The protection of personal data has become a central legal and operational priority for organisations operating in Malaysia. As technology continues to evolve, an increasing volume of data processing and decision-making is conducted through automated systems. This trend is further amplified by digitalisation, cross-border data flows, and the growing deployment of artificial intelligence (AI).
Against this backdrop, regulatory scrutiny under Malaysia’s Personal Data Protection Act (PDPA) has intensified. Recent legislative amendments and enforcement trends underscore the importance of adopting a structured, forward-looking approach to data protection compliance. Organisations can no longer afford to treat personal data protection as a peripheral compliance issue; it is now a core governance and risk-management concern.
This guide provides a practical overview of the PDPA, its core principles, and key compliance obligations. It also highlights emerging regulatory developments, including data breach notification requirements, the appointment of Data Protection Officers (DPOs), Data Protection Impact Assessments (DPIAs), and cross-border data transfers.
Overview of the Personal Data Protection Act Malaysia
The PDPA is Malaysia’s primary data protection legislation. It governs the processing of personal data in the context of commercial transactions and applies to any person or organisation that:
- Processes personal data in Malaysia; or
- Is not established in Malaysia, but uses equipment in Malaysia to process personal data otherwise than for the purposes of transit.
The PDPA does not apply to personal data processed outside Malaysia unless such data is intended to be further processed in Malaysia. At its core, the PDPA seeks to strike a balance between the legitimate operational needs of organisations and the rights of individuals to privacy and data security. It regulates how personal data is collected, used, disclosed, retained, and protected.
Non-compliance may result in criminal penalties, fines, and significant reputational harm. The PDPA is administered and enforced by the Personal Data Protection Commissioner (“the Commissioner”).
What Constitutes Personal Data?
Under the PDPA, “personal data” refers to any information relating to an identified or identifiable individual, whether directly or indirectly. This includes:
- Names, identification numbers, and contact details;
- Financial and employment information;
- Online identifiers and digital footprints; and
- Sensitive personal data, such as health information or biometric data.
As digital transformation accelerates, the scope of what constitutes personal data continues to expand, particularly in AI-driven and data-intensive environments.
The Seven PDPA Principles
The PDPA is underpinned by seven statutory principles that apply to all personal data processing activities.
1. General Principle (Consent)
Personal data may only be processed with the consent of the data subject and for purposes directly related to that consent, unless a statutory exception applies. Consent must be clear, informed, and capable of being recorded and maintained by the data controller. Where the data subject is under the age of eighteen, the data controller shall obtain consent from the parent, guardian or person who has parental responsibility.
Key compliance consideration:
Privacy notices and consent mechanisms must accurately reflect actual data practices and be appropriately tailored, particularly where sensitive personal data is involved.
2. Notice and Choice Principle
Data controllers must provide data subjects with a written notice (“Privacy Notice”), informing them of, among other matters:
- The purpose of collecting personal data;
- The categories of third parties to whom data may be disclosed; and
- The data subject’s rights of access and correction.
The Privacy Notice should enable data subjects to understand how their data will be processed and what choices are available to them. As technology evolves, organisations must consider whether their notice mechanisms remain accessible and effective for diverse user groups.
3. Disclosure Principle
Personal data must not be disclosed for purposes other than those originally notified, unless consent has been obtained or a legal exception applies.
Uncontrolled data sharing, particularly with vendors, affiliates or group companies, remains a common source of compliance risk. Effective implementation requires legal, technical and operational safeguards to work in tandem.
4. Security Principle
Data controllers are required to take practical and reasonable measures to protect personal data from loss, misuse, modification, unauthorised or accidental access, or disclosure. This principle is particularly relevant in the context of data breach notification obligations.
Organisations are expected to adopt a proactive, integrated security framework in which data protection safeguards are embedded throughout the lifecycle of personal data processing.
5. Retention Principle
Personal data must not be retained for longer than is necessary to fulfil the purpose for which it was collected.
Clear data retention policies, classification frameworks and retention schedules are essential both to demonstrate compliance and to reduce exposure in the event of audits or investigations.
6. Data Integrity Principle
Reasonable steps must be taken to ensure that personal data is accurate, complete, not misleading and kept up to date.
Inaccurate data may expose organisations not only to PDPA liability, but also to contractual, operational and reputational risks.
7. Access Principle
Data subjects have the right to:
- Access their personal data; and
- Request corrections to inaccurate or incomplete data.
Organisations must establish procedures to respond within prescribed timelines and ensure accessibility, including through appropriate formats and channels.
Data Breach Notification in Malaysia
Historically, Malaysia’s PDPA did not impose mandatory data breach notification obligations. This position has changed following recent legislative developments, which signal a shift towards a mandatory breach notification regime and align Malaysia more closely with international data protection standards. With effect from 1 June 2025, Section 12B(1) of the PDPA requires a data controller who has reason to believe that a personal data breach has occurred to notify the Commissioner as soon as practicable, in the manner prescribed.
A data controller who fails to comply commits an offence and, upon conviction, may be liable to a fine of up to RM250,000, and/or imprisonment for up to two years. Further, Section 12B(2) provides that where the personal data breach causes or is likely to cause any significant harm to the data subject, the data controller shall notify the personal data breach to the data subject, in the manner and form determined by the Commissioner, without unnecessary delay.
The Personal Data Protection Guideline on Data Breach Notification published on 25 February 2025 further clarifies that:
- Notification to the Commissioner must be made within 72 hours from the occurrence of the personal data breach;
- Phased notifications are permitted where not all required information is available at the time of the initial notification; and
- Any delay in notification must be justified and documented.
Where notification to affected individuals is required, such notification must be made without unnecessary delay and no later than seven (7) days after the initial data breach notification is made to the Commissioner.
Practical implication:
Organisations should put in place robust incident response plans and internal escalation protocols well in advance. These requirements should be carefully integrated into data breach response playbooks, training programmes, simulations and drills, with the objective of anticipating and mitigating privacy risks proactively, rather than responding reactively once a breach has occurred.
Appointment of a Data Protection Officer (DPO Malaysia)
The PDP Amendment Act introduces a mandatory obligation, effective 1 June 2025, for certain data controllers and data processors to appoint a Data Protection Officer (DPO) and register the appointment. A DPO is required where processing involves:
- personal data of more than 20,000 data subjects;
- sensitive personal data of more than 10,000 data subjects; or
- regular and systematic monitoring of personal data.
The DPO plays a central role in:
- Informing and providing advice to the data controller or data processor on the processing of personal data;
- Identifying, assessing, and mitigating risks associated with the processing of personal data across its full lifecycle;
- Overseeing the data controller or data processor’s ongoing compliance with personal data protection laws, regulations and internal policies;
- Preparing compliance reports, conducting and/or facilitating regular personal data audits, and ensuring accurate documentation of personal data protection activities; and
- Supporting the organisation’s personal data protection efforts and acting as the liaison with the Commissioner and data subjects.
Data Protection Impact Assessments (DPIA Malaysia)
A Data Protection Impact Assessment (DPIA) is a structured assessment designed to identify, evaluate and mitigate privacy risks to the protection of personal data based on the organisation’s functions, needs and processes arising from new or high-risk data processing activities.
DPIAs are particularly relevant where organisations deploy:
- Artificial intelligence and automated decision-making systems;
- Large-scale data analytics; or
- New technologies involving personal data.
Conducting DPIAs demonstrates accountability and allows organisations to anticipate regulatory concerns before issues arise.
Artificial Intelligence and PDPA Compliance
Although the PDPA does not expressly regulate AI, its principles apply fully to AI-driven data processing. Key issues include:
- Automated profiling and decision-making
- Transparency, and explainability
- Data minimisation and purpose limitation
Organisations must ensure that AI deployments remain lawful, proportionate, and aligned with PDPA requirements.
Cross-Border Data Transfers
Recent amendments to section 129 of the PDPA permit cross-border transfers where the receiving jurisdiction:
- has laws substantially similar to the PDPA; or
- ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by the PDPA.
Transfer Impact Assessments may be conducted to assess the permissibility of cross-border personal data transfers, taking into account factors such as:
- Whether the laws of the receiving jurisdiction afford data subjects rights that are similar to those under the PDPA;
- Whether there are similar data protection principles (for example, the Security Principle) in place;
- Whether there are similar requirements and protection with regards to the processing of personal data;
- Whether there is a similar or equivalent requirement for the appointment of a Data Protection Officer;
- Whether there exists a comparable regulatory authority to the Department of Personal Data Protection to oversee data protection compliance; and
- Whether there is a similar data breach notification requirement.
Section 129(3) permits cross-border transfers of personal data even where the receiving jurisdiction does not have substantially similar laws or an adequate level of protection, provided that certain statutory exceptions apply. These include circumstances where:
- the transfer is necessary for the performance of a contract between the data subject and the data controller; or
- the data controller has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be processed in a manner which, if carried out in Malaysia, constitutes a contravention of the PDPA.
Enforcement Trends and Compliance Risks
Regulatory enforcement under the PDPA has become increasingly active. Enforcement actions and regulatory attention have tended to focus on, among others:
- Failure to hold a valid certificate of registration; and
- Breaches of the general, disclosure and security principles.
Under the amended regime, a data controller or data processor who contravenes any of the seven PDPA principles commits an offence and shall, on conviction, be liable to a fine not exceeding one million ringgit or to imprisonment for a term not exceeding three years or to both.
Building an Effective PDPA Compliance Framework
A robust and defensible PDPA compliance programme typically includes:
- Data mapping and inventory exercises to identify personal data flows and processing activities;
- Updated privacy notices and consent practices aligned with actual operational practices;
- Security risk assessments and breach response plans, including the involvement of a cross-functional team comprising legal, technical and compliance representatives, particularly prior to deploying new AI systems or materially modifying existing technologies;
- Appointment of a DPO or designated data protection lead; and
- Regular training, audits and compliance reviews to ensure continuous alignment with legal and regulatory expectations.
For organisations operating across borders or deploying advanced and data-intensive technologies, ongoing legal guidance is critical to ensure compliance remains scalable, resilient and future-ready.
Conclusion
The PDPA is no longer a peripheral compliance consideration. It is a core governance obligation that directly affects how organisations operate, innovate, and grow. As regulatory expectations continue to rise, organisations must move beyond reactive compliance and adopt a structured, strategic and risk-based approach to personal data protection.
A clear understanding of the PDPA principles, readiness for data breach notification obligations, effective management of cross-border data transfers, and addressing emerging risks such as those posed by artificial intelligence are essential to safeguarding both regulatory compliance and stakeholder trust.
Engaging experienced legal advisers such as Shearn Delamore & Co., with deep expertise in data protection and regulatory compliance, can assist organisations in navigating these evolving obligations with confidence, clarity, and foresight.