ObieOnline

Field notes · 11 min read

PDPA for Small Businesses in Malaysia: A Non-Lawyer's Guide

Malaysia's Personal Data Protection Act 2010 (PDPA) applies to most KL small businesses, but the language of the Act is legal-flavoured and intimidating. This post translates it into what actually matters for a small business owner. Plain English, no fluff, no legal advice — but enough that you'll know what's worth doing this week.

Published · by Obie

Not legal advice. This is a practical plain-language summary written by an IT consultant, not a lawyer. If your business handles especially sensitive data (healthcare, finance, large customer databases) or you've received a regulatory notice, consult a Malaysian lawyer who practises in data protection, or a qualified data protection officer. Everything below is the kind of guidance we give clients in our free IT Health Check, not a legal opinion.

What is PDPA?

The Personal Data Protection Act 2010 ("PDPA") is Malaysia's federal privacy law for commercial activities. It governs how businesses collect, use, store, share, and dispose of personal data. It came into force in November 2013 and was significantly updated by the PDPA (Amendment) Act 2024, which Parliament passed in July 2024.

Personal data, in PDPA's language, is any information about a living individual that can be used to identify them — name, IC number, phone number, email, address, photograph, customer purchase history, IP address in many contexts. Not corporate data ("ABC Sdn Bhd's revenue was X") but data about people.

Does PDPA apply to my small business?

Almost certainly yes. PDPA applies to any business that processes personal data for commercial purposes in Malaysia — which covers basically every business with a customer list, a CRM, an e-commerce site, an HR file, or an employee email directory.

Some sectors have an additional registration requirement: the Personal Data Protection (Class of Data Users) Order lists classes such as communications, banking and financial institutions, insurance, health, tourism and hospitality, transport, education, direct selling, real estate, utilities and certain service businesses, and businesses in those classes must register with the Commissioner. Most small businesses outside those sectors are still fully covered by PDPA; they just don't have to formally register as a "data user."

The practical answer: if you have customer phone numbers stored anywhere, PDPA applies to you.

The 7 PDPA principles in plain English

The Act spells out seven obligations. In small-business translation:

1. General principle: don't collect or use personal data without consent

If a customer gives you their phone number to send a quote, you can use it to send the quote. You cannot suddenly add them to your monthly mailing list a year later without their explicit OK. Consent has to be for a specific purpose; reusing data for a new purpose needs new consent.

2. Notice and choice: tell people what you're collecting and why

When you collect personal data, you have to make clear (in writing, in plain language) what you're collecting, why, and how the person can withdraw their consent later. This is what a privacy policy on your website is for. Most small businesses get this wrong by either having no privacy policy at all, or by having one copy-pasted from a generic template that doesn't describe what their business actually does.

3. Disclosure: don't share data without permission

You can't share customer data with third parties — a marketing agency, an analytics vendor, a delivery company — unless either (a) you've told the customer and they agreed, or (b) it's required to fulfil the purpose (e.g. the delivery company needs the address to deliver).

4. Security: protect it

Reasonable technical and organisational measures to prevent unauthorised access. Locked filing cabinet for paper, password-protected systems for digital, encryption for sensitive data, access controls so only people who need to see customer data can.

5. Retention: don't keep it forever

Personal data should be kept only as long as necessary for the purpose it was collected. After that, destroy or anonymise. There's no universal time period — it depends on your business and legal obligations (Income Tax Act requires 7-year retention for tax records, for example).

6. Data integrity: keep it accurate

Reasonable steps to ensure personal data is accurate, complete, not misleading, and up-to-date for the purpose. If a customer tells you their phone number changed, update it.

7. Access: people can ask to see + correct their data

Any individual whose data you hold can write to you asking what data you have on them. You have to respond within 21 days. They can also ask you to correct errors. The 2024 amendment also gave individuals a formal right to "data portability" (asking you to send their data to another business).

What the 2024 amendment changed

Worth knowing because the rules tightened. The 2024 amendments were brought into force in phases during 2025 (the breach-notification, data protection officer and data portability provisions being in the final phase, from June 2025), with transition periods for some requirements. They added or clarified:

  • Mandatory data breach notification — if there's a security breach involving personal data, you must notify the Personal Data Protection Commissioner AND, where the breach causes or is likely to cause significant harm, the affected individuals. The Commissioner's guideline sets the clock at 72 hours from becoming aware of the breach for the Commissioner, and seven days after that for individuals. This is new — previously there was no mandatory notification.
  • Mandatory data protection officer (DPO) appointment for businesses whose processing exceeds thresholds set out in the Commissioner's guidelines rather than in the Act itself (volume of individuals, sensitive data, regular monitoring). Small businesses generally fall well below those thresholds and do not need a formal DPO, but check the current guideline rather than assuming.
  • Data portability — formalised the right for individuals to request that you transfer their data to another business (e.g. switching gym memberships, switching banks).
  • Higher fines — maximum fines for serious offences increased significantly (up to RM 1,000,000 per offence in some cases).
  • Direct accountability for "data processors" — previously only "data users" were liable (the amendment also renames "data user" to "data controller", the term you'll see in newer guidance). Outsourced IT, cloud providers, payroll vendors and SaaS tools that process personal data on your behalf now also have direct PDPA security obligations. Your contracts with them should say so.

For most small businesses, the practically important change is mandatory breach notification + higher penalties. Both signal that PDPA enforcement is being taken more seriously than it was historically.

What most KL SMBs already do right

Good news: most small businesses we work with are already compliant with the spirit of PDPA without knowing it. Specifically:

  • Storing customer data in reasonable systems (not stickied on the office whiteboard)
  • Not sharing customer phone numbers with random third parties
  • Reasonable passwords on customer-data systems
  • Cleaning out old paper files periodically
  • Honouring customer requests to delete their data when asked

If you do those things, you're 70-80% PDPA-compliant already. The remaining gap is mostly documentation — you do the right things, you just don't have written policies stating you do them.

What most KL SMBs still need to fix

The five things we most commonly flag in IT Health Checks for SMBs concerned about PDPA:

1. A real privacy policy on your website

Not a template that says "we value your privacy and protect your data." A real one that lists: what data you collect, why, where it's stored, how long, who else sees it, how to ask for a copy or deletion. Should be linked from the footer of every page. If you collect data via web forms, the form should link to the policy too.

2. Consent language on web forms

Every contact form, quote-request form, newsletter signup needs a short consent line near the submit button. Common version: "By submitting, you agree we may contact you about your enquiry and store your details for [X months]. See our privacy policy." Untick by default; let the user tick.
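What the consent line has to produce on the server side is evidence: who agreed to which purpose, under which version of your privacy policy, and when. The following is an added example, not code from this post or from ObieChat, showing one way to capture that from a submitted form and then enforce the "new purpose needs new consent" rule from principle 1. It assumes a form with an `email` field, a mandatory `consent` checkbox and an optional, unticked-by-default `newsletter` checkbox; the field names and the purpose mapping are invented for the example.

```python
"""Capture form consent as a record and enforce purpose limitation.

Added example, not the page's or ObieChat's code. Field names, purposes
and the checkbox mapping below are assumptions made for the example.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Which checkbox on the form grants which purpose. The "consent" box is the
# mandatory line near the submit button; "newsletter" is a separate opt-in.
PURPOSE_CHECKBOXES = {
    "enquiry": "consent",
    "marketing": "newsletter",
}


@dataclass(frozen=True)
class ConsentRecord:
    """What you can later show a customer or the Commissioner."""
    contact: str
    purposes: frozenset        # purposes the person actually agreed to
    policy_version: str        # privacy policy version shown at the time
    captured_at: str           # ISO-8601 UTC timestamp
    source: str                # which form, e.g. "quote-form"


def capture_consent(form, *, policy_version, source, now=None):
    """Turn a submitted form (dict of field -> string) into a ConsentRecord.

    A browser omits an unticked checkbox entirely and sends "on" for a ticked
    one with no value attribute, so anything other than "on" means no consent
    and the submission must not be stored at all.
    """
    now = now or datetime.now(timezone.utc)
    if form.get("consent") != "on":
        raise ValueError("consent not given; do not store this submission")
    granted = frozenset(
        purpose for purpose, box in PURPOSE_CHECKBOXES.items()
        if form.get(box) == "on"
    )
    return ConsentRecord(
        contact=form["email"].strip().lower(),
        purposes=granted,
        policy_version=policy_version,
        captured_at=now.isoformat(),
        source=source,
    )


def may_use(record, purpose):
    """Principle 1 check: only use data for a purpose that was consented to."""
    return purpose in record.purposes


def withdraw(record, purpose):
    """Principle 2: the person can withdraw consent for a purpose later."""
    return replace(record, purposes=record.purposes - {purpose})


if __name__ == "__main__":
    rec = capture_consent({"email": "Ali@Example.com", "consent": "on"},
                          policy_version="2025-06", source="quote-form")
    print(rec)
    print("may email about enquiry:", may_use(rec, "enquiry"))
    print("may add to mailing list:", may_use(rec, "marketing"))
```

The point of keeping `purposes` as a set on the record, rather than a single "consented: yes" flag, is that the mailing-list question a year later becomes a lookup instead of a judgement call.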

3. Two-factor authentication on systems holding customer data

Your email, your CRM, your accounting software — any cloud system with customer data — should have 2FA on for every user, including the owner's account and any shared or "admin" logins. This is the single biggest "reasonable security measures" item under principle 4. Free, 15-minute setup, dramatic risk reduction. Prefer an authenticator app or a hardware key over SMS codes where the service offers them, since SMS can be intercepted through SIM swaps. Most SMB owners haven't done this.

4. Backup separated from production

If your customer database lives on one server and the only backup is on the same server (or on a sync to Google Drive that mirrors deletions), you're not really backed up. PDPA's "reasonable security measures" implicitly requires you to be able to recover personal data after an incident. A separate, snapshot-able, ideally off-site backup is the practical answer. (We covered this in detail in our IT mistakes post.)

5. A documented breach response (even a simple one)

Post-2024 amendment, you have to notify the Commissioner + affected individuals when there's a breach. You don't need a 50-page incident response plan — but you should know in advance: who calls the Commissioner, what you say to affected customers, which lawyer you'd call. A half-page document that answers those three questions is fine.

Cookies + website tracking

PDPA doesn't have a "cookie banner" requirement the way GDPR does. But if you use Google Analytics, Meta Pixel, or other third-party tracking that captures IP addresses (which are personal data in some contexts), the safe practice is:

  • Add a short notice about cookies + tracking in your privacy policy
  • Where the tracking captures sensitive data (e-commerce purchase history, healthcare info), add an explicit opt-in
  • For purely-analytical tracking with anonymised IPs, a privacy-policy mention is usually sufficient

Tools like Plausible or Simple Analytics are privacy-friendly analytics that don't use cookies at all — worth considering if you don't want to think about this.
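"Anonymised IPs" has a concrete meaning: truncate the address before it is stored or forwarded, so that it identifies a network rather than a household. The block below is an added example, not code from this post or from any analytics vendor, implementing the common convention of keeping the first 24 bits of an IPv4 address and the first 48 bits of an IPv6 address, and applying it to a constructed access-log line. Whether those prefix lengths are short enough for your analytics is an assumption you should check against what you actually need.

```python
"""Truncate client IP addresses before they reach analytics or long-term logs.

Added example, not the page's or any vendor's code. The /24 and /48 prefix
lengths are a common convention, assumed acceptable for this illustration.
"""
import ipaddress

IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymise_ip(addr: str) -> str:
    """Return the address with its host bits zeroed.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so they
    are truncated like the IPv4 address they actually carry.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def scrub_access_log(lines):
    """Replace the leading client IP in each Apache/nginx-style log line.

    Lines whose first field is not an IP address are passed through unchanged
    rather than dropped, so nothing silently disappears from the log.
    """
    scrubbed = []
    for line in lines:
        parts = line.split(" ", 1)
        try:
            parts[0] = anonymise_ip(parts[0])
        except ValueError:
            pass  # not an IP in the first field; leave the line alone
        scrubbed.append(" ".join(parts))
    return scrubbed


# Constructed sample lines (documentation addresses, not real visitors).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2025:13:55:36 +0800] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::1 - - [10/Oct/2025:13:56:01 +0800] "GET /pricing HTTP/1.1" 200 2048',
    '::ffff:203.0.113.9 - - [10/Oct/2025:13:57:12 +0800] "POST /contact HTTP/1.1" 302 0',
    '- - - [10/Oct/2025:13:58:00 +0800] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for line in scrub_access_log(SAMPLE_LOG):
        print(line)
```

Run it once over a day of real logs and diff the output against the input: the only change should be the first field, which is an easy way to confirm the scrubber is not touching request paths that might themselves contain personal data (a separate problem the truncation does not solve).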

Chatbots and PDPA

If you have a chatbot on your website that captures leads (phone, email, enquiry), PDPA applies the same way it does to any contact form. Three things to check:

  • Consent at the point of capture. The chatbot should display a short consent line before or as data is captured. (For ObieChat — our own platform — this is built in: every chat widget shows a PDPA-style consent footer in the visitor's language.)
  • Reasonable retention. Lead data should be deleted or anonymised when no longer useful. (ObieChat retains lead transcripts for 365 days by default; configurable.)
  • Tenant isolation. If you're using a SaaS chatbot, your customer data should be isolated from other businesses on the same platform. (Worth asking the vendor explicitly. ObieChat enforces tenant isolation at the Postgres Row-Level Security layer — not as common as you'd think.)
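Retention (principle 5, and the second bullet above) and deletion requests (checklist item 8 further down) are the two things most businesses have no mechanism for, only good intentions. The block below is an added example, not ObieChat's implementation or any code from this post, showing a small lead store with a scheduled anonymisation job and a per-tenant erasure function. It assumes the 365-day default mentioned above, an invented `leads` table, and a `legal_hold` flag for records you are obliged to keep (a dispute, a tax record); it runs against an in-memory SQLite database seeded with constructed rows.

```python
"""Retention purge and customer-erasure for a lead store.

Added example, not the page's or ObieChat's code. The schema, the sample rows
and the 365-day window are assumptions made for the illustration.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # assumed default retention for lead transcripts

SCHEMA = """
CREATE TABLE leads (
  id            INTEGER PRIMARY KEY,
  tenant_id     TEXT NOT NULL,      -- which business the lead belongs to
  email         TEXT,
  phone         TEXT,
  transcript    TEXT,
  captured_at   TEXT NOT NULL,      -- ISO-8601 UTC; sorts lexically
  legal_hold    INTEGER NOT NULL DEFAULT 0,
  anonymised_at TEXT                -- set once personal fields are cleared
);
"""


def open_demo_db(now):
    """In-memory database seeded with constructed rows of varying age."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    age = lambda days: (now - timedelta(days=days)).isoformat()
    rows = [
        ("acme", "ali@example.com",  "+60123456789", "asked about pricing",      age(400), 0),
        ("acme", "siti@example.com", "+60198765432", "wants a quote",            age(30),  0),
        ("acme", "lim@example.com",  None,           "complaint, under dispute", age(500), 1),
        ("beta", "raj@example.com",  "+60112223333", "demo request",             age(366), 0),
    ]
    con.executemany(
        "INSERT INTO leads (tenant_id, email, phone, transcript, captured_at, legal_hold)"
        " VALUES (?, ?, ?, ?, ?, ?)", rows)
    con.commit()
    return con


def anonymise_expired(con, now, retention_days=RETENTION_DAYS):
    """Scheduled job: clear personal fields on leads older than the window.

    Rows under legal hold are skipped, and rows already anonymised are left
    alone, so the job is safe to run every night. Returns rows changed.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = con.execute(
        "UPDATE leads SET email = NULL, phone = NULL, transcript = NULL, anonymised_at = ?"
        " WHERE captured_at < ? AND legal_hold = 0 AND anonymised_at IS NULL",
        (now.isoformat(), cutoff))
    con.commit()
    return cur.rowcount


def erase_contact(con, tenant_id, email):
    """'Delete all my data' request: remove a person's leads for one tenant.

    Scoping by tenant_id means one business cannot erase (or even count)
    another business's leads by guessing an email address.
    """
    cur = con.execute(
        "DELETE FROM leads WHERE tenant_id = ? AND lower(email) = lower(?)"
        " AND legal_hold = 0", (tenant_id, email))
    con.commit()
    return cur.rowcount


def rows_with_personal_data(con):
    """How many rows still carry contact details (what a breach would expose)."""
    return con.execute("SELECT count(*) FROM leads WHERE email IS NOT NULL").fetchone()[0]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    con = open_demo_db(now)
    print("before purge:", rows_with_personal_data(con))
    print("anonymised:", anonymise_expired(con, now))
    print("after purge:", rows_with_personal_data(con))
```

Anonymising rather than deleting keeps your counts and reporting intact while removing what PDPA cares about; the `anonymised_at` stamp is also the answer to "when was the last time you deleted old data" on the checklist.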

What the actual penalties look like

The 2024 amendments raised maximums significantly:

  • Failure to comply with PDPA principles: up to RM 1,000,000 fine + imprisonment up to 3 years
  • Failure to notify a data breach: up to RM 250,000
  • Selling personal data without consent: RM 200,000 fine + 2 years imprisonment

In practice, the Commissioner has historically focused enforcement on large data users (telecoms, banks, e-commerce platforms). For small businesses, the realistic risk is not a six-figure fine — it's a complaint from an unhappy customer triggering an investigation that costs you 20-40 hours of stress and lawyer fees even if you're ultimately compliant. That alone is a good reason to get the documentation right.

SMB PDPA Checklist (30-minute self-audit)

  1. Is there a privacy policy on your website? Is it actually about your business, not a copy-pasted template?
  2. Do your web forms have a consent line near the submit button, linking to that policy?
  3. Is 2FA enabled on email + the cloud services holding customer data?
  4. Do you have backups that you could recover from if a system was compromised?
  5. Do you know who you'd call if a breach happened tomorrow morning?
  6. Are customer phone/email lists actually held in a system that has access controls — or are they in a shared Excel file that 12 ex-employees still have copies of?
  7. When was the last time you deleted old data you don't need anymore?
  8. If a customer wrote to you tomorrow saying "delete all my data," do you know how you'd do that, and how long it would take?

Score yourself out of 8. Under 4: you have meaningful gaps worth fixing this month. 4-6: typical for KL SMBs, prioritise the highest-risk gaps. 7-8: you're in very good shape.

How we help KL businesses with PDPA fundamentals

Our Managed IT Support service includes the technical PDPA fundamentals — 2FA setup, backup separation, access control, basic encryption, password hygiene — as part of the standard ongoing work. We don't do legal documentation (we're an IT firm, not a law firm), but we can point you at the right local lawyer for that side and give you a checklist of what to ask them.

Our free IT Health Check includes a PDPA touch-point review — flagging the biggest "this would fail an audit" items in your current setup. No legal opinion, just "this thing here would worry me if I were the Commissioner."

Bottom line

Most KL small businesses are 70-80% PDPA-compliant already and don't realise it. The remaining gap is mostly: writing things down, adding consent language to forms, enabling 2FA, and being able to recover from a backup. None of these are expensive. None require lawyers. All are worth doing this month.



About the author: Obie has 17 years across telco (where PDPA compliance was bread-and-butter) and software development. ObieOnline includes basic PDPA-fundamentals support in its Managed IT plans for KL & Selangor small businesses. More about Obie →

Disclaimer: This article is general guidance, not legal advice. PDPA is interpreted by the Personal Data Protection Commissioner and Malaysian courts; specific advice requires a Malaysian-licensed lawyer. Consult one for your specific situation.