
Dissecting the PDP Public Consultation Paper: 10 Key Takeaways on the Personal Data Protection Regulations 2013 Amendments

This year has undoubtedly been one of the most active, if not the most active, periods in the field of personal data protection in Malaysia. Among legal practitioners, there is a saying that “when it rains, it pours”, and in the current personal data protection regulatory climate, nothing could be closer to the truth.

In early August, we saw the release of three significant documents shaping the future of the Data Protection Officer role in Malaysia:

1. Data Protection Officer Competency Guideline;
2. Management of Data Protection Officer Training Service Providers Guideline; and
3. Data Protection Officer Professional Development Pathway & Training Roadmap.

Barely weeks after these guidelines and documents were released, the Department of Personal Data Protection has now issued Public Consultation Paper No. 4/2025 (“Public Consultation Paper”), proposing new amendments to the Personal Data Protection Regulations 2013.

In this article, we dissect the Public Consultation Paper by highlighting the top 10 key takeaways from the proposed amendments to the Personal Data Protection Regulations 2013. For those operating in the personal data protection field, we hope this article will equip your team and organisation with both legal clarity and foresight as your organisation prepares for the changes ahead.

Key Takeaway 1: The Status of the Public Consultation Paper

The Public Consultation Paper was officially released on 22 August 2025 and will remain open for feedback until 8 September 2025.

While the Public Consultation Paper does not specify when the proposed amendments to the Personal Data Protection Regulations 2013 will be officially implemented and come into force, based on our understanding of the regulatory climate and the current momentum in Malaysia’s data protection framework, it would be reasonable to anticipate that drafting of the amendments will commence shortly after the public consultation period concludes. Therefore, organisations are advised to monitor these developments closely, as the amendments to the Personal Data Protection Regulations 2013 may potentially come into force in the relatively near future.

Key Takeaway 2: Introducing the Definition of “Personal Data Protection Notice”

A notable proposal in the Consultation Paper is the formal introduction of the term “Personal Data Protection Notice” within the Personal Data Protection Regulations 2013.

While most are familiar with the concept of a “Personal Data Protection Notice”, there has long been confusion over terminology in the industry: some refer to it as a “privacy notice,” others as a “personal data protection policy,” and some even as a “privacy statement.” The proposed standardisation under the term “Personal Data Protection Notice” is therefore most welcome, as it provides much-needed clarity and certainty in the use of terminology within the industry.

Key Takeaway 3: Aligning Terminology From “Data User” to “Data Controller”

Another key proposed amendment relates to the proposed alignment of terminology within the Personal Data Protection Regulations 2013 by changing the term “data user” to “data controller.”

This amendment is both expected and necessary, especially following the implementation of the Personal Data Protection (Amendment) Act 2024, which has already changed “data user” to “data controller.” Hence, aligning the terminology of “data controller” across the Personal Data Protection Regulations 2013 is truly essential for legal clarity and consistency.

Key Takeaway 4: Clearer Guidance on Obtaining Valid Consent

The Public Consultation Paper proposes an amendment to provide clearer guidance on how to obtain valid consent from data subjects.

The Public Consultation Paper does not elaborate on the precise mechanics of obtaining “valid consent”. At present, the legal requirement is that consent must be “recorded and maintained”, yet at the same time, other forms of consent, such as consent by conduct or performance, or even verbal consent, are generally accepted as valid consent as well. We trust that the forthcoming amendments may reconcile these varying forms and set out greater clarity on the acceptable forms of consent within the Personal Data Protection Regulations 2013.

Key Takeaway 5: Processing Personal Data Without Consent in Limited Circumstances

Another significant proposal is to formally introduce provisions into the Personal Data Protection Regulations 2013 that recognise personal data may be processed without consent in specific situations, reflecting the exceptions already embedded in the Personal Data Protection Act 2010.

This proposal is both expected and necessary. While the general rule is that personal data should only be processed with the consent of data subjects, the Personal Data Protection Act 2010 itself sets out a range of exceptions under which data controllers may lawfully process personal data, and even sensitive personal data, without consent. Aligning the Personal Data Protection Regulations 2013 with the Personal Data Protection Act 2010 will therefore provide legal consistency, reducing uncertainty and ensuring that organisations have a clear and consistent reference point when determining their compliance obligations.

Key Takeaway 6: Verification of Consent for Data Subjects Under 18

The Public Consultation Paper also proposes the introduction of specific provisions to establish requirements for data controllers to take reasonable verification steps when obtaining consent from parents, guardians, or individuals with parental responsibility for data subjects under the age of 18.

This development is particularly welcome. At present, the law merely requires data controllers to obtain such consent before processing the personal data of data subjects under the age of 18, but it does not offer further guidance on how this should be achieved. By establishing a framework of reasonable verification steps, the proposed amendment would bring greater clarity and a more complete legal framework for organisations handling the personal data of minors.

Key Takeaway 7: Displaying the Data Protection Officer’s Contact Information

The Public Consultation Paper proposes that the business contact information of the appointed Data Protection Officer (“DPO”) must be displayed within the Personal Data Protection Notice.

This is both necessary and timely, as following the mandatory appointment of a DPO under the Personal Data Protection (Amendment) Act 2024, the Appointment of DPO Guideline also stipulates that the business contact details of the DPO should be included in the Notice. As the DPO serves as a facilitator and point of contact between data subjects and data controllers, this proposed amendment will bring the regulations into alignment with existing guidance.

Key Takeaway 8: Security Policies Must Address Data Breach Management

The Public Consultation Paper further proposes that all security policies should explicitly include procedures for managing data breaches.

This amendment is directly connected to the new personal data breach notification requirements introduced by the Personal Data Protection (Amendment) Act 2024, and it is certainly a welcome step, as it pushes organisations to embed personal data breach response into their compliance architecture. However, we also recognise that some organisations may already maintain an independent Data Breach Management Policy. It would therefore be useful if the regulation allowed the security policy to reference such standalone policies, in order to avoid duplication while still ensuring compliance.

Key Takeaway 9: Written Contracts Between Data Controllers and Data Processors

The proposed amendments would make it a requirement for data controllers to enter into a written contract with data processors whenever personal data processing is outsourced to a third party.

This amendment is particularly important in view of the changes introduced by the Personal Data Protection (Amendment) Act 2024, which extended obligations to data processors, requiring them to comply with the Security Principle under the Personal Data Protection Act 2010.

Key Takeaway 10: Direct Liability for Data Processors

Finally, the Public Consultation Paper proposes to introduce a new provision placing direct liability on data processors, making them subject to the same penalties as data controllers in cases of breach of the Security Principle under Personal Data Protection Regulations 2013. Upon conviction, this may include a fine not exceeding RM250,000, imprisonment for a term not exceeding two years, or both.

This proposal ties closely with the ninth key takeaway, reflecting a consistent effort to expand and formalise the obligations and responsibilities of data processors under the personal data protection framework.

Conclusion

The proposed amendments to the Personal Data Protection Regulations 2013 mark a significant step in strengthening Malaysia’s data protection framework, bringing greater clarity, consistency, and accountability across the board.

As the consultation period closes and the final amendments are introduced, it will be essential for legal teams and senior management to stay ahead of the curve. Preparing early will not only reduce compliance risk but also build trust with regulators, customers, and stakeholders.

If your organization needs help with further insights and legal guidance on Personal Data Protection (Amendment) Act 2024 or Data Protection Officer outsourcing services, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.

Our Technology Practice continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.


About the authors

Ong Johnson
Partner
Head of Technology Practice Group

Fintech, Data Protection,
Technology, Media & Telecommunications (“TMT”),
IP and Competition Law
johnson.ong@hhq.com.my


Lo Khai Yi

Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my



© 2025 Halim Hong & Quek