KUALA LUMPUR, August 28 — In an era rife with phishing attempts, relentless spam, and the looming threat of scams, safeguarding personal data has become more vital than ever.
This necessity underscores the purpose of the Personal Data Protection Act 2010 (PDPA), designed to shield individuals from the misuse of their personal information by mandating adherence to specific principles by data controllers, which include organizations and businesses that handle such data.
But what constitutes personal data? According to Sathish Ramajandran, chairperson of the Personal Data Protection Committee at the Malaysian Bar Council, personal data refers to any information capable of identifying an individual.
Examples include names, email addresses, phone numbers, ages, home addresses, dates of birth, identity card numbers, and photographs. Essentially, any information that can either directly or indirectly identify a person falls under this category.
The PDPA outlines seven fundamental principles that data controllers and processors must comply with, which dictate how personal data should be managed responsibly.
These principles encompass various aspects: personal data can only be processed with the consent of the data subject and for lawful purposes; data subjects must receive written notice in both Malay and English regarding why their data is being collected and their rights related to it; consent is required before disclosing personal data to third parties; and data controllers are compelled to implement reasonable security measures to safeguard personal data from loss or unauthorized access.
Furthermore, the PDPA establishes strict guidelines on data retention, mandating that personal data should not be stored longer than necessary and must be securely deleted or destroyed when no longer needed. Data integrity must also be ensured by maintaining accuracy and timeliness of the information held. Lastly, the Act grants data subjects the right to access their data and request corrections for inaccuracies.
The PDPA empowers individuals as ‘data subjects,’ offering them authority over their information and its usage. It requires all data controllers to register with the Personal Data Protection Commissioner (PDPC), a mandate that affects both public and private sectors.
Non-compliance with these regulations bears severe repercussions. Organizations across sectors—ranging from transportation and education to healthcare and finance—that neglect to register with the PDPC are committing significant offenses, facing fines up to RM500,000, potential imprisonment for three years, or both, as stipulated in Section 16(4) of the PDPA.
The Act was amended in 2024, with the amendments coming into force in two stages, on April 1 and June 1 of this year, reflecting the need for an updated framework that meets contemporary digital challenges and aligns with global standards.
Key amendments effective from April included the classification of biometric data, such as fingerprints and facial scans, as sensitive personal information, now requiring enhanced security and consent protocols. Additionally, the maximum penalties for violations have escalated dramatically—from RM300,000 to RM1 million, with maximum prison terms extending to three years.
Subsequent changes introduced by the June amendments mandate that data controllers and processors appoint a Data Protection Officer (DPO) to ensure compliance, and require timely notification of both the data subject and the PDPC in the event of a personal data breach.
Individuals now have the right to request direct transfers of their data to other controllers of their choice, enhancing their control over personal information.
Vishnu Vijandran, an expert in the field, emphasizes the importance of stringent online security measures, such as using unique passwords for each account and enabling multi-factor authentication, as proactive defenses against potential breaches.
Despite these advancements, the PDPA isn’t without limitations. For instance, the Act is not applicable to actions taken by federal and state governments, and while the Data Sharing Act 2025 provides a framework for data exchange in the public sector, it does not extend to private enterprises. Notably, PDPA protections are confined to commercial activities, excluding non-commercial entities like political parties and charities, and individuals lack formal rights to compensation for data breaches.
While the PDPC enforces the PDPA, it cannot mandate compensation for damages. Affected individuals still possess avenues for legal redress, such as filing civil lawsuits based on negligence or breach of contract, ensuring that while safeguards are in place, the path to accountability remains complex.