Guide · 6 min
PDPA 2024 amendments — what changed for Malaysian SMEs
The 20K-record DPO threshold, breach notification, and data portability — without the legalese.
The headline changes
The Personal Data Protection (Amendment) Act 2024 gazetted in February 2024 with phased commencement through 2025. By May 2026, all material provisions are in force.
1. Mandatory DPO at 20,000 records
Any data user processing the personal data of 20,000 or more individuals must appoint a Data Protection Officer. The DPO need not be a lawyer but must be reasonably qualified and reachable in Malaysia.
2. Mandatory breach notification — s.43A
Notification to the Commissioner "as soon as practicable" where a personal data breach is likely to result in significant harm. Affected individuals must also be notified where the breach is likely to result in significant harm and that harm cannot be mitigated.
3. Data portability — s.43B
Data subjects may request their personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another data user.
4. Direct obligations on data processors
Processors (vendors, BPOs, cloud providers) now have direct PDPA obligations — not just contractual ones flowing through the data user. In practice this means the processor itself carries the security obligation and must notify the data user of a breach, among other duties.
5. Increased penalties
Maximum fine for general offences raised to RM1 million. Maximum prison term raised to 3 years. Repeat offenders face higher penalties.
What ONSET does
GUARDIAN runs daily PDPA checks across every tenant: the DPO record-count threshold (alerting at 18,000 records, ahead of the 20,000 statutory threshold), consent expiry, retention deadlines, and suppression-list integrity. The /admin/runbook/pdpa-data-subject-request playbook handles the new s.43B portability requests.