PDPA Data Breach Notification Malaysia: What You Must Do Within 72 Hours

What Is a Data Breach Under the PDPA?
Data breach notification became mandatory in Malaysia under the 2024 amendments to the Personal Data Protection Act 2010 (PDPA), fundamentally changing how Malaysian organisations must respond to data incidents. Under the amended PDPA, a data breach is an incident in which personal data is accessed, disclosed, or processed without authorisation, or is lost or damaged in a way that compromises the confidentiality, integrity, or availability of that data. This covers unauthorised access by external attackers, insider misuse, accidental disclosures (for example, an email sent to the wrong recipient), and the loss or theft of unencrypted devices or media.
Before the amendments, notification was voluntary. The 2024 amendments make it a statutory obligation that every Malaysian data controller must understand and implement now.
The Mandatory Breach Notification Requirements
If your organisation experiences a data breach involving personal data of Malaysian residents, you must comply with these mandatory notification obligations:
1. Notify the Personal Data Protection Commissioner (PDPC)
You must notify the PDPC without undue delay following discovery of a data breach that poses a risk to data subjects. The risk threshold is key — not every data breach requires PDPC notification, only those that create a meaningful risk of harm. The PDPC is expected to issue further guidance on what constitutes a “risk to data subjects.”
Notification method: Submit a breach notification to the PDPC via the official notification portal or form available on pdp.gov.my.
Required information in PDPC notification:
- Name of your organisation and contact details
- Description of the personal data breached (type, category, volume)
- Number of individuals affected
- Date and nature of the breach
- Breach discovery date
- Measures taken to mitigate harm (e.g., password resets, account freezes)
- Contact details for affected individuals to reach you with inquiries
2. Notify Affected Individuals
If the breach poses a risk to affected individuals, you must notify them directly without undue delay. This applies to every individual whose personal data was accessed or disclosed without authorisation.
Notification method: Preferably by direct communication with each individual (email, SMS, phone call, or letter). If direct contact is not possible, for instance because contact details were themselves lost in the breach, publish a public announcement as a minimum.
Required information in individual notification:
- Nature of the breach (what type of data was accessed)
- Likely consequences for the individual (identity theft risk, financial fraud, etc.)
- Measures your organisation has taken to mitigate harm
- Recommended steps the individual should take (change passwords, monitor credit, etc.)
- Your contact details for questions
PDPA Breach Notification Timeline
The PDPA uses the phrase "without undue delay". While a specific statutory deadline has not been fixed in the PDPC guidance, Malaysian data controllers should plan around the following targets, measured from the moment the breach is discovered:
- Within 24–48 hours: Internal incident response activation, containment, and an initial PDPC notification with whatever facts are confirmed at that point (preferred timeline)
- Within 72 hours at the latest: PDPC notification. This matches the 72-hour window the GDPR sets for notifying the supervisory authority, and is the benchmark a regulator will most likely measure "undue delay" against
- As soon as the risk to individuals is confirmed: Notification to affected individuals. Under the GDPR, individuals are also notified "without undue delay" rather than on a fixed clock
Regulated financial institutions have separate incident-reporting obligations to Bank Negara Malaysia (BNM) under its Risk Management in Technology (RMiT) policy, which run in parallel and are typically much shorter than 72 hours.
Do not hold back the notification to complete a full investigation. Notify the PDPC and, where the risk threshold is met, the affected individuals as soon as you have a reasonable belief that a qualifying breach has occurred, and submit follow-up updates as the investigation refines the scope, the number of individuals affected, and the root cause.
Penalties for Failure to Notify
Under the 2024 PDPA amendments, failure to notify the PDPC or affected individuals in a data breach carries severe penalties:
- Fine up to RM 500,000 per offence for failure to notify
- Imprisonment up to 3 years for responsible officers
- Ongoing daily penalties: If the breach persists without notification, additional fines may be imposed for each day of non-compliance
Additionally, the PDPC has published enforcement cases showing that organisations failing to notify face public reputational damage, customer loss, and regulatory investigation.
Preparation: Developing a Breach Response Plan
To ensure your organisation can meet the “without undue delay” requirement, develop and test a formal data breach response plan that includes:
- Incident Detection: Deploy monitoring and alerting systems (SIEM, DLP, EDR) to detect breaches immediately.
- Incident Containment: Isolate affected systems to stop ongoing data loss.
- Impact Assessment: Determine the scope of the breach — what data was accessed, how many individuals, what is the risk level?
- PDPC Notification: Draft and submit breach notification to PDPC.
- Individual Notification: Prepare and send notifications to all affected individuals.
- Forensics and Investigation: Conduct a root cause analysis to prevent recurrence.
- Regulatory Engagement: Respond to any PDPC inquiries or investigations.
- Continuous Monitoring: Monitor for secondary breaches or follow-on attacks.
Cyber Insurance and Breach Notification
If your organisation has cyber insurance, notify your insurer immediately upon breach discovery. Many cyber policies cover breach notification costs, regulatory fines, and forensic investigation — but only if notification occurs promptly and within policy timelines.
Real-World Example: PDPC Enforcement Cases
The PDPC has taken enforcement action against Malaysian organisations for data breaches, including fines for delayed notification. One case involved a financial services provider that failed to notify customers of a breach within a reasonable timeframe — resulting in a significant fine and reputational damage.
Other bodies that may be involved in breach response in Malaysia, alongside the PDPC: NACSA (National Cyber Security Agency Malaysia) coordinates national-level cybersecurity incident response, while MyCERT (Malaysia Computer Emergency Response Team, operated by CyberSecurity Malaysia) handles technical incident reporting and coordination. Reporting to either of them does not replace the PDPC notification.
Don’t let your organisation become a cautionary tale. Deploy a Managed SOC to detect breaches in real-time. Contact us today to build your breach response capability.
Related Reading
What Are the Consequences of Failing to Report a Data Breach Under PDPA Malaysia?
The 2024 amendments to Malaysia's Personal Data Protection Act (PDPA) 2010 introduced mandatory breach notification obligations, although the Act itself uses "without undue delay" rather than a fixed timeline such as GDPR's 72-hour rule for notifying the authority. Organisations that fail to notify affected individuals or the Personal Data Protection Commissioner may face fines of up to RM500,000 and/or imprisonment. Beyond legal penalties, reputational damage, customer attrition, and regulatory scrutiny from Bank Negara Malaysia (BNM) or the Securities Commission can be severe for regulated entities.
How Should Malaysian Organisations Prepare a PDPA-Compliant Data Breach Response Plan?
Preparation is key. Malaysian organisations should: establish a Data Protection Officer (DPO) or breach response team, document a clear incident response playbook covering detection, containment, and notification steps, conduct annual tabletop exercises simulating breach scenarios, and maintain records of all processing activities under PDPA’s accountability principle. Simply Data IR Retainer service provides Malaysian businesses with on-demand breach response support, ensuring PDPA-compliant notifications are filed accurately and within required timeframes.