7 PDPA Principles in Malaysia Every Entrepreneur Must Know
- ipgenn
- Dec 5
Are you collecting customers’ personal data?
If you collect names, emails, or phone numbers for your business in Malaysia, the Personal Data Protection Act 2010 ("PDPA") applies to you.
Most entrepreneurs collect customer details without thinking much about it — maybe through a Google Form, WhatsApp order, email enquiry, or social media DM. All of these are considered personal data under the PDPA.
If you run a business in Malaysia and you process personal data for commercial purposes, you must follow the seven PDPA principles.

Principle 1: Get Consent from Customers
This is the General Principle under Section 6 of PDPA.
You must get your customer’s consent before processing their personal data. Under Section 6 of the PDPA, a business cannot process personal data unless the customer has given consent. The purpose must be lawful, necessary for your business activity and directly related to why you collected the data. This applies no matter where the data comes from.
Although the PDPA does not strictly require consent to be in writing, in practice written consent protects you because:
It avoids misunderstandings.
It lets you prove you followed the PDPA.
It helps if customers later complain.
It’s good to have a simple checkbox (“I agree to the Privacy Notice”) or a short written confirmation.
Without consent, processing customer data may expose your business to complaints, fines or even operational disruption.
Principle 2: Give Customers a Written Privacy Notice
You must explain, in writing, what personal data you collect and how you plan to use it.
This is the Notice & Choice Principle under Section 7 of the PDPA. Every business must give customers a proper written notice (commonly known as Privacy Notice or PDPA Notice).
This is essentially a simple document that tells people what personal data you’re collecting, why you need it, how long you keep it, who you might share it with, and how they can contact you if something goes wrong.
PRIVACY NOTICE IN ENGLISH AND BAHASA MALAYSIA
The law requires this notice to be in both Bahasa Malaysia and English, and it should ideally appear the moment you collect data — for example, on your website, landing page, Google Form, or even attached to your contract. The key idea is transparency.
Customers have the right to know what you are doing with their personal data before they hand it over.
CHOICES
Your Privacy Notice should also give customers choices. They must be able to decide whether they want to limit certain uses of their data, such as receiving marketing messages. If your system offers no clear way to opt out, that is a compliance risk.
Many entrepreneurs unintentionally break this rule because their website or Google Form simply asks for data… but offers no PDPA Notice. This is considered non-compliant and may expose your business to complaints or enforcement action.
So, make sure every place where you collect data — even a simple form — includes a short Privacy Notice or a link to one. It’s one of the easiest PDPA requirements to fix.
Principle 3: Do Not Share Customer Data Without Consent
You cannot disclose your customers' personal data to anyone unless they have agreed to it.
The PDPA is very strict about disclosure. Under Section 8 of the PDPA, which sets out the Disclosure Principle, you are not allowed to pass your customer’s information to another person or another company if the customer has not consented to it. Even where you do have consent, you may only disclose the data for the same purpose it was originally collected for, or for a purpose that is closely related.
For example, if a customer gives you their phone number to arrange a delivery, you cannot suddenly use that number for marketing, or share it with a business partner, unless the customer agreed to this upfront. Similarly, giving your customer list to a marketing agency, IT freelancer, or cloud service provider without listing them in your Privacy Notice is also a breach.
This rule is simple: If in doubt, don’t disclose. Ask first.
It’s prudent in practice to review who has access to your customer data. If a third party needs the information, make sure your customers have been told about it and have consented to it.
Principle 4: Protect Your Customers’ Data
You must take reasonable steps to keep personal data safe.
This is the Security Principle under Section 9 of the PDPA. It expects every business, even a small start-up, to take practical measures to protect the personal data it handles. This means preventing loss, misuse, unauthorised access, or accidental leaks of information such as names, phone numbers, emails, addresses, or other personal details.
The goal here is not about perfection. It may not be necessary for a company to build a military-grade cybersecurity system. But you must show that you took reasonable and sensible steps to protect the data, especially since customers trust you with their information.
Principle 5: Do Not Keep Personal Data Longer Than Necessary
You must delete customer data once you no longer need it.
Many businesses collect personal data and then forget about it. Under the Retention Principle pursuant to Section 10 of PDPA, this is not allowed. You cannot keep customer information forever “just in case.” Once the original purpose for collecting the data has been fulfilled — for example, after completing a transaction or closing an account — you must either delete or permanently destroy the data.
Keeping data unnecessarily increases your legal risk. It also increases the impact if a data breach occurs. The PDPA requires businesses to be disciplined: keep what you need, but dispose of the rest.
In practice, this could mean having a simple routine where you review and clear old records every quarter, or setting up an automated system that deletes inactive customer data after a certain period.
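The automated clean-up mentioned above, as an added illustration that is not code from the original post or from LAWENCO: each record carries the purpose it was collected for and the date it was last used for that purpose, and a retention schedule (the day counts here are constructed placeholders, since the PDPA fixes no number of days) decides what is kept, what is deleted, and what is escalated for review because nobody documented a purpose for it. The dry-run mode and audit log are design choices so that the deletion itself can be shown to have followed the rule.

```python
from datetime import date, timedelta

# Constructed retention schedule: days to keep a record after its purpose was
# last served. Placeholder values; a business sets them from its own documented
# purposes, not from the PDPA, which does not fix a number of days.
RETENTION_DAYS = {
    "delivery": 90,         # address/phone needed only until the order arrives
    "marketing": 365,       # opted-in marketing contacts, re-confirmed yearly
    "accounting": 7 * 365,  # invoice details kept for the accounting period (placeholder)
}

# Fixed "today" so the run is reproducible; replace with date.today() in use.
TODAY = date(2024, 6, 1)

# Constructed sample records, not real customers.
SAMPLE = [
    {"id": "c1", "purpose": "delivery", "last_activity": date(2024, 1, 10)},
    {"id": "c2", "purpose": "delivery", "last_activity": date(2024, 5, 20)},
    {"id": "c3", "purpose": "marketing", "last_activity": date(2023, 3, 1)},
    {"id": "c4", "purpose": "survey", "last_activity": date(2022, 1, 1)},
]


def classify(record, today):
    """Return 'keep', 'delete' or 'review' for one customer record."""
    days = RETENTION_DAYS.get(record["purpose"])
    if days is None:
        # Unknown or undocumented purpose: never delete silently, escalate it.
        return "review"
    if record["last_activity"] + timedelta(days=days) < today:
        return "delete"
    return "keep"


def apply_retention(records, today, dry_run=True):
    """Apply the schedule and return (kept_records, audit_log).

    In dry-run mode nothing is removed, but the audit log still shows what
    would be deleted, so the rule can be checked before it takes effect.
    """
    kept, audit = [], []
    for r in records:
        decision = classify(r, today)
        audit.append({"id": r["id"], "purpose": r["purpose"], "decision": decision})
        if decision == "delete" and not dry_run:
            continue  # dropped from the retained set
        kept.append(r)
    return kept, audit


if __name__ == "__main__":
    kept, audit = apply_retention(SAMPLE, TODAY, dry_run=False)
    for entry in audit:
        print(entry)
    print("retained:", [r["id"] for r in kept])
```

Running the block with the constructed data deletes c1 and c3 (their retention periods have lapsed), keeps c2, and leaves c4 for manual review because "survey" has no documented retention period; that last case is the one most clean-up scripts get wrong by either deleting or ignoring records nobody owns.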
Principle 6: Make Sure Your Customers’ Data Is Correct and Up-to-Date
You must ensure the personal data you keep is accurate and not misleading.
Under Section 11 of the PDPA, the Data Integrity Principle requires every business to take reasonable steps to make sure the data they hold is correct. This includes checking that the information is accurate, complete, up-to-date, and not misleading.
This might sound simple, but in real business settings, mistakes happen easily: a customer changes their phone number, a typo sneaks into your system, or your team copies the wrong detail into a form. Even a small error could cause delivery issues, billing problems, or customer frustration.
The PDPA doesn’t expect perfection, but it does expect that you take sensible steps to keep your data clean. This might mean confirming details during customer onboarding, updating old entries when customers reach out, or having a habit of reviewing information before using it.
Principle 7: Let Customers Access and Correct Their Data
Your customers have the right to see their personal data, and to ask you to correct it.
The PDPA recognises that people should have control over their own information. Under Section 12 of the PDPA, the Access Principle stipulates that customers have the right to request access to the personal data you hold about them. If they find something wrong, whether the data is incomplete, outdated, or simply inaccurate, they can ask you to correct it, and you must respond.
This right applies whether you store information in spreadsheets, Google Drive, CRM systems, or even paper files. If a customer makes a legitimate request, the PDPA also sets specific timelines for businesses to reply, so ignoring or delaying is not an option.
Allowing access is not only a legal requirement, it also builds trust. Customers feel safer when they know they can review what you keep and correct any mistakes.
What Counts as Personal Data?
After going through all seven PDPA principles, you might wonder what exactly qualifies as personal data. The PDPA keeps this definition intentionally broad.
Under Section 4 of the PDPA, “personal data” basically means:
“any information, collected for commercial purposes, that relates directly or indirectly to a person who can be identified from that information.”
In simple terms: almost anything that can identify a person. If the information can point to a real human being, whether by itself or together with other details you already have, it is considered personal data.
This can include obvious things like a customer’s name, phone number, email address, home address, or identification number.
The law does not give a fixed, exhaustive list. Why? Because technology changes, and new ways of identifying people appear all the time. So the PDPA uses a flexible definition to cover almost any information connected to a person.
Conclusion: What the PDPA Principles Mean for Entrepreneurs in Malaysia
PDPA compliance isn’t just a legal requirement — it’s part of building customer trust.
As your business grows, you will naturally collect more personal data through websites, WhatsApp, online forms, payment systems, marketing tools, and daily operations. The Personal Data Protection Act is designed to make sure that this information is handled responsibly.
By following the seven PDPA principles — consent, notice, disclosure, security, retention, data integrity, and access — you are not only protecting your customers, but also protecting your brand, reducing your risk, and showing the market that your business takes privacy seriously.
PDPA compliance doesn’t have to be complicated. With the right processes and a clear Privacy Notice, most SMEs and start-ups can reach a solid level of compliance quickly.
Need Help With PDPA Compliance?
If you need help preparing a clear and legally-compliant Privacy Notice, or if you want LAWENCO to review your current PDPA practices, feel free to contact us!
We can help you put the right structure in place — simple, practical, and tailored to how your business actually works.
Written by,
Registered Trademark, Patent and Design Agent
LL.B (HONS), CLP
Advocate & Solicitor
Disclaimer: The above information is merely for general sharing and does not constitute any legal advice. Readers are advised to seek individual advice from the professionals.