Understanding the Personal Data Protection Act 2010: What’s New in the 2024 Amendments?

In an era where personal data is the new currency, businesses can no longer afford to be complacent about data protection. With Malaysia’s digital economy expanding rapidly—valued at RM89 billion in 2023 and expected to grow even further—the spotlight on data governance has never been brighter. The Personal Data Protection Act (PDPA) 2010 has long served as the cornerstone of Malaysia’s data protection framework. However, the recent 2024 amendments have introduced substantial changes, compelling businesses and data users to re-evaluate their compliance strategies.

But what exactly has changed in 2024? And how do these changes affect your organisation? Whether you are a small business owner, an HR executive, or part of a corporate compliance team, understanding these updates is essential—not just for legal protection, but for maintaining consumer trust in a data-sensitive age.

At OTC Training Centre, we empower professionals and organisations with up-to-date training to navigate complex legal landscapes such as the PDPA. Read on to learn what’s new in the 2024 amendments—and how your business can stay ahead.

Key Highlights of the 2024 Amendments to the PDPA

The Ministry of Communications and Digital has announced the latest round of revisions to ensure Malaysia’s PDPA is aligned with international standards such as the EU’s General Data Protection Regulation (GDPR). The 2024 updates reflect current global concerns surrounding cybercrime, AI ethics, and cross-border data flow.

Here are some major updates you should be aware of:

• Mandatory Data Breach Notification
  Data users are now required to notify the Personal Data Protection Commissioner (PDPC) and affected individuals within 72 hours of identifying a data breach.
• Data Processor Accountability
  Third-party processors are now directly liable for data breaches, unlike before where only data users bore the responsibility.
• Higher Penalties for Non-Compliance
  Fines have increased significantly ranging up to RM1 million or up to 3% of annual turnover, whichever is higher.
• Expanded Definition of Sensitive Data
  The law now includes biometric data, genetic information, and political opinions as part of sensitive personal data.
• Cross-Border Data Transfer Rules
  More stringent requirements are in place for transferring data outside Malaysia. Companies must now ensure the receiving country provides adequate data protection.
• Appointment of Data Protection Officers (DPO)
  Certain organisations—especially those processing large volumes of data—must appoint an internal or external Data Protection Officer to oversee compliance.
• Stricter Consent Requirements
  Consent must now be explicit and informed. Pre-ticked boxes or silence no longer qualify as consent

Why the Amendments Matter to Businesses in Malaysia

These updates aren’t just regulatory—they reflect the urgent need to rebuild public trust in how organisations handle personal information. Cybersecurity incidents in Malaysia rose by more than 30% in 2023, according to CyberSecurity Malaysia. This alarming trend has prompted stricter laws that demand more transparency and accountability from businesses.

Failing to comply can result in severe financial losses and irreversible reputational damage. However, being proactive rather than reactive offers a competitive edge. Companies that show genuine concern for data protection are more likely to attract and retain customers, investors, and partners.

Who Needs to Comply?

If your organisation collects, stores, or processes personal data in Malaysia, the PDPA applies to you. This includes:

• Private companies (small and large)
• Healthcare providers
• Financial institutions
• E-commerce platforms
• Educational institutions
• Marketing and advertising agencies

Even if your servers are hosted outside Malaysia, your operations are still subject to PDPA if you handle data from Malaysian citizens.

How Can Your Business Prepare?

Preparation involves more than just revising privacy policies. Businesses need to take strategic and operational steps to achieve full compliance.

Here are some actionable tips:

• Conduct a Data Audit
  Identify what types of personal data you collect, where they’re stored, and who has access to them.
• Update Consent Mechanisms
  Review all consent forms, checkboxes, and privacy policies to ensure they meet the new standards.
• Train Your Staff
  Everyone—from HR to marketing—should understand the basics of PDPA and how it affects their daily tasks.
• Appoint a DPO
  Ensure your Data Protection Officer is trained and has clear authority to enforce compliance internally.
• Test Your Response Plan
  Simulate a data breach scenario to ensure your team can respond within the required 72-hour window.
• Work with Trusted Partners
  Ensure third-party vendors and processors also comply with PDPA requirements.

Final Thoughts

The 2024 amendments to the Personal Data Protection Act mark a turning point in how Malaysia views and governs personal data. As digital adoption surges, businesses must rise to the challenge—not just to meet legal requirements, but to secure long-term customer loyalty and operational integrity.

Don’t wait until a breach occurs. Take action today. Let OTC Training Centre be your strategic partner in building a safer, more compliant future for your business.