Introduction

Malaysia’s Updated PDPA has recently undergone important changes. These updates, however, have been missed or ignored by many organisations. Consequently, both local and international businesses could now be exposed to higher risks of non-compliance.

What Changed in the Malaysia PDPA?

Firstly, the most notable change in Malaysia’s Updated PDPA is the mandatory appointment of a Data Protection Officer (DPO). Previously, appointing a DPO was considered a best practice but not a legal requirement. Now, it has become compulsory for all applicable organisations handling personal data.

Secondly, the scope of the PDPA has broadened. It now clearly includes data processors alongside data controllers. Therefore, companies processing data on behalf of others must also comply directly with PDPA obligations.

Thirdly, new powers have been granted to the Personal Data Protection Commissioner (PDPC). The PDPC can now issue stronger penalties and enforcement orders against non-compliant organisations. Ignoring these updates could lead to serious financial and reputational damage.

Who Needs to Act?

Importantly, these changes apply to two main groups:

  • Malaysian entities that collect, process, or store personal data.

  • International companies that, although without a Malaysian office, handle data of individuals located in Malaysia.

Both groups are now equally responsible for ensuring full compliance with the revised PDPA.

Impact of Malaysia’s Updated PDPA on Malaysian-Based Entities

For businesses physically operating in Malaysia, the new DPO requirement is immediate. Entities must appoint a qualified individual responsible for overseeing PDPA compliance. This DPO must have appropriate expertise in Malaysian data protection law and practice.

Moreover, organisations must now ensure that both their internal activities and any outsourcing arrangements meet PDPA standards. Contracts with external service providers must be reviewed and updated. Failure to act can trigger audits, penalties, and even public enforcement notices.

Additionally, transparency obligations have increased. Companies must update privacy notices to explain how individuals can exercise their rights under the PDPA. The DPO is expected to manage this process effectively.

Impact on International Companies Without a Malaysian Entity

International businesses might wrongly believe they are unaffected. However, if a company offers goods or services to individuals in Malaysia, or monitors their behaviour, it falls under the PDPA.

Significantly, such businesses must now appoint a local DPO or an equivalent representative. The DPO must be accessible to both individuals and the PDPC. This requirement ensures that overseas companies can no longer hide behind distance or jurisdictional gaps.

Furthermore, international companies must align their practices with Malaysian standards. Even if already compliant with laws like the GDPR, Malaysia’s PDPA imposes its own unique requirements. Ignoring these differences could result in regulatory action.

Risks of Non-Compliance

The risks of non-compliance are now much higher. The PDPC can impose fines of up to RM 500,000 per offence. Beyond financial penalties, the Commissioner may also issue public reprimands, severely damaging an organisation’s reputation.

In addition, individuals whose data rights are violated can lodge complaints. Consequently, the cost of managing investigations, lawsuits, and remediation could escalate rapidly.

Moreover, with enforcement actions now being made public, the damage to brand trust could be long-lasting and difficult to repair.

Immediate Steps to Take

Given the scale of these updates, organisations should act immediately. Here are critical steps to begin with:

  • Appoint a qualified DPO who understands the Malaysian PDPA in depth.

  • Review and update contracts with third-party processors and service providers.

  • Audit existing data practices to ensure they align with new PDPA requirements.

  • Update privacy notices to reflect expanded transparency obligations.

  • Train staff regularly to understand their responsibilities under the PDPA.

Without these actions, organisations will remain highly vulnerable to regulatory enforcement.

How Formiti Can Help

Appointing and maintaining an in-house DPO can be costly and resource-intensive. Many organisations also struggle to find professionals with real expertise in Malaysia’s specific legal environment.

Fortunately, Formiti offers a solution. Our Global Outsourced Data Protection Officer Service provides expert DPO support without the overheads of a full-time hire.

Our service gives your organisation:

  • Immediate compliance support from qualified privacy experts.

  • Ongoing monitoring and advice to stay ahead of changes in Malaysian law.

  • Representation and liaison services with the Malaysian PDPC.

  • Rapid risk assessments and remediation support where needed.

  • Global expertise tailored to your regional obligations.

With Formiti, you gain peace of mind knowing your compliance needs are fully managed. Whether you are based in Malaysia or abroad, we help you avoid fines, reduce risk, and protect your brand reputation.

In conclusion, the PDPA changes are not optional. Businesses must act now or face real consequences. Partnering with Formiti ensures your compliance journey is smooth, efficient, and cost-effective.

Contact Formiti today to learn how our Outsourced DPO Service can protect your business in Malaysia and beyond.