In February 2025, the Personal Data Protection Commissioner (the “Commissioner”) of Malaysia issued the Guidelines on Data Breach Notification (“DBN Guidelines”) providing guidance on mandatory breach notifications in Malaysia. The DBN Guidelines should be read with the Personal Data Protection Act 2010 (“PDPA”), which introduced the mandatory breach notification requirement. The mandatory breach notification requirement comes into force from 1 June 2025.
Threshold for Notifications
A. Notification to the Commissioner Only
Where a personal data breach is of significant scale (i.e. it affects over 1,000 data subjects), but does not otherwise cause significant harm, data controllers will only be obliged to notify the Commissioner.
B. Notification to the Commissioner and Affected Data Subjects
The obligation to notify the Commissioner and affected data subjects is triggered where a personal data breach causes or is likely to cause significant harm. A personal data breach will be considered to cause or be likely to cause significant harm where there is a risk that the compromise of the personal data:
- may result in physical harm, financial loss, a negative effect on credit records or damage to or loss of property;
- may be misused for illegal purposes;
- consists of sensitive personal data; or
- consists of personal data and other personal information which, when combined, could potentially enable identity fraud.
Timeline for Notifications
A. Notifications to the Commissioner
Data controllers must notify the Commissioner of a notifiable personal data breach as soon as practicable and, in any case, no later than 72 hours from when the personal data breach occurred or from when the data controller is informed of the personal data breach. If a data controller does not notify the Commissioner within 72 hours, it must submit a written notice detailing the reasons for delay, alongside supporting evidence (including documentation of the incident timeline, internal communications and any technical issues or external factors that contributed to the delay). Where more than one data controller is affected by a personal data breach, each affected data controller must submit its own notification to the Commissioner.
B. Notifications to the Commissioner and Data Subjects
Data controllers must notify the affected data subjects without unnecessary delay, and no later than 7 days after the initial notification to the Commissioner. Data controllers must communicate directly with each affected data subject, using accessible language that enables affected data subjects to make informed decisions and take necessary actions to protect themselves against potential harms flowing from the breach.
How Notifications Should be Made
A. Notifications to the Commissioner
Notifications may be made by:
- completing the notification form available on the official website of the Department of Personal Data Protection (www.pdp.gov.my);
- completing the notification form found in Annex B of the DBN Guidelines and submitting it via email ([email protected]); or
- completing the notification form found in Annex B of the DBN Guidelines and submitting a hard copy to the Commissioner.
Upon receiving the notification, the Commissioner will issue a confirmation notice to the data controller. Crucially, the initial notification will not be deemed submitted without the issuance of the Commissioner’s confirmation notice.
Beyond the mandatory information required to be submitted in the notification form, a data controller making the notification must also provide the following information:
- details of the personal data breach, including:
  - the date and time the personal data breach was detected by the data controller;
  - the type of personal data involved and the nature of the breach;
  - the method used to identify the breach and the suspected cause of the incident;
  - the number of affected data subjects;
  - the estimated number of affected data records; and
  - the personal data system affected, which resulted in the breach;
- the potential consequences arising from the personal data breach;
- the chronology of events leading to the loss of control over personal data;
- measures taken or proposed to be taken by the data controller to address the personal data breach, including steps implemented or planned to mitigate the possible adverse effects of the breach;
- measures taken or proposed to be taken to address the affected data subjects; and
- the contact details of the data protection officer (“DPO”) or any other relevant contact person from whom further information on the personal data breach may be obtained.
However, if the data controller is unable to provide this information when submitting the initial notification, the data controller may provide the information in phases, as soon as practicable but no later than 30 days from the date the initial notification was made.
Where a data controller is required to appoint a DPO, the DPO will be the main point of contact for the Commissioner to direct inquiries or requests regarding the personal data breach. If a data controller is not required to appoint a DPO, it must designate a representative who is sufficiently senior and experienced.
B. Notifications to Data Subjects
When notifying the affected data subjects, a data controller must provide the following information:
- the details of the personal data breach that has occurred;
- details on the potential consequences resulting from the personal data breach;
- measures taken or proposed to be taken by the data controller to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects;
- measures that the affected data subjects may take to eliminate or mitigate any potential adverse effects resulting from the data breach; and
- the contact details of the DPO or other contact points from whom more information regarding the personal data breach can be obtained.
Nonetheless, data controllers will not be required to communicate directly with data subjects if doing so would involve a disproportionate effort, in which case a public statement or similar measure that is effective in informing data subjects of the personal data breach suffices. However, to inform affected data subjects, data controllers must use a form of notification sent separately from other types of information to ensure the clarity and transparency of the notification.
Further, where the data controller has implemented appropriate technological and organisational protection measures that mitigate the harm suffered by the affected data subjects, or where the affected personal data is rendered unintelligible to unauthorised viewers due to the security measures implemented, the data controller may be exempt from or allowed to postpone the notification to the affected data subjects.
Compliance Requirements
Data controllers must implement adequate data breach management and response plans aimed at enabling data controllers to identify data breaches, take appropriate remediation measures and fulfil their notification obligations. The management and response plan must minimally address:
- personal data breach identification and escalation procedures;
- roles and responsibilities of relevant stakeholders (e.g., the data breach response plan, the data protection officer);
- steps to contain and mitigate the impact of the breach;
- steps to determine whether it is necessary to notify the Commissioner and / or the affected data subjects;
- communication plan for notifying the Commissioner and / or the affected data subjects; and
- post-incident review.
Periodic training, alongside awareness and simulation exercises, should be conducted to enable data controller employees to fulfil their responsibilities when assisting their employers in responding to a personal data breach.
Furthermore, data controllers must keep and maintain a register of all personal data breaches, regardless of whether the breaches met the criteria for notification to the Commissioner and / or affected data subjects, for a period of at least 2 years.
Conducting Assessments of Data Breaches
Once data controllers become aware of a personal data breach, they must act promptly to assess, contain and reduce any impacts of the breach. The following immediate containment actions should be taken, where applicable:
- isolate and disconnect the compromised database or system from the network;
- suspend or disable compromised access rights;
- stop the practices identified as having caused the data breach; and
- determine whether the lost data can be recovered or whether any immediate remedial action can be taken to minimise further harm caused by the breach.
As part of the initial investigation into a personal data breach, data controllers should identify the following:
- the type(s) of personal data involved;
- the number of affected data subjects;
- the systems, servers, databases, platforms and services affected;
- the chronology of events leading to the data breach;
- the severity of the data breach;
- the root cause of the data breach, and whether it is still ongoing;
- the harm and potential harm that may result from the data breach;
- the measures that should be taken to contain the data breach, and mitigate its possible adverse effects; and
- the remedial actions that should be taken to reduce the harm to affected data subjects.
Data controllers should also conduct post-breach evaluations to assess the efficacy of their management and response plans, as well as the ability of their data protection practices and policies to prevent recurring security incidents.
Conclusion
The new mandatory DBN Guidelines reinforce the importance of timely and transparent responses to data incidents. Organisations must establish clear protocols for identifying, assessing and reporting breaches to ensure compliance. Further, organisations should carefully assess the type of data they process to determine whether a compromise of that data would trigger a data breach notification obligation. To stay ahead, organisations should conduct regular risk assessments, implement strong security measures, and train employees on breach response procedures. Taking stock of their operations and making the necessary preparations will be crucial to enable organisations to comply with their obligations under the DBN Guidelines.
The information provided above does not, and is not intended to, constitute legal advice pertaining to the Malaysian data protection regime under the PDPA and its subsidiary legislation; the information, content and materials set out above are based on our reading of the amendments and are for general informational purposes only.