PDPA 2010: a Malaysian SME's privacy compliance guide
mekyn Editorial
What the Personal Data Protection Act 2010 means for Malaysian SMEs — seven principles, JPDP enforcement, common violations and practical steps.
The Personal Data Protection Act 2010 (PDPA) is Malaysia’s principal framework for personal data protection. For most Malaysian SMEs, compliance is less onerous than it first appears — the law is principle-based, the seven principles map cleanly onto sensible business practice, and you are probably already doing most of what compliance requires in some form. What changes is the discipline of documenting what you do, telling people about it, and being able to respond when someone asks for their data.
This article walks through what the PDPA actually requires of Malaysian SMEs and what the practical compliance journey looks like.
Scope: who does the PDPA apply to?
The PDPA applies to any person or organisation that processes personal data of individuals in Malaysia in commercial transactions. Key exclusions exist for federal and state governments, and for entities outside the commercial-transaction context.
Personal data under the PDPA means any information that can identify an individual, either on its own or in combination with other information. Examples relevant to SMEs include:
- Customer names, contact details, NRIC numbers, addresses.
- Employee records and HR data.
- Vendor and supplier contact details.
- Website visitor data when it identifies an individual.
- Customer transaction history.
Sensitive personal data — information about physical or mental health, political opinions, religious beliefs, criminal records — receives additional protection under the PDPA and warrants more rigorous handling.
The seven principles, translated for SMEs
The PDPA is organised around seven data protection principles. Each is a short statement that maps directly to operational practice.
1. General Principle. Process personal data lawfully and only with the data subject’s consent, or under another recognised legal basis. For most SMEs, the practical interpretation is: get clear consent before collecting personal data, and use it only for the stated purpose.
2. Notice and Choice Principle. Tell people what data you are collecting, why, who you will share it with, and how long you will keep it. Provide a real choice. A privacy notice on your website is the most visible expression of this principle; an internal data collection notice for employees serves the same role.
3. Disclosure Principle. Do not share personal data with third parties without consent, except where the law requires or permits. If you use a third-party processor (a payroll provider, an email marketing service, a cloud hosting company), you have a responsibility to ensure they handle the data appropriately — typically through a written data processing agreement.
4. Security Principle. Take practical, proportionate steps to protect personal data from loss, misuse, modification, unauthorised access or disclosure. For SMEs, this typically means: encryption in transit and at rest, access controls, secure storage, staff training and incident response procedures.
5. Retention Principle. Keep personal data only as long as necessary for the purpose it was collected for, or as required by other laws (tax records, for example, have mandatory retention periods). After the retention period, data should be securely deleted or anonymised.
6. Data Integrity Principle. Take reasonable steps to ensure personal data is accurate, complete and not misleading. Update data when you become aware it is incorrect. Provide a way for data subjects to request correction.
7. Access Principle. Give data subjects a way to request access to their personal data and to correct it. Respond within a reasonable timeframe — the PDPA does not specify a number of days, but best practice and the expectations of the Personal Data Protection Commissioner (JPDP) are typically within 14 to 30 days.
The Personal Data Protection (Class of Data Users) Order 2013
A nuance that sometimes surprises SMEs: the PDPA was originally intended to apply in phases, with the seven principles binding specific sectors as each was designated under the Personal Data Protection (Class of Data Users) Order 2013. Sectors that were early designated — communications, banking, insurance, healthcare, tourism, transport — have been bound by the full set of principles since the early 2010s.
Sectors designated later, including many SMEs in retail, F&B and professional services, became bound in subsequent years. For an SME reading this in 2026, assume the PDPA applies to your business if you process personal data of Malaysian individuals in a commercial context.
The Jabatan Perlindungan Data Peribadi (JPDP, the Personal Data Protection Department, formerly the Personal Data Protection Commissioner) administers and enforces the PDPA.
Common compliance gaps among Malaysian SMEs
Patterns the JPDP has flagged in enforcement actions and guidance:
Generic privacy notices copied from overseas templates. A privacy notice that talks about “GDPR rights” and “EU data subjects” but does not reflect Malaysian context or refer to PDPA 2010 does not meet the Notice and Choice principle. The notice should be written for your actual data subjects.
Marketing without consent. Sending marketing SMS, WhatsApp messages or emails to customers without documented consent — even existing customers — risks violation. Existing customer relationships can sometimes provide a soft-opt-in basis for similar-product marketing, but the legal specifics should be reviewed.
Insecure handling of NRIC numbers. NRIC numbers are particularly sensitive personal data. Collecting them when not necessary, displaying them unnecessarily (on receipts, name cards, marketing materials) and storing them without strong security controls are common violations.
Vendor data processing without contracts. Using a third-party payroll provider, cloud service or marketing platform without a written data processing agreement is a gap. JPDP expects SMEs to have a clear contractual basis with any vendor handling personal data on their behalf.
No incident response plan. When a breach happens — a lost laptop, a misconfigured cloud bucket, a phishing-induced data exposure — the SMEs that fare best are those with a documented plan: who to notify, how to contain, when to engage JPDP, when to notify affected individuals.
A practical compliance sequence
For an SME starting from a low baseline, a realistic 90- to 120-day sequence:
Days 1 to 30 — Map the data. Document what personal data you collect, from whom, for what purpose, where it is stored, who has access, how long you keep it, and with whom you share it. A simple spreadsheet works. The output is a data inventory.
Days 31 to 60 — Policies and notices. Draft or refresh your public privacy notice. Draft an internal data handling policy for staff. Identify any high-risk data flows (NRIC numbers, payment data, health data) and prioritise them.
Days 61 to 90 — Vendor and security review. For each third party that processes personal data on your behalf, confirm a data processing agreement is in place. Review security basics: encryption, access controls, backups, staff password hygiene.
Days 91 to 120 — Operations and training. Train staff on the privacy notice and the internal data handling policy. Establish a simple process for handling access and correction requests. Run a tabletop exercise for a data breach scenario.
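The data inventory produced in days 1 to 30 is what the later steps are checked against, so it is worth keeping it in a form a script can read rather than only a spreadsheet. The following is an added example, not code from the article or from mekyn: it models inventory rows as records and runs the three checks the sequence calls for, retention expiry (Retention Principle), missing vendor agreements (Disclosure Principle) and NRIC minimisation and protection (Security Principle), plus a display-masking helper for receipts and similar output. The dataset names, vendor names, dates and field names are constructed assumptions, and the "necessity" field for NRIC is an assumed convention, not a PDPA term.

```python
"""Data inventory checks for a PDPA 2010 compliance review (added example)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class DataFlow:
    """One row of the data inventory: what is held, why, where, for how long."""
    dataset: str
    fields: list[str]            # personal data fields held, lower-case
    purpose: str
    storage: str
    retention_years: int         # agreed retention period for this purpose
    last_needed: date            # date the purpose ended (retention runs from here)
    shared_with: list[str] = field(default_factory=list)
    encrypted_at_rest: bool = False
    nric_justification: str = ""  # why NRIC is necessary; empty means unjustified


def retention_expiry(flow: DataFlow) -> date:
    """Date after which the data should be deleted or anonymised."""
    try:
        return flow.last_needed.replace(year=flow.last_needed.year + flow.retention_years)
    except ValueError:            # 29 February in a non-leap target year
        return flow.last_needed.replace(year=flow.last_needed.year + flow.retention_years, day=28)


def find_retention_breaches(flows, today: date):
    """Datasets held past their retention period, with the expiry date."""
    return sorted((f.dataset, retention_expiry(f).isoformat())
                  for f in flows if today > retention_expiry(f))


def find_vendor_gaps(flows, vendor_register: dict[str, bool]):
    """Third parties receiving personal data without a signed processing agreement."""
    gaps = []
    for f in flows:
        for vendor in f.shared_with:
            if vendor not in vendor_register:
                gaps.append((f.dataset, vendor, "vendor not in vendor register"))
            elif not vendor_register[vendor]:
                gaps.append((f.dataset, vendor, "no data processing agreement on file"))
    return sorted(gaps)


def find_nric_issues(flows):
    """NRIC numbers collected without a recorded need, or stored unencrypted."""
    issues = []
    for f in flows:
        if "nric" not in f.fields:
            continue
        if not f.nric_justification.strip():
            issues.append((f.dataset, "NRIC held without a recorded necessity"))
        if not f.encrypted_at_rest:
            issues.append((f.dataset, "NRIC stored without encryption at rest"))
    return issues


def mask_nric(nric: str, keep_last: int = 4) -> str:
    """Mask all but the last digits for display on receipts or screens."""
    total = sum(c.isdigit() for c in nric)
    seen, out = 0, []
    for c in nric:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep_last else "*")
        else:
            out.append(c)                      # keep separators such as '-'
    return "".join(out)


def review(flows, vendor_register, today: date) -> dict:
    """Run all checks and return findings grouped by principle."""
    return {
        "retention": find_retention_breaches(flows, today),
        "vendors": find_vendor_gaps(flows, vendor_register),
        "nric": find_nric_issues(flows),
    }


# Constructed sample inventory (assumed values, not real data).
SAMPLE_FLOWS = [
    DataFlow("customer_orders", ["name", "phone", "address"], "order fulfilment",
             "POS database", 7, date(2016, 3, 31), ["CloudHost Sdn Bhd"], True),
    DataFlow("loyalty_signups", ["name", "phone", "nric"], "loyalty programme",
             "spreadsheet on shared drive", 2, date(2024, 1, 15), ["MailBlast"], False),
    DataFlow("employee_records", ["name", "nric", "bank_account"], "payroll",
             "HR system", 7, date(2025, 12, 31), ["PayrollCo"], True,
             nric_justification="statutory EPF/SOCSO filings"),
]
SAMPLE_VENDORS = {"CloudHost Sdn Bhd": True, "MailBlast": False, "PayrollCo": True}

if __name__ == "__main__":
    for principle, findings in review(SAMPLE_FLOWS, SAMPLE_VENDORS, date(2026, 1, 1)).items():
        print(principle, findings)
    print(mask_nric("880101-14-5678"))
```

Each finding names the dataset so it can be traced back to an inventory row, and the checks are deliberately conservative: an NRIC field without a recorded reason is flagged even if it is encrypted, because minimisation comes before protection. Re-running the script after any system, vendor or data-category change is a cheap way to keep the annual review honest.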
What this is not
PDPA compliance is not a one-time certification. It is an ongoing practice that needs to be reviewed annually and updated whenever the business changes — when you add a new system, enter a new market, change a vendor or onboard a new category of data.
For most SMEs, the cost of basic compliance is modest: a few days of staff time for the initial mapping, a few thousand ringgit for legal review of contracts and policies, and ongoing discipline to keep the practice current.
The benefit — beyond avoiding PDPA enforcement, which carries financial penalties and reputational consequences — is that a privacy-disciplined business tends to be operationally disciplined more broadly. Data you have mapped, retained thoughtfully and protected properly is data that is actually useful to your business, rather than an accumulating compliance liability.