
PDPA Compliance in Malaysia: What Your Business Actually Needs To Do

  • Writer: ipgenn
  • 1 day ago

“Sir, please scan this QR Code to order your food.”


This has quietly become part of our day-to-day life. When we order food at a restaurant today, we are often asked to scan a QR code at the table. Some systems may also request our name and mobile number before the order can be placed.


However, the moment a restaurant starts collecting a customer’s name, mobile number, or other personal data, it has already entered the territory of the Malaysian Personal Data Protection Act 2010 (“PDPA 2010”).


Many businesses still think that PDPA compliance is only relevant to large technology companies, SaaS platforms, or businesses processing massive amounts of data.


In reality, PDPA Malaysia may apply the moment a business starts collecting personal data, whether from customers, employees, vendors, or business contacts. This applies regardless of whether the data is collected digitally, through QR ordering systems, websites, WhatsApp, or even manually using paper forms.


Many Malaysian businesses are already handling personal data every day without realising that PDPA compliance obligations may already exist within their operations.


Does Your Business Need To Comply With PDPA?


Section 2 of the PDPA 2010 states that the Act applies to any person who processes or has control over the processing of personal data in respect of commercial transactions.


The Act expressly uses the word “any person”. In other words, PDPA compliance is not limited to large corporations or technology companies. In many cases, the moment your business starts processing personal data as part of its business operations, PDPA obligations may already arise.


Some business owners may think:

“I am only collecting names and contact numbers, nothing sensitive or highly private.”


However, Section 4 of the PDPA defines “personal data” broadly as:


“…any information in respect of commercial transactions… that relates directly or indirectly to a data subject, who is identified or identifiable from that information…”


Following this definition, personal data may include:


  • customer names,

  • mobile numbers,

  • email addresses,

  • IC or passport details,

  • addresses,

  • and other information capable of identifying a person.


As such, many SMEs, startups, restaurants, clinics, e-commerce sellers, agencies, and professional firms may already fall within the scope of PDPA Malaysia without realising it.


What Does PDPA Require You To Comply With? Just Remember These 7 Principles


The moment your business starts collecting and processing personal data, you are generally expected to comply with the 7 principles under the PDPA 2010.


Sections 5 to 12 of the PDPA set out the detailed requirements of these principles. However, for easier understanding, they can generally be summarised as follows:


  1. General Principle – Do not process personal data without consent or in a manner contrary to the PDPA.


  2. Notice and Choice Principle – Properly inform the individuals involved (commonly referred to as “data subjects”), such as your customers, employees, or vendors, on how their personal data is being collected and used.


  3. Disclosure Principle – Do not simply disclose or share personal data with third parties without proper basis or consent.


  4. Security Principle – Take practical steps to protect and secure the personal data collected by the business.


  5. Retention Principle – Do not retain personal data longer than necessary.


  6. Data Integrity Principle – Take reasonable steps to ensure the personal data is accurate, complete, and not misleading.


  7. Access Principle – Individuals may request access to or correction of their personal data held by the business.


In practice, these 7 PDPA principles form the core foundation of PDPA compliance in Malaysia. Many businesses may already be subject to these obligations without realising it.


For a more detailed explanation of the 7 Principles under PDPA Malaysia, you may refer to our article: 7 PDPA Principles in Malaysia Every Entrepreneur Must Know


Personal Data Protection Compliance Checklist For Conducting Business in Malaysia


Now that we understand there are 7 PDPA Principles to comply with, what exactly should businesses do in their daily operations to comply with the PDPA 2010?


Below are some of the key compliance steps businesses should consider.


1. Prepare A Proper PDPA Notice


First things first, prepare a proper Personal Data Protection Notice (“PDPA Notice”).


The word “proper” is emphasised because you should not simply copy and paste a PDPA Notice from the internet without considering whether it actually reflects your business operations and data handling practices.


A PDPA Notice should ideally be customised according to the nature of your business, how personal data is collected, and how the business processes and uses the personal data.


Generally, a PDPA Notice should explain the following:


  • what personal data is collected,

  • why the personal data is collected,

  • whether it is compulsory for the individual to provide the personal data,

  • whether and how the personal data may be disclosed to third parties,

  • the rights of individuals to access and correct their personal data,

  • the method to withdraw consent or opt-out,

  • and the contact details of the business for PDPA-related matters.


Under the PDPA, the notice should generally be in writing and available in both Bahasa Malaysia and English.


As a better practice, the PDPA Notice should be provided to the individual before or at the point where the personal data is collected.


2. Implement Internal PDPA Policies & Employee Controls


PDPA compliance is not just about preparing external documents such as a PDPA Notice. Internally, you should also establish proper SOPs and internal controls to safeguard the personal data handled within your business operations.


In practice, many personal data breaches happen internally due to weak access control, poor employee handling, or lack of proper procedures.


Some of the internal control mechanisms you should consider include:


  1. Restrict Staff Access


Do not make personal data freely accessible to everyone within the company. Access should only be given to employees who genuinely require the information to perform their duties.


For example, not every employee should have access to your customer database, employee records, or payroll information.


  2. Employee Onboarding & Resignation Procedures


You should conduct routine training and internal briefings to cultivate awareness of PDPA compliance and proper handling of personal data within the company.


During onboarding, employees should be informed about:


  • how personal data should be handled,

  • internal compliance procedures,

  • confidentiality obligations,

  • and restrictions on disclosure or misuse of personal data.


Upon resignation or termination, businesses should also ensure that:


  • company devices, documents, and databases are returned,

  • system access and passwords are revoked,

  • unnecessary copies of personal data are deleted,

  • and the employee continues to comply with post-employment confidentiality obligations where applicable.


  3. Confidentiality Agreements


You should ensure that proper confidentiality clauses or confidentiality agreements are signed with employees, particularly where they have access to customer information, employee records, financial information, or other sensitive business data.


This helps strengthen internal PDPA compliance and reduces the risk of unauthorised disclosure or misuse of personal data.


3. Review Your Security Measures


While not every business needs expensive enterprise-level cybersecurity systems, you should at least implement reasonable security measures to safeguard the personal data under your control.


Some practical security measures may include:

  • Passwords – Use reasonably strong passwords and avoid sharing passwords between employees.

  • Two-Factor Authentication (2FA) – Enable 2FA where possible, especially for email accounts, cloud storage, banking access, and internal systems.

  • Antivirus & Firewall Protection – Ensure your devices and systems have basic security protection against malware, hacking, and unauthorised access.

  • Encrypted Devices – Consider encryption for laptops, phones, or storage devices containing customer or employee personal data, especially if employees work remotely.

  • Secure Backups – Maintain proper backups to reduce the risk of data loss due to hardware failure, ransomware attacks, or accidental deletion.

  • Physical File Protection – Hardcopy documents containing personal data should not be left openly accessible within the office.

  • Secure Disposal – Personal data should be disposed of securely. For example, physical documents may need shredding, while digital files should be properly deleted instead of simply moved to the recycle bin.


Cloud storage, shared drives, and even WhatsApp usage may also create PDPA compliance risks if they are used without proper internal controls or security measures.


4. Establish a Data Retention & Deletion Process


Many businesses overlook this point, but PDPA compliance does not mean you can keep personal data forever.


Under the PDPA 2010, you should only retain personal data for as long as necessary for the purpose it was collected.


As part of your internal PDPA compliance process, you should decide:


  • what types of personal data should be retained,

  • how long the data should be kept,

  • when the data should be deleted,

  • and how the data should be securely destroyed or archived.


For example, after a certain period of time, you may need to delete:


  • old job application resumes,

  • inactive customer records,

  • ex-employee information,

  • outdated vendor databases,

  • or marketing lists belonging to individuals who have already opted out from marketing communications.


In practice, businesses should establish an internal schedule and procedure for the retention, deletion, backup, and destruction of personal data to reduce unnecessary PDPA compliance risks.


5. Review Vendors, Cloud Providers & Third Parties


Nowadays, it is quite unavoidable for businesses to share or disclose personal data to third parties during day-to-day operations. These third parties may include payroll vendors, accounting software providers, CRM providers, HR software providers, cloud storage providers, or communication platforms.


For example, you may store personal data through services such as Google Drive, Dropbox, cloud accounting systems, or even WhatsApp communications.


However, it is important to understand that outsourcing or using third-party service providers does not automatically shift your PDPA compliance responsibilities to those vendors.


As part of your PDPA compliance process, you should periodically review the following:


  • Review Contracts – Ensure your agreements with vendors properly address data handling, confidentiality, and security responsibilities.


  • Confidentiality Obligations – Ensure vendors or service providers handling personal data are subject to proper confidentiality obligations.


  • Vendor Due Diligence – Conduct reasonable checks on whether your vendors have adequate security and data protection practices.


  • Limit Unnecessary Access – Only provide vendors or third parties with access to personal data that is genuinely necessary for their services.


  • Assess Overseas Storage Risks – If personal data is stored or processed overseas through cloud services or foreign providers, you should assess the potential PDPA and data transfer risks involved.


6. Prepare Procedures For Personal Data Access & Correction Requests


Personal data may change from time to time. For example, your customers, employees, or vendors may update their phone numbers, email addresses, residential addresses, or company details.


As part of your PDPA compliance process, you should prepare an internal procedure to handle such requests properly.


This may include:


  • a designated contact channel for PDPA-related requests,

  • a verification process to confirm the identity of the requester,

  • internal procedures for updating records,

  • and proper documentation of the requests received and actions taken.


Although this may appear administrative in nature, poor handling of personal data requests may still create unnecessary compliance and operational issues for the business.


7. Determine Whether Your Business Must Register As A Data User / Data Controller


While businesses generally need to comply with the PDPA 2010, certain sectors may also be required to register with the Personal Data Protection Department Malaysia as registered data users.


These sectors may include:


  • healthcare,

  • banking,

  • insurance,

  • tourism,

  • education,

  • and transportation.


This is governed under Sections 13 to 20 of the PDPA.


Businesses falling within these categories may also need to comply with the applicable Code of Practice issued by their respective data user forums.


Failure to comply with the applicable Code of Practice may constitute an offence under the PDPA, which may expose the business to penalties, including a fine not exceeding RM100,000, imprisonment not exceeding one year, or both pursuant to Section 29 of the PDPA.


8. Appointment of Data Protection Officer


Under the latest amendments to the PDPA 2010, the appointment of a Data Protection Officer (“DPO”) is now part of the compliance requirements to be introduced for businesses processing personal data.


The DPO is generally responsible for overseeing the company’s PDPA compliance matters.


In practice, the role of the DPO may include:


  • monitoring the company’s compliance with the PDPA,

  • advising the company on personal data protection obligations,

  • handling personal data access and correction requests,

  • coordinating responses relating to personal data breaches or complaints,

  • and monitoring internal data protection policies and procedures.


For SMEs and smaller businesses, the DPO role does not necessarily require a standalone department or full-time officer.


The key point is to ensure there is a clearly designated person responsible for coordinating and monitoring your company’s PDPA compliance efforts internally.


Key Takeaways


To summarise, PDPA compliance in Malaysia is much broader than merely preparing a privacy notice or inserting a disclaimer on your website.


Businesses should also pay attention to their internal operational handling of personal data, including employee access control, vendor management, security measures, retention practices, and internal compliance procedures.


Many SMEs and growing businesses mistakenly assume that PDPA only applies to large corporations or technology companies. In reality, the moment your business starts collecting and processing personal data in the course of commercial transactions, PDPA obligations may already arise.


For most businesses, PDPA compliance should be approached practically and progressively based on the nature, size, and operations of the business.


You do not necessarily need to implement an overly complex compliance system immediately. However, having proper foundational measures in place may significantly reduce legal, operational, and reputational risks in the long run.


If you require assistance in preparing a PDPA Notice, building your internal compliance framework, or assessing your PDPA compliance risks, feel free to contact us at LAWENCO for practical PDPA compliance support tailored for Malaysian businesses.




Written by,

Registered Trademark, Patent and Design Agent

LL.B (HONS), CLP

Advocate & Solicitor




Disclaimer

This article is intended for general informational purposes only and does not constitute legal advice. You should obtain specific legal advice for your particular circumstances before acting on any information contained in this article.



LAWENCO | Advocates & Solicitors


T:       +6017-5581621

E:       hello@lawenco.com

A:       Messrs Lawrence Tan & Co. (000020008942)

Advocates & Solicitors
A1-02-12, Arcoris Mont Kiara

Jalan Kiara, Mont Kiara

50480 WP Kuala Lumpur, Malaysia


© 2026 by LAWENCO 
