On 25 February 2025, the Personal Data Protection Commissioner of Malaysia adopted guidelines on personal data breach notification. This document outlines the requirements and procedures for notifying the Commissioner and affected data subjects in the event of a personal data breach, as mandated by the Personal Data Protection Act 2010 (Act 709). The guidelines emphasise the importance of recognising and reporting personal data breaches, which are defined as incidents that lead to unauthorised access, loss, misuse, or alteration of personal data. Entities are required to report breaches that may cause "significant harm" to affected individuals. Significant harm includes risks of physical injury, financial loss, identity theft, or misuse of sensitive personal data. Data controllers are obligated to notify the Commissioner within 72 hours of discovering a breach. The notification process involves submitting detailed information about the breach, including the type of data compromised, the number of affected individuals, and the measures taken to mitigate the breach. Affected individuals must also be notified directly and promptly to allow them to take protective actions.