Malaysia imposes data breach reporting – what your business needs to know

On 25 February 2025, Malaysia's Personal Data Protection Commissioner released the Guideline (“Guideline”) on Data Breach Notification¹.

In this article, we explore the new requirements introduced by the Guideline and their practical impact on businesses operating in Malaysia.

1. What qualifies as “personal data breach”?

• A “personal data breach” broadly refers to any event or incident that leads to, or is likely to lead to, the breach, loss, misuse, or unauthorized access of personal data. A personal data breach may be caused by accidental or deliberate actions, either internally or externally.

Notification to the Commissioner

1. Is it mandatory to notify the Commissioner about every personal data breach?

• No. A data controller must only notify the Commissioner if the personal data breach causes or is likely to cause significant harm.
• A personal data breach is considered to cause or is likely to cause “significant harm” if there is a risk that the affected data:

(a) may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;

(b) may be used for illegal purposes;

(c) consists of sensitive personal data;

(d) consists of personal data and other personal information that may lead to identity fraud; or

(e) is of significant scale (i.e. the number of the affected data subjects exceeds 1,000).

(collectively referred to as “Significant Harm”).

2. How soon must a data breach be reported to the Commissioner?

• The notification must be made as soon as possible, and within 72 hours of the personal data breach “occurring”².
• The computation of the 72-hour timeframe for notification begins once the data controller is informed of a security incident or detects a security incident. The data controller must conduct a preliminary investigation to determine whether a data breach has actually occurred.

3. What happens if the Commissioner is not notified?

• If the data controller fails to notify the Commissioner within 72 hours, they must submit a written notice explaining the delay, along with the following supporting evidence: 

(a) the incident timeline;

(b) internal communications about the incident; and

(c) any technical or external factors that caused the delay.

4. How to notify the Commissioner?

• Notification can be made to the Commissioner using one of the following methods:

(a) submit the notification form (available on the official website of the Department of Personal Data Protection at www.pdp.gov.my);

(b) email a copy of the completed notification form in Annex B of the Guideline to dbnpdp@pdp.gov.my; or

(c) submit a hard copy of the completed notification form in Annex B of the Guideline to the Commissioner.

5. What information should be provided to the Commissioner?

• In addition to the notification form, the data controller shall also provide the Commissioner with the following information:

(a) details of the personal data breach (i.e. date and time of the personal data breach, the type and nature of personal data breach involved, the method used to identify the breach and the suspected cause, the number of affected data subjects, the estimated number of affected data records, and the personal data system affected);

(b) the potential consequences arising from the personal data breach;

(c) the chronology of events leading to the loss of control over personal data;

(d) measures taken or proposed to be taken to address the personal data breach and the affected data subjects; and

(e) contact details of the data protection officer or any other relevant contact person where further information on the personal data breach may be obtained.

• In the event where it is not possible for the data controller to provide all the information requested at the time of submitting the initial notification to the Commissioner, the information may be provided in phases, as soon as practicable and no later than 30 days from the date of the notification referred to in Question 4 above.

Notification to the affected data subjects

1. Should affected data subjects be informed of the data breach?

• The data controller must notify the affected data subjects of a personal data breach if the breach results in, or is likely to result in, Significant Harm to the affected data subjects. The criteria for determining what constitutes Significant Harm is set out in Question 1 above.

2. How soon to notify the affected data subjects?

• The notification must be made without unnecessary delay, and not later than 7 days after the initial notification is made to the Commissioner. 

3. What kind of information should be provided to the affected data subjects?

• When notifying affected data subjects of a personal data breach, the data controller must include the following details:

(a) details of the data breach that has occurred;

(b) details on the potential consequences resulting from the data breach;

(c) measures taken or proposed to be taken by the data controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects;

(d) measures that the affected data subjects may take to eliminate or mitigate any potential adverse effects resulting from the data breach; and

(e) the contact details of the data protection officer or any other relevant contact person where further information on the data breach may be obtained.

4. Must affected data subjects be notified directly?

• The notification to the affected data subjects must be provided directly and individually to the data subjects in a practicable manner, in order to allow the affected data subjects to take necessary precautions to protect themselves against the possible adverse effects of the breach.
• However, if direct notification is not practicable or requires a disproportionate effort (i.e. excessive logistical, administrative or financial burden) the data controller may use alternative means of notification, such as public communication or any similar method that effectively informs affected data subjects of the data breach.

What this means for your business

As Malaysia joins a fast-growing list of jurisdictions that has implemented mandatory reporting for breaches involving personal data, we offer some steps for coming into compliance with these new requirements.

1. Develop a data incident response plan

• Develop a comprehensive data incident response plan that addresses the regulatory requirements specified in the Guideline.
• Such plan should minimally include internal escalation procedures to be followed in the event of a data breach, as well as identify relevant stakeholders and external counsel who can advise on the applicability of notification requirements to a data incident.

2. Strengthen security measures, including incident detection

• Implement robust monitoring systems to detect potential data breaches promptly.
• Conduct regular audits and security assessments to identify vulnerabilities.

3. Provide regular training

• Conduct regular training for employees on data protection practices, including the data incident response plan adopted by your organization.
• Consider running a data breach simulation exercise to test situational awareness and the understanding of internal response protocols.

4. Review and update internal policies and contracts

• Review and consider whether existing data and security policies should be updated to ensure compliance with the Guideline.
• Organizations should also review their existing contracts with data processors to update or include the following:

(a) the responsibility of the data processor to notify the organization of data breaches; and

(b) the responsibility of the data processor to assist the organization with continued compliance with regulatory requirements.

Conclusion

With the implementation of this new Guideline in Malaysia, organizations are now required to not only take proactive steps to monitor, detect and respond to data breaches from an internal operational standpoint, but should also conduct a thorough gap assessment to ensure that any and all external-facing risks, including with vendors, third party recipients of shared data, as well as data subjects, are adequately considered and mitigated.

Should you need assistance or have enquiries about whether and how this new regulatory requirement affects your organization, please reach out to your usual contact at Hogan Lovells or the authors.

Authored by Charmian Aw and Audrey Koh.