PDPA (Personal Data Protection Act 2010)

The Personal Data Protection Act 2010 (PDPA) is Malaysia's data privacy law, enforced by the Department of Personal Data Protection (JPDP). It regulates how businesses collect, store, use, and share personal data of individuals in the context of commercial transactions. Any organisation in Malaysia that processes customer, employee, or supplier personal data must comply.

The 7 Data Protection Principles

1. General Principle — process data only with consent and for a lawful purpose
2. Notice and Choice Principle — inform individuals what data is collected and how it will be used
3. Disclosure Principle — do not disclose personal data without consent or legal authority
4. Security Principle — take practical steps to protect data from loss, misuse, and unauthorised access
5. Retention Principle — do not keep data longer than necessary for its purpose
6. Data Integrity Principle — ensure data is accurate, complete, and up to date
7. Access Principle — allow individuals to access and correct their personal data

Practical Steps for SMEs

• Appoint a data protection officer or assign responsibility to a senior staff member
• Conduct a data inventory — know what personal data you hold and where it is stored
• Implement a clear privacy notice on your website and at all data collection points
• Obtain proper consent before collecting or using personal data
• Establish a data breach response plan with clear reporting procedures
• Train staff on data handling procedures relevant to their roles