Assign data owners for each category of personal data
  • Review and update the inventory at least annually

Access controls

  • Implement role-based access control (RBAC) — staff access only the data they need
  • Enforce multi-factor authentication (MFA) for all systems holding personal data
  • Log and monitor all access to personal data
  • Implement privileged access management for administrators
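The RBAC, MFA and access-logging items above can be enforced in one place at the data-access layer. The following is an added illustration, not code from this post or from the author's firm: the roles, field names and customer record are constructed, and the log is an in-memory list standing in for an append-only audit log. It shows field-level least privilege (each role sees only the attributes its job needs), deny-by-default for unknown roles and unverified MFA, and a log entry for every attempt, including refused ones.

```python
from datetime import datetime, timezone

# Constructed role policy: each role is granted only the fields its job needs.
# Anything not listed is refused by default.
ROLE_FIELDS = {
    "support_agent": {"customer_id", "name", "phone"},
    "finance": {"customer_id", "name", "ic_number", "account_balance"},
    "auditor": {"customer_id"},
}

# Constructed customer record; all values are made up.
RECORD = {
    "customer_id": "C-1001",
    "name": "Aiman",
    "ic_number": "900101-14-5678",
    "phone": "012-345 6789",
    "account_balance": 1200.50,
}

# In production this would be an append-only log shipped to the SIEM;
# here it is a plain list so the example runs stand-alone.
ACCESS_LOG = []


def _log(user, role, subject_id, fields, outcome):
    """Record who touched which data subject's fields, and whether it was allowed."""
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "subject": subject_id,
        "fields": list(fields),
        "outcome": outcome,
    })


def read_customer(user, role, record, fields_requested, mfa_verified):
    """Return only the requested fields the role may see; log every attempt.

    Raises PermissionError when MFA has not been verified for this session
    or when the role is not in the policy (deny by default).
    """
    subject_id = record["customer_id"]
    if not mfa_verified:
        _log(user, role, subject_id, fields_requested, "denied:no_mfa")
        raise PermissionError("MFA is required for systems holding personal data")

    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        _log(user, role, subject_id, fields_requested, "denied:unknown_role")
        raise PermissionError(f"unknown role {role!r}")

    granted = [f for f in fields_requested if f in allowed]
    refused = [f for f in fields_requested if f not in allowed]
    outcome = "granted" if not refused else "partial:refused=" + ",".join(refused)
    _log(user, role, subject_id, granted, outcome)
    return {f: record[f] for f in granted if f in record}


if __name__ == "__main__":
    # A support agent asks for the IC number as well as the name: only the name comes back.
    print(read_customer("alice", "support_agent", RECORD, ["name", "ic_number"], mfa_verified=True))
    print(ACCESS_LOG[-1])
```

The refused fields are written to the log as well as the granted ones, because a pattern of users repeatedly requesting fields outside their role is exactly the kind of signal the "log and monitor all access" item is meant to surface.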

Encryption

  • Encrypt personal data at rest (AES-256 or equivalent)
  • Encrypt personal data in transit (TLS 1.2 minimum, prefer 1.3)
  • Manage encryption keys securely — ideally using a hardware security module (HSM) or managed key service

Third-party and vendor management

  • Maintain a register of all third parties that process personal data on your behalf
  • Ensure data processing agreements (DPAs) are in place with all processors
  • Review vendor security posture annually
  • Understand where vendor-processed data is hosted geographically

Breach response

  • Have a documented data breach response plan
  • Know who to notify (data subjects, regulators) and by when (breach notification requirements)
  • Test the breach response plan with tabletop exercises at least annually
  • Log all security incidents, even those that don’t rise to the level of a reportable breach

AI and analytics systems

This is an area where many organisations are behind the curve:

  • Ensure AI systems do not have access to raw personal data
  • Implement PII masking before data reaches any AI model
  • Audit AI outputs for potential re-identification risks
  • Document the purpose and logic of automated decision-making systems
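One concrete way to implement the "mask PII before it reaches any AI model" and "audit AI outputs for re-identification" items is to pseudonymise identifiers with stable tokens on your side of the model boundary, keep the token-to-value mapping outside the model, and scan the model's output for any raw identifier before it is shown or stored. The code below is an added example, not from this post or the author's firm. The regular expressions and the sample customer text are constructed: the IC pattern follows the public YYMMDD-PB-#### layout of Malaysian NRIC numbers, and the phone pattern covers common Malaysian mobile formats; the values themselves are made up.

```python
import re

# Constructed patterns for the identifier types the checklist names.
# Regexes catch structured identifiers only; names need NER or a lookup
# against the data inventory, which is out of scope here.
PATTERNS = {
    "IC": re.compile(r"\b\d{6}-\d{2}-\d{4}\b"),                       # NRIC: YYMMDD-PB-####
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\+?60|0)1\d[-\s]?\d{3,4}[-\s]?\d{4}\b"),  # MY mobile numbers
}


def pseudonymise(text):
    """Replace each identifier with a stable token such as [IC_1].

    Returns (masked_text, mapping). The mapping (token -> real value) stays on
    our side; only masked_text is sent to the model. Repeated values get the
    same token so the model can still reason about "the same customer".
    """
    mapping = {}
    reverse = {}
    counters = {label: 0 for label in PATTERNS}
    for label, pattern in PATTERNS.items():
        def repl(match, label=label):
            value = match.group(0)
            if value not in reverse:
                counters[label] += 1
                token = f"[{label}_{counters[label]}]"
                mapping[token] = value
                reverse[value] = token
            return reverse[value]
        text = pattern.sub(repl, text)
    return text, mapping


def find_leaks(model_output):
    """Audit step: any raw identifier in the model's output means something
    reached the model unmasked (or the model reconstructed it)."""
    return [(label, m.group(0))
            for label, pattern in PATTERNS.items()
            for m in pattern.finditer(model_output)]


def rehydrate(model_output, mapping):
    """Put real values back into the model's output, only where the use case
    genuinely needs them and after find_leaks() has come back empty."""
    for token, value in mapping.items():
        model_output = model_output.replace(token, value)
    return model_output


# Constructed sample: a support ticket as it might arrive from a CRM.
SAMPLE = ("Customer Aiman (IC 900101-14-5678, aiman@example.com, 012-345 6789) "
          "asked about his loan balance.")

if __name__ == "__main__":
    masked, mapping = pseudonymise(SAMPLE)
    print(masked)      # what the model sees
    print(mapping)     # stays in your system, never sent to the model
    print(find_leaks("Balance for [IC_1] is RM 1,200"))   # []
```

With the sample above, the model receives "Customer Aiman (IC [IC_1], [EMAIL_1], [PHONE_1]) asked about his loan balance." The name still gets through, which is the main limitation of pattern-based masking and the reason the "audit AI outputs" item exists as a separate control: run `find_leaks` (and, for names, a dictionary or NER check) on every model response before it is stored or displayed, and treat any hit as an incident to log under the breach-response item.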

Where to start if you’re behind

If this checklist feels overwhelming, prioritise in this order:

  1. Know what you have. You can’t protect data you don’t know about. A data inventory exercise is the foundation of everything else.

  2. Lock down access. Most data breaches involve credentials — either stolen, shared, or improperly provisioned. MFA and RBAC address the majority of risk here.

  3. Have a breach plan. Even if your controls aren’t perfect, knowing how you’ll respond when something goes wrong limits the damage significantly.

Our security team regularly conducts PDPA readiness assessments for organisations across Malaysia. Get in touch to understand where you stand.
