Malaysia Tightens Data Protection from June 2025 (2025)

Posted by ASEAN Briefing. Written by Ayman Falak Medina.

Malaysia is entering a significant phase in the evolution of its data privacy landscape. On June 1, 2025, key amendments to the Personal Data Protection Act (PDPA) will come into effect, bringing about stricter compliance obligations for businesses handling personal data. Introduced through the PDPA Amendment Act 2024, these changes are designed to elevate Malaysia’s data protection standards to meet global expectations, aligning more closely with frameworks like the EU’s GDPR and Singapore’s PDPA.

The reforms are being introduced in phases, but the most far-reaching obligations, including mandatory appointment of a Data Protection Officer (DPO), compulsory data breach notifications, and data portability rights, take effect from June. These developments will impact not only Malaysian companies but also foreign businesses with operations or users in Malaysia.

Mandatory appointment of a Data Protection Officer (DPO)

A cornerstone of the new PDPA requirements is the mandatory appointment of a Data Protection Officer. This applies to organizations that process large volumes of personal data, handle sensitive information, or conduct regular and systematic monitoring of individuals.

The DPO can be an internal employee or an external consultant, but must meet key qualifications:

  • Be a Malaysian resident for at least 180 days per year
  • Be fluent in both Bahasa Malaysia and English
  • Possess expertise in Malaysian data protection laws and practices

The DPO’s role is central to ensuring compliance. Responsibilities include advising the organization on its obligations under the PDPA, monitoring internal data protection activities, conducting impact assessments where necessary, and serving as the point of contact with the Personal Data Protection Commissioner.

Businesses are also required to notify the Commissioner of their appointed DPO and must publish a designated DPO email address on their website or public channels. This step is critical for promoting accountability and transparency in handling personal data.

Mandatory data breach notification framework

The new law introduces a formal obligation to notify both the authorities and affected individuals in the event of a personal data breach. Under the updated PDPA, organizations must:

  • Notify the Commissioner within 72 hours of becoming aware of the breach
  • Notify affected individuals within seven days if there is a risk of significant harm

“Significant harm” is defined broadly and includes risks such as financial loss, identity theft, reputational damage, or loss of access to essential services. Organizations must also maintain a data breach register for a minimum of two years. This documentation must include the nature of the breach, the affected data, actions taken, and any remedial steps implemented.

The inclusion of breach notification requirements brings Malaysia in line with global data privacy standards and places a greater burden on companies to adopt a proactive, transparent approach to security incidents.

Empowering data subjects with portability rights

Another major reform is the introduction of the right to data portability. This empowers individuals to request the transfer of their data from one data controller to another, provided the transfer is technically feasible and secure.

For example, a consumer could request that their data from one insurance provider be moved to another, allowing for greater mobility and competition in data-driven services. While the format and procedures for data transfer are still being clarified, companies must be prepared to:

  • Enable data retrieval in a commonly used and machine-readable format
  • Securely transfer personal data without delays
  • Document and track such requests to demonstrate compliance

This new right will likely have the greatest impact on digital platforms, financial service providers, telecommunications firms, and other data-centric businesses.

Compliance strategy for businesses operating in Malaysia

The 2025 PDPA reforms will require both foreign and local organizations to make structural adjustments. Businesses should immediately assess whether they fall under the categories that mandate a DPO. They should also review internal protocols on breach detection and response, and ensure their systems can handle data portability requests.

Other key action points include:

  • Updating internal and external privacy policies
  • Developing response protocols for security incidents
  • Conducting employee training programs on PDPA compliance
  • Designating or hiring a qualified DPO before June

Legal teams and compliance officers should work closely with IT departments to implement technical solutions that ensure data is protected throughout its lifecycle — collection, storage, transfer, and deletion.

Conclusion: A call to act before June 2025

The latest amendments to Malaysia’s Personal Data Protection Act represent a crucial step toward a more robust data governance framework. These reforms reflect the growing importance of privacy and security in a digital economy and the expectations placed on companies that manage personal data.

For businesses, these changes are not just regulatory obligations — they represent an opportunity to build trust, strengthen internal systems, and adopt a future-ready approach to data handling.
