Understanding the Upcoming PDPA Amendments: What You Need to Know

On the 21st of May earlier this year, the BAC Education Group held an exciting briefing session with Deloitte to discuss the upcoming amendments to Malaysia’s Personal Data Protection Act (PDPA). The session shed light on crucial regulatory changes that will reshape how organizations manage and protect personal data.

Here are the key takeaways every business and professional should know:

Effective 1 April 2025

  • New Terminology: The term data user will now be replaced with data controller. The amendments also introduce formal definitions for biometric data and personal data breach, clarifying key areas of compliance.
  • Bigger Penalties: Non-compliance will now carry much heavier consequences, with fines of up to RM1 million and potential jail time of up to three years.
  • Data Processor Liability: Vendors or service providers who handle data on behalf of others are now directly responsible for maintaining data security.
  • Stricter Cross-Border Rules: The current White List for approved data transfers abroad will be removed, requiring stronger justifications and safeguards for sending personal data overseas.

Effective 1 June 2025

  • Mandatory Data Breach Notification (DBN): Organisations must report any significant data breach to the government within 72 hours, and notify affected individuals within 7 days.
  • Mandatory Data Protection Officer (DPO): Any company that handles large volumes of sensitive data or engages in regular monitoring must appoint and register a DPO.
  • Data Portability Rights: Individuals will now have the right to request that their personal data be transferred to another organization, strengthening control over personal information.

These amendments mark one of the most significant overhauls to Malaysia’s data protection framework since the PDPA’s introduction. With increased accountability and harsher penalties, every organization must act quickly to ensure compliance and update its data management policies.

As Deloitte’s experts emphasized, these changes are not just about avoiding penalties; they’re about building trust and transparency in how businesses handle personal information.

Stay tuned for more updates and internal guidance from the BAC Education Group as we prepare to align our policies and operations with these critical regulatory changes.