Amendments to Malaysia’s Personal Data Protection Act 2010 (PDPA)

Overview of key amendments

The Ministry of Digital, through the Personal Data Protection Commissioner (Pesuruhjaya Perlindungan Data Peribadi (PPDP)) has made amendments to the Personal Data Protection Act 2010, and passed the Personal Data Protection (Amendment) Act 2024. These amendments are intended to ensure that Malaysia’s data privacy and protection regime remains up to date with technological advancements and aligns with international standards.

The amendments were passed by the Dewan Rakyat on 16 July 2024, and subsequently approved by the Senate on 31 July 2024. Following Royal Assent on 9 October 2024, the amendments were officially gazetted by the Attorney-General’s Chambers on 17 October 2024.

These amendments are significant, introducing greater accountability for organisations handling personal data. In summary, the amendments can be outlined as follows:

Novel amendments

• Mandatory appointment of a Data Protection Officer (DPO)
• Mandatory data breach notification to the Commissioner and data subjects
• Rights to data portability

Amendments built upon pre-existing provisions

• Data transfer to countries with equivalent level of protection
• Direct responsibilities on data processors
• Increase of penalties for breach of personal data protection principles

Amendments related to administration & enforcement

• Change of terminology from “data user” to “data controller” and from “data user register, data user form register” to “data controller register, data controller forum register”.
• Inclusion of biometric data as sensitive data, which requires a stricter legal basis for processing (i.e., explicit consent).
• Exclusion of deceased individuals from the definition of data subject.
• Introduction of “personal data breach” definition, which is defined as any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data.
• Expansion of the “requestor” definition to include data subjects who submit data access requests, data correction requests, and data portability requests.
• The Commissioner can designate a body or a data controller as "data controller forums" for specific classes of data controllers.

Important developments on the horizon

Organisations are advised to closely monitor developments in this area and prepare for the additional compliance obligations they may potentially arise. The Personal Data Protection (Amendment) Act 2024 will be further supplemented by forthcoming guidelines, circulars and standard.

These guidelines will specifically address key areas such as data breach notification, the role of data protection officers, data portability, cross-border data transfers, data protection impact assessments, privacy by design, as well as profiling and automated decision-making.

Are you prepared?

The Personal Data Protection (Amendment) Act 2024 will have a significant impact on organisations across four key dimensions: People, Process, Policy, and Technology. These changes necessitate a re-evaluation and adaptation of current practices.

At Deloitte, our Digital Privacy and Trust team provides a suite of services that can help your organisation evolve your program to protect the data and business models that truly matter, while keeping up with the latest regulatory changes. We also offer tailored solutions based on your organisation’s characteristics and needs.

We hope this brochure will guide organisations in navigating the data privacy and protection landscape and requirements in Malaysia.