With the final tranche of the key amendments to the Personal Data Protection Act 2010 (“PDPA”), made by the Personal Data Protection (Amendment) Act 2024, having come into effect on 1 June 2025, this article highlights what you need to know about the amendments.
Increased Penalties
One of the most notable changes is the substantial increase in penalties for non-compliance with the PDPA. Data controllers that fail to comply with any of the 7 Personal Data Protection Principles now stare down the barrel of a fine of up to RM1,000,000 (approximately USD237,000)*1 and/or imprisonment for up to 3 years. This is a sharp increase from the previous maximum fine of RM300,000 (approximately USD71,000)*1 and/or imprisonment of up to 2 years.
*1 Figures converted from Malaysian Ringgit (“RM”) to United States Dollar (“USD”) based on the middle rate published by Bank Negara Malaysia on 15 August 2025, and rounded up to the nearest thousand.
Data Protection Officer
Under Section 12A of the PDPA, every data controller and data processor is now required to appoint at least one data protection officer (“DPO”) if its processing of personal data involves:
a. more than 20,000 data subjects;
b. sensitive personal data*2 (including financial information data) of more than 10,000 data subjects; or
c. activities that require regular and systematic monitoring.
*2 Sensitive personal data includes any personal data relating to: (a) physical or mental health or condition; (b) political opinions; (c) religious belief or other belief of a similar nature; (d) commission or alleged commission of any offence; or (e) biometric data.
In addition to the above conditions, the Guidelines on Appointment of Data Protection Officer further detail the DPO’s required expertise and qualifications, scope of responsibilities, and other matters relating to the appointment. While there is no minimum professional qualification, a DPO must, among other things, possess knowledge of the PDPA and relevant data protection practices.
It is also important to note that the DPO appointed or to be appointed should be:
a. physically residing in Malaysia for at least 180 days per calendar year;
b. easily contactable by the Malaysian authorities; and
c. proficient in both Bahasa Malaysia and English.
Further, the DPO must have at least the following core responsibilities in respect of the data processing activities of the data controller or data processor:
a. inform and provide advice to the data controller or data processor on the processing of personal data;
b. support the data controller or data processor in complying with the PDPA and other related data protection laws including staying informed of data processing risks affecting the data controller or data processor;
c. support the carrying out of Data Protection Impact Assessments in accordance with the requirements as may be determined by the Personal Data Protection Commissioner (“Commissioner”) from time to time;
d. monitor the personal data compliance of the data controller or data processor; and
e. ensure proper data breach and security incident management by assisting the data controller or data processor to prepare, process and submit reports and other documents required by the Commissioner in respect of personal data breaches, within the prescribed periods.
The DPO may be appointed from among existing employees or through an outsourced service (based on a service contract signed with an individual or organisation). The Commissioner has also published the following additional guidelines in relation to DPOs:
a. Data Protection Officer Competency Guideline;
b. Data Protection Officer Professional Development Pathway & Training Roadmap; and
c. Management of Data Protection Officer Training Service Providers Guideline.
Data controllers and data processors are also required to notify the Commissioner of their appointed DPO via the DPO Registration Portal within 21 days of the DPO’s appointment. Any subsequent changes to the DPO or their business contact details must be updated within 14 days of the change.
While the DPO is accountable to the appointing data controller or data processor for ensuring PDPA compliance, the appointment of a DPO does not absolve the data controller or the data processor of its own obligation to comply with all duties and functions required by the PDPA.