In today’s digital economy, data has emerged as one of the most valuable assets an organisation possesses, yet it remains one of its greatest points of vulnerability. As consumers become increasingly technologically adept and cyber threats continue to evolve with unprecedented speed, the risk of a personal data breach is no longer a matter of if, but when.
To keep pace with technological demands, many Malaysian companies now rely on third-party providers for cloud storage, cybersecurity monitoring and firewall protection. Yet these safeguards, though essential, remain imperfect. A single firewall breach or a vendor’s lapse in handling personal data can trigger repercussions far beyond the initial incident, exposing businesses to significant legal consequences, including liability for failing to properly oversee their service providers.
In Malaysia, the Personal Data Protection Act 2010 (“PDPA”) is the principal statute governing the collection, use and processing of personal data in commercial transactions. It establishes a framework to ensure that businesses handle personal data responsibly and with due regard for the privacy rights of individuals. The obligations under the PDPA depend on the role a business plays in handling personal data. The key categories are:
- Data Controller means a person who either alone, jointly, or in common with others processes any personal data or has control over or authorises the processing of any personal data. This definition does not include a data processor.
- Data Processor means any person other than an employee of the data controller, who processes personal data solely on behalf of the data controller and does not process the data for their own purposes.
- Data Subject means an individual who is the subject of the personal data, excluding deceased individuals.
In recognition of the growing prevalence and potential harm of data breaches, the PDPA was amended in February 2025. One of the principal amendments was the insertion of Section 12A and Section 12B.
Section 12A obliges companies to appoint at least one data protection officer, who is accountable for compliance with the PDPA.[1] Section 12B introduces mandatory data breach notification obligations.
This article therefore explores the growing risks posed by data breaches, the legal obligations imposed on Malaysian businesses under the PDPA, specifically Section 12B, and the practical steps businesses can take to strengthen compliance, protect their reputation and minimise exposure.
As mentioned above, among the key changes is the introduction of Section 12B, which places an obligation on businesses that process personal data, i.e. data controllers, to notify the Personal Data Protection Commissioner (“PDPC”) as soon as practicable, using the method and format prescribed by the Commissioner.[2] This includes incidents where personal data in the possession of a business is lost, accessed, disclosed or otherwise compromised through the accidental, negligent or unlawful acts of third-party service providers.
Following the insertion of Section 12B, the PDPC issued the Personal Data Protection Guideline (Data Breach Notification) (“DBN Guideline”), which sets out the procedures that data controllers must follow to notify the PDPC and affected data subjects of data breaches.[3] Although the guideline is not legally binding, it serves as an important benchmark for demonstrating responsible governance and regulatory compliance.
Nevertheless, in practice, the distinction between a data controller and a data processor can become blurred, especially for businesses that process personal data on behalf of clients while simultaneously using data for their own commercial purposes. Where these roles overlap, the prudent approach is to adopt the highest standard of compliance by following the steps set out in the PDPA guidelines.
Doing so demonstrates that reasonable steps were taken to address the incident, helps protect the business from harsher penalties, and preserves its reputation and stakeholder trust. This is especially important given that failure to comply with Section 12B carries significant legal consequences: under Section 12B(3) of the PDPA, a data controller found liable faces a fine of up to RM250,000, imprisonment of up to two years, or both.[4]
To illustrate the gravity of non-compliance, it is useful to look at how other jurisdictions treat similar notification failures. For example, in 2018, Booking.com in the Netherlands failed to notify the Dutch Data Protection Authority within 72 hours after a phone-based attack exposed the data of over 4,000 individuals, resulting in a EUR 475,000 fine.[5] The regulator emphasised that even preliminary notifications are mandatory. Similarly, Lithuania fined MisterTango EUR 61,500 for failing to report a data breach involving banking information, as well as for violating security and data minimisation principles.[6]
With data breaches on the rise, compliance with the PDPA, especially Sections 12A and 12B, is crucial for Malaysian businesses. Strengthening governance to identify and address risks promptly can reduce legal and reputational exposure. Treating data protection as a core responsibility helps safeguard operations, maintain trust and navigate the evolving digital threat landscape because protecting data is not only compliance, but survival.

For further information, please contact:
Izzat Asyraf Zamri, Partner, Azmi & Associates
izzat@azmilaw.com
[1] Personal Data Protection Act 2010, s 12A.
[2] Personal Data Protection Act 2010, s 12B.
[3] Personal Data Protection Commissioner, Personal Data Protection Guideline (Data Breach Notification) (Ver. 1.0, 2025).
[4] Personal Data Protection Act 2010, s 12B(3).
[5] Wilson Sonsini, The Data Advisor, ‘Booking.com fined EUR 475,000 for failure to timely notify Dutch Supervisory Authority of data breach’ <https://www.wsgrdataadvisor.com/2021/04/booking-com-fined-eur-475000-for-failure-to-timely-notify-dutch-supervisory-authority-of-data-breach/?utm_source>.
[6] European Data Protection Board, ‘First Significant Fine Was Imposed for the Breaches of the General Data Protection Regulation in Lithuania’ (2019) <www.edpb.europa.eu/news/national-news/2019/first-significant-fine-was-imposed-breaches-general-data-protection_en?utm_> accessed 19 November 2025.