Malaysia’s Data Protection Act takes shape: What businesses need to know

As Malaysia positions itself at the forefront of regional digital services, its laws are still catching up with global information security requirements. The country was an early mover in data privacy regulation with the Personal Data Protection Act (PDPA), passed in 2010 and in force since 2013, but the wave of regulation that followed, notably the European Union's General Data Protection Regulation (GDPR), left Malaysia lagging by the start of this decade. Measured against that global standard, the original PDPA had no breach notification requirement, gave data subjects limited rights and imposed weak accountability obligations on organisations. Recognising this, the government passed the Personal Data Protection (Amendment) Act in 2024, with the changes brought into force in phases between 1 January and 1 June 2025.

Since 1 April 2025, organisations in Malaysia that process a large volume of personal data or handle sensitive personal data must appoint a Data Protection Officer (DPO). The DPO, who must be competent and resident in Malaysia, oversees the organisation's compliance with the PDPA and manages its internal policies, audits and staff training on data handling practices. This brings Malaysia in line with jurisdictions such as the European Union, Singapore and the United Kingdom, where the DPO has become the role around which data privacy frameworks are established, implemented and enforced. The government intends the requirement to demonstrate its commitment to global best practice while making organisations more accountable for how they handle data.

The other major change is the mandatory breach notification regime. Organisations must notify the Personal Data Protection Department (JPDP) as soon as practicable, and within 72 hours under the Commissioner's guideline, of any breach that causes or is likely to cause significant harm, such as a breach involving 1,000 or more individuals. Where the breach poses a risk of damage, fraud, identity theft or other harm to the individuals concerned, the organisation must also inform those individuals within seven days. This is a significant shift from the previous regime, under which breach disclosure was voluntary and confidential. Organisations are now obliged to maintain detailed incident response procedures, including records of internal investigations and response timelines. Failure to notify can result in a fine of up to RM250,000, imprisonment of up to two years, or both. The change signals a tougher stance on data breaches that has long been needed in Malaysia, given the rise in breaches of sensitive data over the past few years.

Taking a leaf from the GDPR, the amendment also introduces a right to data portability, which allows individuals to request their personal data in a structured, commonly used and machine-readable format. As framed, the right applies only where the processing is based on consent or contractual necessity and is carried out by automated means. The provision is intended as a cornerstone of the open data environment the government envisions for its digital services landscape, in which customers of telecommunications, insurance or healthcare providers can move their data between service providers. The government acknowledges that this environment will take time to materialise; in the meantime, businesses are expected to build processes that can handle portability requests even while the technical standards and formats are still being developed.

The government has also repealed outdated provisions of the PDPA and replaced them with mechanisms closer to global data protection standards. One such provision is the old 'whitelist' system for cross-border transfers, which permitted transfers only to approved countries. In its place, organisations must rely on alternative transfer mechanisms such as data subject consent, contractual safeguards and transfer impact assessments (TIAs). To complement this, data processors are now directly liable under the Security Principle for failing to implement adequate technical and organisational safeguards. Penalties have been increased significantly, with some offences carrying a fine of up to RM1 million, imprisonment of up to three years, or both.

Businesses that handle large volumes of personal data, such as telecommunications, healthcare and insurance providers, should treat compliance as an immediate priority. Beyond appointing a qualified DPO, firms should update their data breach response plans and conduct a gap analysis of any cross-border data flows. They should also establish internal procedures for handling data portability requests and train employees on the updated privacy obligations. The latest indications from the JPDP are that onsite inspections and audits will be stepped up significantly in the second half of 2025. The urgency is heightened by the JPDP's signal that further reforms are expected by year-end, covering Data Protection Impact Assessments (DPIAs), automated decision-making and profiling, and the use of artificial intelligence in data processing.

With this overhaul of its data privacy regime, the Malaysian government has shown serious intent to build a digital environment on par with its global peers. Its evident prioritisation of consumer trust is a welcome change as the digital economy continues to evolve in line with the government's ambitions. The compliance landscape has been reinforced with clearer provisions, updated obligations and stricter penalties, consistent with the long-term goal of nudging Malaysian firms to treat data privacy not merely as a compliance requirement but as a strategic priority embedded in the organisation's mission. Concerns about the human resources needed to realise this vision are warranted, but Malaysian firms now stand at a crossroads: align with global standards, or risk falling behind as data privacy rules become more sophisticated.
