Introduction
On February 25, 2025, Malaysia's Department of Personal Data Protection (PDP) launched the Data Protection Officer Appointment Guidelines (DPO Guidelines) and Data Breach Notification Guidelines (Breach Guidelines), set to take effect on June 1, 2025. These regulations fall under the Personal Data Protection Act (PDPA), a comprehensive data privacy law enacted to govern the processing of personal data, ensuring individuals' privacy rights while imposing compliance obligations on organizations. The PDPA also appoints the Personal Data Protection Commissioner (Commissioner) as the regulatory authority to enforce compliance.
The DPO and Breach Guidelines provide much-needed clarity on the PDPA regarding when DPOs must be appointed, their qualifications, and the procedural requirements for managing data breaches. While organizations may face challenges in implementing some of the requirements, the overall framework provides a clear and structured direction for improving data breach response. Thus, these guidelines serve as a strong foundation for enhancing data protection in Malaysia and helping businesses establish best practices.
In this blog, we will explore the key provisions of these circulars and discuss what organizations must do to comply with the latest regulatory requirements.
Summary: Key Compliance Measures for Businesses
- Notify the Commissioner of a breach within 72 hours if it causes significant harm or affects more than 1,000 individuals.
- Notify data subjects of a breach within 7 days after the initial notification to the Commissioner if it presents or is likely to present significant harm.
- Maintain a breach register for a period of 2 years to ensure proper documentation and compliance with the guidelines.
- Appoint a DPO if processing exceeds 20,000 data subjects, or 10,000 for sensitive or financial data, or if regular monitoring is involved.
- Notify the Commissioner within 21 days of appointing the DPO.
Breach Guidelines
The Data Breach Guidelines define a personal data breach as unauthorized access, loss, or misuse of personal data, whether accidental or intentional. While data controllers are directly responsible for reporting breaches, processors are not. Instead, controllers must ensure that processors commit via contractual agreements to promptly report breaches and provide necessary support. This approach aligns with global best practices, reinforcing the principle that ultimate accountability lies with the entity determining data processing purposes.
The data controller must establish effective data breach management and response plans to promptly detect, contain, and mitigate breaches while ensuring compliance with notification obligations. The plan should include:
- procedures for identifying and escalating breaches;
- roles and responsibilities of key stakeholders;
- steps to contain and reduce breach impact;
- criteria for notifying the Commissioner and affected data subjects; and
- post-incident review.
Regular training, awareness programs, and simulations are essential for the plan to be effective and ensure employees can respond effectively to data breaches. This helps minimize errors, but keeping employees engaged and retaining knowledge can be challenging.
Have a look at the following table to understand breach notification requirements under the PDPA:
|
Notification to Commissioner
|
Notification to Data Subjects
|
| Threshold |
Every data controller involved in a breach must separately notify the Commissioner if the personal data breach causes or is likely to cause “significant harm.”
A personal data breach poses "significant harm" if it risks physical harm, financial loss, credit damage, property loss, illegal misuse, involves sensitive data, enables identity fraud, or occurs on a significant scale (affects more than 1000 data subjects).
|
Data controllers must inform affected individuals of a personal data breach if it poses or likely poses "significant harm," regardless of the breach's scale. |
| Timeline |
Within 72 hours, otherwise a written notice should be submitted explaining reasons for the delay with evidence. |
Without unnecessary delay, in any case within 7 days of notifying the Commissioner. |
| Manner of Notification |
Notification to the Commissioner can be made via the online form at www.pdp.gov.my.
Additionally, the Breach Guidelines also provide an annexed form. By emailing that to dbnpdp@pdp.gov.my, or by sending a hard copy to the Commissioner, notification can also be made.
|
Affected data subjects must be notified directly in clear, appropriate language to help them take protective measures. It should be separate from the regular communications
Moreover, if direct notification is impractical or overly burdensome, alternative methods like public announcements may be used.
|
| Content of Notification |
The annexed form includes categories such as breach details, data compromised, and recovery steps. The data controller also needs to provide:
- date and time of breach detection;
- type of personal data and nature of breach;
- method of identification and suspected cause;
- number of affected data subjects and records;
- affected personal data systems;
- potential consequences;
- chronology of events leading to the breach;
- mitigation measures taken or planned;
- steps to assist affected individuals; and
- contact details for further information.
|
The breach notification to affected data subjects must include:
- details of the breach;
- potential consequences;
- actions taken or planned to mitigate risks;
- steps individuals can take to reduce harm; and
- contact details for further information.
|
Additionally, data controllers must maintain a breach register for at least two years, documenting key details like cause, impact, and actions taken. While this adds administrative burden, it enhances transparency, helps organizations improve their data protection practices, and demonstrates compliance.
Upon discovering a data breach, data controllers must:
- assess, contain, and minimize impact by isolating systems, suspending access, and stopping harmful practices;
- conduct a thorough investigation to determine the breach's scope, cause, and potential harm; and
- perform a post-breach evaluation to improve future prevention and response.
Compliance Steps for Organizations and How Securiti Can Help
- Create and implement a clear breach management plan.
- Identify breach criteria by understanding what constitutes a data breach and significant harm under the guidelines.
- Implement systems to quickly detect potential data breaches.
- Report the breach to the PDP within the specified time frame, detailing the breach.
- Inform affected data subjects if significant harm is possible.
- Keep detailed records of all breaches and actions taken.
- Evaluate the breach response and improve processes.
- Regularly reassess data processing risks and update the breach plan.
Securiti’s Breach Management automation provides incident response workflows that help organizations respond to privacy incidents promptly and effectively. This enables organizations to take reasonable steps to protect personal information from unauthorized access, disclosure, alteration, misuse, or deletion before processing it.
DPO Guidelines
Data controllers and processors must appoint one or more Data Protection Officers (DPOs) to ensure accountability and compliance with data protection laws. This obligation applies when personal data processing involves:
- more than 20,000 data subjects,
- sensitive personal data exceeding 10,000 data subjects, or
- regular monitoring of personal data.
The threshold approach is similar to other data privacy laws, which oblige organizations of a certain scale and size to appoint a DPO.
When appointing a DPO or determining the qualifications needed, data controllers and processors should consider the nature of the personal data processing, its complexity and scale, the sensitivity of the data, and the level of protection required. However, appointing a DPO does not absolve data controllers or processors from their broader compliance obligations under PDPA. This stipulation emphasizes that the DPO’s role is to assist in achieving compliance, but it does not transfer full responsibility for legal compliance onto the DPO. Organizations must maintain oversight and ensure all regulatory requirements are met.
Organizations must also record the appointed DPO, register the DPO, submit their contact details to the Commissioner within 21 days, and ensure that the contact details are easily accessible through official channels. This maintains transparency and ensures effective communication between organizations and regulatory authorities. Moreover, the DPO must have a separate business email, which further strengthens the DPO’s independence and helps clearly distinguish their role in data protection matters from day-to-day operations.
DPO Eligibility Criteria
To ensure responsiveness, the DPO must be resident in Malaysia for at least 180 days annually, be easily contactable by any means, and be proficient in both Bahasa Melayu and English. Being easily contactable promotes quick communication with stakeholders, reinforcing the importance of responsiveness in compliance. Proficiency in both Bahasa Melayu and English is essential for effective communication with local authorities and data subjects, especially in Malaysia’s multilingual environment.
Responsibilities of DPO
The DPO serves as the primary liaison between data subjects and the data controller or processor for data processing and rights and also acts as the main point of contact between the controller or processor and the Commissioner. It's also important to note that the DPO may hold additional roles and serve multiple entities. Flexibility is a practical approach, particularly for organizations with limited resources. However, it is essential to avoid any conflicts of interest that could compromise the DPO’s independence, as the DPO will be responsible for:
- advising on personal data processing;
- supporting compliance with PDPA and other data protection laws;
- assisting in Data Protection Impact Assessments (DPIA);
- monitoring personal data compliance;
- ensuring proper breach and incident management;
- handling reports and documents required by the Commissioner; and
- taking on additional duties as needed.
It’s also important to note that data controllers and processors are responsible for ensuring their appointed DPO receives necessary resources and adequate training to enable them to perform their functions.
Compliance Steps for Organizations and How Securiti Can Help
- Assess DPO requirements and determine if your organization needs a DPO based on data processing activities.
- Appoint a qualified DPO and ensure the DPO has relevant qualifications and expertise in data protection laws.
- Ensure the DPO is registered with the PDP.
- Make the DPO accessible to all relevant parties, including external entities if applicable.
- Regularly update the DPO on evolving data protection regulations and provide relevant training.
- Ensure DPO operates independently, without conflicts of interest.
Securiti’s Data Mapping module can equip DPOs with tools to uphold stringent data security and governance protocols to catalog and map all data processing activities.
Conclusion
Securiti enables organizations to navigate and comply with Data Protection Officer Appointment Guidelines (DPO Guidelines) and Data Breach Notification Guidelines (Breach Guidelines), set to take effect on June 1, 2025.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Request a demo to learn more.
