The Malaysia Personal Data Protection Act applies to all companies operating in Malaysia, as well as persons not established in Malaysia, if they use equipment in Malaysia for the processing of personal data otherwise than for the purposes of transit through Malaysia.

Malaysia is planning to amend its data protection laws to introduce a data breach notification regime and a wide expansion of the rights of data subjects. Once the amendments are in effect, companies will be required to, among other things, 1) provide detailed summaries of data breaches to the Malaysian Personal Data Protection Commissioner (the Commissioner), including the type and amount of personal data compromised; 2) implement containment and control measures and outline in detail the measures taken to minimize the impact of the breach; 3) notify the Commissioner within 72 hours of becoming aware of a breach, providing details on the method by which the company is notifying the affected data subjects and the advice it is giving to those subjects; and 4) institute data protection training programs and provide details to the Commissioner about the content of those programs, including whether company employees received training in the last 24 months.

The Communications and Multimedia Minister has stressed the need for a refresh of the legislation, in a process that should take the EU’s General Data Protection Regulation (GDPR) into consideration. The proposed amendments could mean wide-scale alterations to business practices and the need to adopt practices similar to those required by the GDPR.