Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment

By Carolyn Bigg & Qiuyang Zhao on March 4, 2025

Posted in Data Protection Officers, Data security and breaches, New laws, Privacy Law

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”) (click here for our summary), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the Guideline on Data Breach Notification (“DBN Guideline”) and the Guideline on Appointment of Data Protection Officer (“DPO Guideline”). With the data breach notification and DPO appointment requirements set to come into force on 1 June 2025, organisations subject to the PDPA, whether data controllers or processors, are recommended to understand and adapt to these guidelines to ensure compliance.

DBN Guideline

When must a personal data breach be notified to the regulator and affected data subjects?

A data controller must notify a personal data breach to both the Commissioner andaffected data subjects if it causes or is likely to cause “significant harm”, which includes a risk for any of the following:

physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
misuse of personal data for illegal purposes;
compromise of sensitive personal data;
combination of personal data with other personal information that could potentially enable identity fraud; or
(for the purpose of notification to the Commissioner only) a breach of “significant scale”, i.e. involving more than 1,000 affected data subjects.

What is the timeframe to make data breach notifications?

The timeframe for notifications is as follows:

Notification to the Commissioner: as soon as practicable and within 72 hours from the occurrence of the breach. If notificationfails to be made to the Commissioner within 72 hours, a written notice detailing the reasons for the delay and providing supporting evidence must be submitted; and
Notification to affected data subjects: without unnecessary delay and within seven days of notifying the Commissioner.

What are the other key obligations related to personal data breaches?

A data controller should:

DPA: contractually obligate its data processor to promptly notify it of a data breach and to provide it with all reasonable and necessary assistance to meet its data breach notification obligations;
Management and response plans: put in place adequate data breach management and response plans;
Training: conduct periodic training as well as awareness and simulation exercises to prepare its employees for responding to personal data breaches;
Breach assessment and containment: act promptly as soon as it becomes aware of any personal data breach to assess, contain, and reduce the potential impact of the data breach, including taking certain containment actions (such as isolating compromised systems) and identifying certain details about the data breach in its investigation; and
Record-keeping: maintain a register of the personal data breach for at least two years to document the prescribed information about the data breach.

DPO Guideline

Who are required to appoint DPOs?

An organisation, in the role of either a data controller or a data processor, is required to appoint a DPO if its processing of personal data involves:

personal data of more than 20,000 data subjects;
sensitive personal data including financial information of more than 10,000 data subjects; or
activities that require “regular and systematic monitoring” of personal data.

Who can be appointed as DPOs?

DPOs may be appointed from among existing employees or through outsourcing services based on a service contract. They must:

Expertise: demonstrate a sound level of prescribed skills, qualities and expertise;
Language: be proficient in both Malay and English languages; and
Residency: be either resident in Malaysia or easily contactable via any means.

What are the other key obligations related to DPO appointments?

A data controller required to appoint a DPO should:

Notification: notify the Commissioner of the appointed DPO and their business contact information within 21 days of the DPO appointment;
Publication: publish the business contact information of its DPO through:

its website and other official media;
its personal data protection notices; or
its security policies and guidelines; and
Record-keeping: maintain records of the appointed DPO to demonstrate compliance.

A data processor required to appoint a DPO should comply with the publication and record-keeping obligations above in relation to its DPO.

Next Steps The new guidelines represent a significant step in the implementation of the newly introduced data breach notification and DPO appointment requirements. All organisations subject to the PDPA, whether data controllers or processors, should carefully review the guidelines and take steps to ensure compliance by 1 June 2025. This includes updating relevant internal policies (such as data breach response plans and record-keeping and training policies) and contracts with data processors to align with the guidelines. Additionally, organisations should assess whether a DPO appointment is necessary and, if so, be prepared to complete the appointment and notification processes and update their privacy notices, websites and other media to include DPO information.