
As we enter June 2025, we mark one of the most critical periods in the regulatory landscape, particularly in the area of data privacy. As highlighted in our previous article, the Personal Data Protection (Amendment) Act 2024 now comes fully into force, which means that companies operating in Malaysia must ensure compliance with the new data breach notification requirements it introduces. In tandem with the legislative changes, the Personal Data Protection Commissioner has issued a series of supporting guidelines and circulars aimed at clarifying the operational aspects of data breach notification.
Given the regulatory momentum and increasing enforcement expectations, we believe it is both timely and essential to release a comprehensive guide to help organisations establish and operationalise an effective data breach response framework. This article is particularly designed for general counsel, compliance leads, and in-house legal and risk management teams, with the intention of providing a clear and actionable roadmap to address the new requirements.
Given our experience advising companies and assisting organisations in developing data breach management and response plans, we hope this guide can serve as a valuable internal reference, and it may even be used as a model for internal policy development, especially by legal and risk functions. To provide structure and clarity, we will break down this article into 3 parts, reflecting the core obligations under the data breach notification framework:
- i. Understanding What Constitutes a Personal Data Breach
- ii. Notification to the Personal Data Protection Commissioner
- iii. Notification to Affected Data Subjects
Part I: Understanding What Constitutes a Personal Data Breach
For any personal data breach response, the starting point is to understand what a personal data breach is and what it entails.
Under the Personal Data Protection (Amendment) Act 2024, a “personal data breach” broadly refers to any event or incident that leads to, or is likely to lead to, the breach, loss, misuse or unauthorised access of personal data, and a personal data breach may be caused by accidental or deliberate actions, either internally or externally.
It is extremely important to recognise that personal data breaches are not limited to cyberattacks, ransomware incidents, or other externally driven technology-related threats. A common misconception is that only sophisticated external actors are responsible for breaches. However, the legal definition under the Personal Data Protection (Amendment) Act 2024 is significantly broader: a breach may arise from either accidental or intentional acts and may originate from internal sources, such as employees or contractors, as well as from external parties.
Ultimately, the determining factor is not the source or method of the incident, but whether the event leads to, or has the potential to lead to, the breach, loss, misuse, or unauthorised access of personal data.
To provide greater clarity, below are illustrative, but non-exhaustive, examples of incidents that may be classified as personal data breaches:
- i. Unauthorised third parties gaining access to personal data held by the company.
- ii. Emails containing personal data mistakenly sent to unintended recipients.
- iii. Loss or misplacement of a company-issued laptop containing unencrypted personal data.
- iv. Deliberate data theft by an employee with authorised access to sensitive personal data.
- v. Cyber intrusions resulting in unauthorised access to the company’s systems, allowing extraction of personal data.
- vi. System errors or misconfigurations that inadvertently expose personal data to unauthorised parties.
- vii. Unauthorised modifications or tampering with personal data records.
- viii. Situations where personal data becomes inaccessible (temporarily or permanently), including due to ransomware or loss of encryption keys.
- ix. Physical documents containing personal data (e.g., financial or medical records) lost during transport or storage.
- x. Delivery of letters or printed forms containing personal data to the wrong individual or address.
- xi. Improper disposal of physical records or storage devices (e.g., hard drives, USB drives) containing personal data without secure destruction, leading to possible data recovery and misuse.
- xii. Employees accessing company systems containing personal data over unsecured or public Wi-Fi networks, leading to interception or unauthorised access by third parties.
Part II: Data Breach Notification to the PDP Commissioner
After understanding what constitutes a personal data breach, the natural next step is to assess whether such a breach triggers the obligation to notify the Personal Data Protection Commissioner (“Commissioner”).
At the outset, it is important to recognise that not every personal data breach requires notification to the Commissioner, as the company is only obligated to notify the Commissioner if the breach causes or is likely to cause “significant harm.”
Whether a particular breach is likely to cause “significant harm” must be evaluated through a proper legal assessment to determine the risks associated with the compromised personal data. The assessment involves 5 key criteria, where a breach may be considered to cause significant harm if there is a reasonable risk that the compromised personal data:
- i. May result in physical harm, financial loss, a negative effect on credit records, or damage to/loss of property;
- ii. May be misused for illegal purposes;
- iii. Consists of sensitive personal data;
- iv. Consists of personal data and other information which, when combined, could potentially enable identity fraud; or
- v. Is of significant scale, meaning the breach affects more than one thousand (1,000) data subjects.
Of course, there will be situations where, even after conducting the above assessment, the outcome remains inconclusive or uncertain. In such cases, we recommend adopting a risk-based approach and erring on the side of caution: as a matter of best practice, and in the interest of transparency and accountability, it is advisable to proceed with notification to the Commissioner, especially where the legal threshold appears borderline.
If the legal assessment concludes that the breach meets the threshold of “significant harm”, the company must then take immediate steps to notify the Commissioner, as the notification must be made as soon as practicable, and in any event, no later than 72 hours from the occurrence of the personal data breach. However, where it is not possible to notify within this 72-hour timeframe, the company must provide a written explanation for the delay, and this explanation should be accompanied by supporting documentation, which may include a timeline of the incident, relevant internal communications, and any technical or external factors contributing to the delay.
Importantly, for the notification process with the Commissioner, there is a prescribed notification form that must be submitted within the 72-hour window. However, the data breach notification obligation to the Commissioner does not end with the form alone; in addition to the initial submission, the company is also required to provide comprehensive supplementary information, which includes the following:
- i. Details of the personal data breach, including:
  • the date and time the breach was detected by the Company;
  • the type of personal data involved and the nature of the breach;
  • the method used to identify the breach and the suspected cause of the incident;
  • the number of affected data subjects;
  • the estimated number of affected personal data records; and
  • the affected personal data system that led to the breach.
- ii. The potential consequences arising from the personal data breach;
- iii. A chronology of events leading to the loss of control over the personal data;
- iv. Measures taken or proposed to be taken by the Company to address the breach, including actions or steps implemented or planned to mitigate the potential adverse effects of the breach;
- v. Measures taken or proposed to be taken to address the concerns of the affected data subjects; and
- vi. Contact details of the company’s DPO or any other designated individual from whom further information regarding the breach may be obtained.
It is recognised that not all details may be immediately available at the time of the initial notification. In such cases, the Commissioner permits a phased submission of information, and any outstanding details must be submitted as soon as practicable, and in no event later than 30 days from the initial notification date.
Part III: Data Breach Notification to Affected Data Subjects
Having covered the obligations to notify the Commissioner, we now turn to the equally critical requirement of notifying affected data subjects in the event of a personal data breach.
As with notification to the Commissioner, it is important to emphasise at the outset that not all personal data breaches require notification to affected data subjects. Such notification is only required if the breach results in, or is likely to result in, significant harm to the data subjects concerned.
A personal data breach is considered to cause, or be likely to cause, “significant harm” to affected data subjects if there is a reasonable risk that the compromised personal data:
- i. May result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
- ii. May be misused for illegal purposes;
- iii. Consists of sensitive personal data; or
- iv. Consists of personal data and other personal information which, when combined, could potentially enable identity fraud.
As you may observe, the significant harm test applied to determine whether notification to affected data subjects is required is similar to the test applied in assessing the obligation to notify the Commissioner. The key distinction, however, is that this test comprises 4 limbs rather than 5, as the “significant scale” element is not a relevant factor here because the focus is solely on the potential impact to the individual data subjects involved.
Once it is determined that there is a legal obligation to notify affected data subjects, such data breach notification must be provided no later than 7 days from the date the initial notification was submitted to the Commissioner.
Notification to affected data subjects must be made directly and individually, using clear and intelligible language that is appropriate for the specific circumstances, and the notification must be carried out in a practicable manner that allows affected data subjects to take timely and effective precautions or other protective measures against any potential adverse consequences arising from the breach. Therefore, the notification should include the following key information:
- i. A description of the personal data breach, including the nature of the breach;
- ii. An overview of the potential consequences that may arise as a result of the breach;
- iii. The measures taken or proposed to be taken by the company to address the breach, including actions to mitigate any possible adverse effects;
- iv. Recommended steps that affected data subjects may take to reduce or eliminate potential harm; and
- v. The contact details of the company’s DPO or other designated contact person.
Where direct notification is not practicable or would involve a “disproportionate effort”, the company may resort to alternative methods of notification, and these may include public announcements or any other approach that effectively informs affected individuals about the breach. Situations that may constitute a “disproportionate effort” include, but are not limited to:
- i. Where the company is required to notify a large number of data subjects across multiple jurisdictions, and doing so would create an excessive logistical, administrative, or financial burden;
- ii. Where the contact information of affected data subjects is outdated or inaccurate, and obtaining current contact details would require significant time and resources.
In such scenarios, the company must exercise reasonable judgment in selecting the most effective and efficient method of communication, having regard to the severity of the breach, the nature of the data involved, and the urgency with which data subjects need to act. Ultimately, the method and manner of notification must be determined based on the specific circumstances of each breach, with a focus on protecting the rights and interests of affected individuals and maintaining public trust.
Conclusion: Notification Is Only the Beginning
The above sections set out the core framework for data breach notification obligations under Malaysia’s Personal Data Protection (Amendment) Act 2024, whether the notification is to be made to the Commissioner or to the affected data subjects. These requirements are not merely procedural checkboxes; they form a critical component of a company’s broader data protection and risk management framework.
However, it is essential to recognise that notification is only the beginning of the broader data breach response lifecycle. In practice, once a notification is submitted, the Commissioner may initiate a formal investigation, which, based on our experience, can extend over a period of 2 to 4 months, depending on the severity and complexity of the breach, and this process typically involves follow-up queries, requests for documentation, and regulatory scrutiny of the company’s data protection practices and remedial actions.
As such, data breach management must not be treated as a reactive compliance task, but rather as an integrated part of the company’s broader data protection and risk management strategy. All organisations should proactively develop and maintain an adequate data breach response and management plan, which includes not only notification protocols but also investigation handling, internal communication strategies, and post-incident reviews.
The Technology Practice Group at Halim Hong & Quek regularly advises clients on a broad spectrum of data privacy matters, including DPO, data breach, gap analysis, and PDPA framework development. Should your organisation require assistance in assessing or strengthening your data breach response plan, we would be pleased to assist; please feel free to contact our team.
Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
About the authors
Ong Johnson
Partner, Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Fintech, TMT Disputes, TMT Competition, Regulatory and Compliance
johnson.ong@hhq.com.my
Lo Khai Yi
Partner, Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology Acquisition and Outsourcing, Telecommunication Licensing and Acquisition, Cybersecurity
ky.lo@hhq.com.my