
Ever since the Personal Data Protection (Amendment) Act 2024 came into full implementation on 1 June 2025, organizations operating in Malaysia have entered a new era of compliance under the Personal Data Protection Act 2010 (“PDPA”). Beyond the new mandatory appointment of a Data Protection Officer (“DPO”), arguably one of the most significant and far-reaching developments is the introduction of mandatory personal data breach notification obligations, as it is without doubt a change that will have a profound impact on how organizations manage and respond to personal data breaches.
In relation to personal data breaches, there is a common saying in the industry: “it is not a matter of if, but when.” This statement holds true: there is nothing embarrassing about experiencing a personal data breach, but what truly matters is how an organization manages and responds to it in compliance with the PDPA.
Importantly, the law is clear that a data controller who fails to comply with the personal data breach notification obligation commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years, or to both. This is not a matter that any organization can afford to overlook or take lightly, given the potential legal, financial, and reputational consequences that may follow.
Given the importance of these new notification obligations, the relevant provision under Section 12B of the PDPA is reproduced below for ease of reference:
“(1) Where a data controller has reason to believe that a personal data breach has occurred, the data controller shall, as soon as practicable, notify the Commissioner in the manner and form as determined by the Commissioner.
(2) Where the personal data breach under subsection (1) causes or is likely to cause any significant harm to the data subject, the data controller shall notify the personal data breach to the data subject in the manner and form as determined by the Commissioner without unnecessary delay.
(3) A data controller who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred and fifty thousand ringgit or imprisonment for a term not exceeding two years or to both.”
Therefore, in this article, we aim to provide a clear, step-by-step legal and practical framework to assist companies, general counsels, in-house teams, and DPOs in understanding how to effectively discharge their personal data breach notification obligations under the PDPA. While we certainly hope that such incidents never occur, should they happen, we trust that this article will serve as a practical and reliable guide to navigate the process with confidence and compliance.
We have structured this article into 3 key sections:
• Understanding what constitutes a personal data breach;
• Identifying the circumstances in which the mandatory personal data breach notification obligation to the Commissioner is triggered; and
• Identifying the circumstances in which the mandatory personal data breach notification obligation to affected data subjects is triggered.
Part (i): Understanding What Constitutes a Personal Data Breach
In the event of a suspected personal data breach, the most crucial first step for any organization is to determine whether the alleged incident genuinely qualifies and constitutes a “personal data breach” under the PDPA. Only if the incident falls within this definition will the subsequent notification obligations be triggered. Therefore, understanding what amounts to a “personal data breach” forms the very foundation and essential starting point of the entire process.
The term “personal data breach” is expressly defined under the PDPA. For ease of reference, the legal definition is set out below:
“Personal data breach” means any breach of personal data, loss of personal data, misuse of personal data or unauthorised access of personal data.
In accordance with the definition of “personal data breach” under the PDPA, a “personal data breach” broadly encompasses four key circumstances involving personal data:
• Any breach of personal data,
• Any loss of personal data,
• Any misuse of personal data, or
• Any unauthorised access of personal data.
In essence, as long as an incident concerning personal data falls within any one of these four circumstances, whether it involves a breach, loss, misuse, or unauthorised access, it will be regarded as a “personal data breach” within the meaning of the PDPA.
A critical point to emphasise is that the law is agnostic as to the source, intent, or manner in which the breach arises. The PDPA makes no distinction between internal or external causes, accidental or deliberate acts, or whether the incident originates from employees, contractors, service providers, or external threat actors. What matters is the fact that the personal data has been compromised in one of the four ways prescribed by law.
This understanding that the law is neutral as to the source, intent, or nature of the incident is extremely important, as a common misconception is that a personal data breach is confined only to external cybersecurity threats such as ransomware attacks, phishing campaigns, distributed denial-of-service (DDoS) incidents, or SQL injection exploits. In reality, many personal data breaches stem from internal or operational lapses, such as human error, system misconfigurations, misplaced devices, or inadvertent disclosure of personal data to unintended recipients. Recognizing this breadth of coverage is key for organizations to establish effective internal reporting, escalation, and response mechanisms from the outset in the event of a personal data breach.
Part (ii): Identifying When the Mandatory Notification Obligation to the Commissioner Is Triggered
Once it has been properly determined that an incident constitutes a personal data breach, the next critical step is to assess whether it triggers a mandatory notification obligation to the Commissioner.
It is important to emphasise that not every personal data breach requires notification, as the statutory obligation to notify the Commissioner is only triggered where the personal data breach causes, or is likely to cause, “significant harm”.
Assessing whether a personal data breach causes, or is likely to cause, “significant harm” is a legal determination that requires careful consideration of both qualitative and quantitative factors. In practice, there are 5 key criteria to be evaluated, and the personal data breach is regarded as causing, or being likely to cause, “significant harm” if any one of the following criteria is satisfied.
A personal data breach is considered to cause, or be likely to cause, “significant harm” if there is a risk that the compromised personal data:
i) May result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
ii) May be misused for illegal purposes;
iii) Consists of sensitive personal data;
iv) Consists of personal data and other personal information which, when combined, could potentially enable identity fraud; or
v) Is of significant scale. A personal data breach is considered to be of “significant scale” if the number of affected data subjects exceeds one thousand (1,000).
In assessing whether a personal data breach causes, or is likely to cause, “significant harm”, it is important to appreciate that this is ultimately a legal assessment, as the outcome of this assessment will determine whether the mandatory personal data breach notification obligation to the Commissioner is triggered.
Therefore, especially where the internal findings are unclear or ambiguous as to whether the threshold of “significant harm” has been met, it is prudent to err on the side of caution and seek professional legal assistance. A misjudgement may expose the organisation to unnecessary regulatory scrutiny and potential enforcement action, carrying legal and reputational risks that may far outweigh any perceived short-term benefit of self-assessment.
If the assessment concludes that a personal data breach meets the criteria of “significant harm,” the mandatory obligation to notify the Commissioner is immediately triggered, and in such circumstances, the organisation is under a strict legal duty to notify the Commissioner as soon as practicable, and in any event no later than 72 hours from the occurrence of the personal data breach.
It is crucial to emphasise that this 72-hour period runs from the occurrence of the personal data breach itself, and not from the point at which the organisation later reaches the conclusion that the personal data breach causes, or is likely to cause, significant harm. This distinction, though subtle, carries profound compliance implications and underscores the need for swift internal escalation, prompt incident assessment, and timely notification once a personal data breach is suspected.
Part (iii): Identifying When the Mandatory Notification Obligation to Affected Data Subjects Is Triggered
It is important to appreciate that the company’s mandatory personal data breach notification obligation does not end with notifying the Commissioner. The next step is for the company to carefully assess whether the statutory obligation to notify the affected data subjects is triggered. If it is, the company must also notify the affected data subjects in accordance with the prescribed timelines and methods.
Similarly, the assessment of whether the mandatory personal data breach notification obligation to affected data subjects is triggered follows the “significant harm” test, where the company must consider whether the personal data breach causes, or is likely to cause, “significant harm” to the affected data subjects. Where this threshold is triggered, the company is required under the PDPA to notify the affected data subjects accordingly.
The legal assessment of “significant harm” requires the company to examine whether any of the following four criteria are satisfied. A personal data breach will be considered to cause, or be likely to cause, “significant harm” to affected data subjects if there is a risk that the compromised personal data:
i) May result in physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
ii) May be misused for illegal purposes;
iii) Consists of sensitive personal data; or
iv) Consists of personal data and other information which, when combined, could potentially enable identity fraud.
It is worth noting that the four criteria listed above for assessing whether a personal data breach causes, or is likely to cause, “significant harm” to affected data subjects are substantially similar to the criteria applied when determining whether a breach triggers the notification obligation to the Commissioner.
However, the key focus of the analysis differs. The legal assessment for notifying the Commissioner considers whether the personal data breach, taken as a whole, meets the threshold of “significant harm”. By contrast, the assessment for notifying affected data subjects specifically examines whether the breach is likely to cause “significant harm” to those individuals directly impacted.
Therefore, in the event of a personal data breach, the company should not simply rely on the outcome of the “significant harm” assessment conducted for the Commissioner. Regardless of that outcome, the company must independently conduct a separate and focused legal assessment of whether the “significant harm” threshold for notifying affected data subjects has also been triggered, so that it discharges its statutory notification obligations with clarity and precision.
If the company confirms that the significant harm criteria for notifying affected data subjects are triggered, it must then notify the affected data subjects without undue delay, and in any event no later than seven (7) days after the initial notification is made to the Commissioner, as referenced above.
For ease of reference, we set out below an illustrative timeline to demonstrate the statutory notification requirements, assuming both obligations are triggered, following an example where a personal data breach occurs on 1 January 2026 (with the precise time of occurrence disregarded for simplicity):
Illustrative Timeline – Personal Data Breach Notification to Commissioner and Affected Data Subjects
Scenario Assumption:
• Personal data breach occurs on 1 January 2026 (precise time disregarded for simplicity).
• Both “significant harm” tests for the Commissioner and for affected data subjects are triggered.
Step 1 – Initial Notification to Commissioner
• Requirement: Submit the Notification Form to the Commissioner, together with any available supplementary personal data breach information.
• Deadline: Within 72 hours of the occurrence of the personal data breach.
• Date (Illustration): 4 January 2026.
Step 2 – Notification to Affected Data Subjects
• Requirement: Notify affected data subjects without undue delay, and in any event within 7 days after the initial notification is made to the Commissioner.
• Deadline: Seven days from the initial notification date.
• Date (Illustration): 11 January 2026, calculated from the initial notification on 4 January 2026.
Conclusion
In conclusion, personal data breaches are undeniably on the rise, not only in Malaysia but globally. What makes this development particularly significant is that personal data breach notification is now a mandatory obligation under the PDPA, and failure to comply can attract both substantial financial penalties and imprisonment, as an infringement of the PDPA constitutes a quasi-criminal offence in Malaysia.
Given the seriousness of these notification obligations, it is imperative for organizations to treat personal data breach preparedness as a core aspect of their compliance framework. As a starting point, companies should at least implement a clear internal personal data breach protocol that outlines reporting lines, escalation procedures, and responsibilities across the organization. Additionally, conducting regular personal data breach simulations and training ensures that all employees, from executives to operational teams, are fully aware of their roles and can respond swiftly and effectively should an incident occur.
By taking these proactive steps, organizations not only safeguard themselves against regulatory exposure but also foster a culture of strong personal data awareness, accountability, and resilience across all levels of the organization.
The Technology Practice Group of Halim Hong & Quek continues to be recognised by leading legal directories and industry benchmarks. Recent accolades include FinTech Law Firm of the Year at the ALB Malaysia Law Awards (2024 and 2025), Law Firm of the Year for Technology, Media and Telecommunications by the In-House Community, FinTech Law Firm of the Year by the Asia Business Law Journal, a Band 2 ranking for FinTech by Chambers and Partners, and a Tier 3 ranking by Legal 500.
If you have any questions on personal data protection, please feel free to reach out to the partners at the Technology Practice Group, Ong Johnson and Lo Khai Yi, for consultation.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Fintech, Data Protection,
Technology, Media & Telecommunications (“TMT”),
IP and Competition Law
johnson.ong@hhq.com.my
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my