GUIDE · 6 MIN
The 20K-record DPO threshold, breach notification, and data portability — without the legalese.
The Personal Data Protection (Amendment) Act 2024 gazetted in February 2024 with phased commencement through 2025. By May 2026, all material provisions are in force.
Any data user processing the personal data of 20,000 or more individuals must appoint a Data Protection Officer. The DPO need not be a lawyer but must be reasonably qualified and reachable in Malaysia.
"As soon as practicable" notification to the Commissioner where a personal data breach is likely to result in significant harm. Additionally, notification to affected individuals where the breach is likely to result in significant harm and that harm cannot be mitigated.
Subjects may request their personal data in a structured, commonly-used, machine-readable format and have it transmitted to another data user directly where technically feasible.
Processors (vendors, BPOs, cloud providers) now have direct PDPA obligations — not just contractual ones through the data user. This means: security obligation, breach notification to the data user, etc.
Maximum fine for general offences raised to RM1 million. Maximum prison term to 3 years. Repeat offenders face larger numbers.
Our automated compliance monitor runs daily PDPA checks across every tenant: DPO threshold (alerts at 18K records), consent expiry, retention deadlines, suppression integrity. A documented PDPA Data Subject Request playbook handles the new s.43B portability requests.