Malaysia
Summary
Law: Personal Data Protection Act 2010 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2024 (the PDP Act)
Regulator: The Department of Personal Data Protection (PDP)
Summary: The PDPA is supplemented by several pieces of subsidiary legislation that have been enacted by the Ministry of Communications and Multimedia Malaysia and govern, among other things, data user registration, class of data users, fees, and inspections. In addition, the PDP has released data protection standards, setting out minimum security requirements as well as codes of practice for various sectors including the banking and finance, energy, and insurance sectors.
On October 17, 2024, the PDP Act was published in the Gazette after receiving Royal Assent on October 9, 2024. The PDP Act will enter into effect on a date appointed by the Minister by notification in the Gazette. The PDP Act contains amendments introducing mandatory data protection officer (DPO) appointment by controllers and processors, mandatory breach notification, the right to portability as a data subject right, and requirements under the security principle. In addition, the PDP Act amends the rules relating to data transfers and increases the maximum penalty for breach of the PDPA's principles.
On August 22, 2024, the Cybersecurity Act 2024 came into effect. The Act provides for, among other things, the obligation of cybersecurity providers to be licensed, the regulations for cybersecurity service providers, and the functions and duties of the national critical information infrastructure (CII) sector leads and entities.