
Malaysia issued a regulatory guideline for data breach notification in February 2025. This article discusses how the new regulation affects businesses in Malaysia.
On 25 February 2025, Malaysia's Personal Data Protection Commissioner released the Guideline on Data Breach Notification (“Guideline”) [1].
In this article, we explore the new requirements introduced by the Guideline and their practical impact on businesses operating in Malaysia.
1. What qualifies as “personal data breach”?
1. Is it mandatory to notify the Commissioner about every personal data breach?
(a) may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
(b) may be used for illegal purposes;
(c) consists of sensitive personal data;
(d) consists of personal data and other personal information that may lead to identity fraud; or
(e) is of significant scale (i.e. the number of the affected data subjects exceeds 1,000).
(collectively referred to as “Significant Harm”).
2. How soon must a data breach be reported to the Commissioner?
3. What happens if the Commissioner is not notified?
(a) the incident timeline;
(b) internal communications about the incident; and
(c) any technical or external factors that caused the delay.
4. How to notify the Commissioner?
(a) submit the notification form (available on the official website of the Department of Personal Data Protection at www.pdp.gov.my);
(b) email a copy of the completed notification form in Annex B of the Guideline to dbnpdp@pdp.gov.my; or
(c) submit a hard copy of the completed notification form in Annex B of the Guideline to the Commissioner.
5. What information should be provided to the Commissioner?
(a) details of the personal data breach (i.e. date and time of the personal data breach, the type and nature of personal data breach involved, the method used to identify the breach and the suspected cause, the number of affected data subjects, the estimated number of affected data records, and the personal data system affected);
(b) the potential consequences arising from the personal data breach;
(c) the chronology of events leading to the loss of control over personal data;
(d) measures taken or proposed to be taken to address the personal data breach and the affected data subjects; and
(e) contact details of the data protection officer or any other relevant contact person where further information on the personal data breach may be obtained.
1. Should affected data subjects be informed of the data breach?
2. How soon to notify the affected data subjects?
3. What kind of information should be provided to the affected data subjects?
(a) details of the data breach that has occurred;
(b) details on the potential consequences resulting from the data breach;
(c) measures taken or proposed to be taken by the data controller to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects;
(d) measures that the affected data subjects may take to eliminate or mitigate any potential adverse effects resulting from the data breach; and
(e) the contact details of the data protection officer or any other relevant contact person where further information on the data breach may be obtained.
4. Must affected data subjects be notified directly?
As Malaysia joins a fast-growing list of jurisdictions that have implemented mandatory reporting for breaches involving personal data, we offer some steps for coming into compliance with these new requirements.
1. Develop a data incident response plan
2. Strengthen security measures, including incident detection
3. Provide regular training
4. Review and update internal policies and contracts
(a) the responsibility of the data processor to notify the organization of data breaches; and
(b) the responsibility of the data processor to assist the organization with continued compliance with regulatory requirements.
With the implementation of this new Guideline in Malaysia, organizations are now required not only to take proactive steps to monitor, detect and respond to data breaches from an internal operational standpoint, but also to conduct a thorough gap assessment to ensure that all external-facing risks, including those involving vendors, third party recipients of shared data and data subjects, are adequately considered and mitigated.
Should you need assistance or have enquiries about whether and how this new regulatory requirement affects your organization, please reach out to your usual contact at Hogan Lovells or the authors.
Authored by Charmian Aw and Audrey Koh.
References