More importantly, from 1st June 2025, enforcement of Sections 6 and 9 of PDPA 2024(A) will significantly impact how personal data is handled in Malaysia.

PDPA 2010 aims to protect individual privacy and personal data, and PDPA 2024(A) further strengthens this protection by introducing stricter rules and higher penalties for non-compliance.

Section 6 (Duties of Data Users) revises the obligations of “Data Controllers (DC)” or those who process personal data for commercial, research, or employment purposes. The amendments introduce several new responsibilities, including:

  1. Accountability and Transparency: DC must be transparent about their data processing practices. They are required to provide individuals with clear privacy policies, outlining how data is collected, used, and shared, along with details on retention periods and recipients of the data.
  2. Data Protection Impact Assessment (DPIA): DC must conduct a Data Protection Impact Assessment (DPIA) for activities that pose high risks to individuals’ rights and freedoms. This assessment helps identify and mitigate potential risks before proceeding with data processing activities.
  3. Data Security Measures: It is mandatory for DC to implement robust technical and organizational measures to protect personal data from unauthorized access, alteration, or destruction. These measures ensure the integrity and security of data throughout its lifecycle.
  4. Breach Notification: In the case of a data breach that threatens individuals’ privacy, DCs are required to notify both the affected individuals and the Personal Data Protection Commissioner (PDPC) within a specified time frame.
  5. Mandatory Appointment of Data Protection Officer: Companies must appoint a Data Protection Officer (DPO) to ensure compliance with the law and report any breaches to the PDPC.

Section 9 (Penalties for Non-Compliance) outlines the penalties for failure to comply with the regulations, which are designed to deter non-compliance and ensure businesses take their data protection obligations seriously. Key aspects of these penalties include:

  1. Monetary Penalties: DCs who violate Section 6 of PDPA 2024(A) face hefty fines, which can range from RM 300,000 to RM 3 million, depending on the severity of the breach, the scale of non-compliance, and the harm caused to individuals.
  2. Imprisonment: In cases of serious violations, such as deliberate misuse of personal data or severe data breaches, individuals found guilty may face imprisonment for up to three years.
  3. Liability of Directors and Officers: Senior officers or directors of companies who fail in their duties regarding personal data protection can be held personally liable. This includes potential fines or imprisonment for negligence or violations under their watch.
  4. Reputational Damage: Apart from the legal penalties, businesses may suffer significant reputational harm from data breaches. Such incidents can lead to consumer distrust, damaging the company’s image and causing long-term financial losses.

Conclusion

Sections 6 and 9 of PDPA 2024(A) mark a clear shift towards greater accountability and more rigorous enforcement of data protection in an increasingly digital world. The new obligations for DCs, coupled with severe penalties for non-compliance, are expected to enhance public trust and encourage businesses to adopt more responsible data management practices.

As the 2025 implementation date approaches, SMEs must prepare to comply with these new regulations to avoid costly penalties and protect their reputation.