Introduction
Malaysia’s data protection regime is entering a new phase. On 22 August 2025, the Personal Data Protection Commissioner (JPDP) issued Public Consultation Paper No. 4/2025, proposing amendments to the Personal Data Protection Regulations 2013. Stakeholders have until 8 September 2025 to provide feedback.
These proposals build on recent amendments to the Personal Data Protection Act 2010, which introduced mandatory breach notifications, Data Protection Officers, and expanded processor obligations. Together, they signal Malaysia’s push to align with global standards like the GDPR while addressing the realities of a digital economy.
The proposed amendments mark a key step in modernizing Malaysia’s privacy framework. They introduce stricter consent rules (with exceptions), safeguards for minors, mandatory processor contracts, and compulsory breach management—moving the regime closer to global standards like the GDPR.
Implications for Businesses
For businesses operating in Malaysia, these proposed amendments are a wake-up call to review and strengthen compliance frameworks. Key action points include:
- Review consent practices — Ensure all forms, contracts, and digital platforms obtain clear, explicit consent in line with the new requirements.
- Update privacy notices — Incorporate the new requirements, including DPO contact information.
- Audit third-party arrangements — Put in place formal contracts with all processors handling personal data.
- Revise security policies — Include detailed data breach response procedures, covering detection, reporting, and recovery.
- Strengthen governance — Appoint or empower your DPO to oversee the implementation of these changes and act as the point of contact for regulators and individuals.
Failure to adapt quickly may not only result in penalties but also reputational damage in an increasingly privacy-conscious market.
Implications for Individuals
For individuals, the proposed amendments are a win for privacy rights. The changes provide:
- Greater transparency about how personal data is collected and used.
- Better safeguards against misuse, especially for children and vulnerable groups.
- Clearer avenues for redress, thanks to improved accessibility of DPO contact details and stronger enforcement powers for the JPDP.
In short, Malaysians can expect stronger protections and a more robust framework to hold organizations accountable.
Five Key Takeaways from the Proposed Amendments
The following are the five key takeaways from the proposed amendments issued in Public Consultation Paper No. 4/2025:
1. Clearer Guidance on Consent
Consent has always been the cornerstone of Malaysia’s PDPA. Under the current framework, a data controller may only process personal data if the data subject has given consent. However, questions have persisted about what constitutes valid consent.
The proposed amendments provide clearer, stricter guidance:
- Timing matters — consent must be obtained before any processing begins.
- Transparency is key — data controllers must provide a personal data protection notice, explaining why the data is being collected, how it will be used, and the rights available to the individual.
This is an important development because it reduces ambiguity and aligns Malaysia’s approach with international standards. Organizations will no longer be able to rely on vague or implied consent; instead, they must establish clear processes and records to demonstrate compliance. For data subjects, this translates into stronger protection and greater confidence that their information won’t be misused.
2. Processing Without Consent: Recognising Exceptions
While consent remains the rule, the amendments acknowledge that in certain cases, personal data can be processed without consent. This is consistent with exceptions already permitted under the PDPA, such as:
- Where processing is necessary to comply with legal obligations.
- Where it is needed to protect the vital interests of the data subject.
- Where it is required for legitimate business functions, provided it does not override the rights of individuals.
By explicitly recognizing these exceptions in the regulations, the JPDP aims to strike a balance between practicality and protection. Businesses will have the legal certainty to act in situations where seeking consent is impractical or unnecessary, while data subjects will benefit from safeguards against abuse.
3. Strengthening Consent Verification for Minors and Vulnerable Data Subjects
The amendments also introduce new verification obligations for situations where consent is given by parents, guardians, or individuals with responsibility over the data subject (such as minors). Data controllers will now be required to take reasonable verification steps to confirm the authenticity of such consent. The amendment also requires the data controller to inform the data subject about the collection and processing of personal data through a personal data protection notice, consistent with the Notice and Choice Principle. This means organizations cannot simply rely on a box-tick exercise; they will need systems in place to ensure the person giving consent truly has the authority to do so.
This change addresses a growing concern in the digital space: the collection of children’s data by apps, platforms, and online services. With this amendment, Malaysia moves toward stronger protections for vulnerable groups, echoing similar measures seen in other jurisdictions.
4. Mandatory Contracts with Data Processors
One of the most significant proposed changes is the introduction of a mandatory written contract requirement between data controllers and data processors.
Currently, while data controllers bear ultimate responsibility for protecting personal data, the obligations of data processors (third parties who process data on behalf of controllers) are less clearly defined. The new rules aim to fix this by requiring contracts to include:
- The purpose, duration, and nature of processing.
- The types of personal data involved.
- The security measures to be implemented.
- The respective rights and obligations of both parties.
This amendment aligns with global best practices, ensuring processors are held to the same high standards as controllers. It also provides businesses with a structured framework to manage outsourcing arrangements, cloud service providers, and other third-party relationships.
5. Enhanced Security Policies and Mandatory Breach Management
Perhaps the most forward-looking amendment relates to the Security Principle. Under the new rules, every organization’s security policy must now include mandatory data breach management procedures.
This reflects the reality that breaches are no longer a matter of “if” but “when.” By requiring proactive planning, the JPDP aims to ensure that organizations can:
- Detect breaches quickly.
- Respond promptly to mitigate harm.
- Notify regulators and affected individuals as required by law.
The amendments also extend the obligation to develop and implement security policies to data processors, not just data controllers. This broadens accountability and strengthens Malaysia’s overall resilience against cyber threats.
Other Notable Amendments
Beyond the five major amendments, the consultation paper outlines several additional changes worth noting:
- New Definitions Introduced — such as business contact information (to distinguish work-related details from personal data) and personal data protection notice.
- Notice and Choice Principle Strengthened — requiring organizations to display the business contact details of their appointed DPO or the person responsible for data protection matters.
- Retention and Integrity Principles — while the underlying provisions remain largely unchanged, compliance will now be ensured through a revised Personal Data Protection Standard 2025, covering data retention policies, secure disposal, and periodic monitoring.
- Expanded Penalties — data processors, not just controllers, will now be directly liable for violations, particularly under the Security Principle. Penalties remain severe: fines of up to RM250,000, imprisonment up to two years, or both.
- Inspection Powers Enhanced — the JPDP and its officers will have clearer and broader powers to request documents, records, and other information during inspections, ensuring more effective oversight.
Conclusion: A Step Towards Global Alignment
Malaysia’s proposed amendments to the Personal Data Protection Regulations 2013 mark a significant step toward stronger, more transparent, and globally aligned data protection. For businesses, they signal the need for proactive compliance; for individuals, they promise clearer rights and better safeguards. With the consultation period ending on 8 September 2025, now is the time to engage and help shape Malaysia’s privacy future.
How Securiti Helps You Comply with the Proposed Amendments
Securiti’s Data Command Center enables organizations to comply with Malaysia’s proposed amendments to the Personal Data Protection Regulations by securing their data, maximizing its value, and fulfilling their obligations around data security, data privacy, data governance, and compliance.
It helps organizations overcome the challenges of hyperscale data environments by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, so they can swiftly meet privacy, security, governance, and compliance requirements.
To see Securiti in action, request a demo today.