Why You Must Take the Personal Data Protection Act 2010 Seriously in 2025

We live in a world where information is power — and personal data is the new currency. From online shopping to medical check-ups, nearly every interaction involves sharing some form of personal information. But here’s the catch: the misuse or mishandling of that data can come at a hefty cost — both legally and reputationally.

The Personal Data Protection Act 2010 (PDPA, Act 709) was introduced to ensure that businesses handle personal information responsibly. Fast forward to June 2025: the Personal Data Protection (Amendment) Act 2024 is now fully in force, tightening the rules and sending a clear message that businesses can no longer afford to take data protection lightly.

Who Needs to Comply?

The law applies to anyone who processes or has control over personal data in a commercial transaction. That includes:

  • A café that collects phone numbers for loyalty programs.
  • A tuition centre that stores parents’ and students’ contact details.
  • A boutique that records customer addresses for delivery.
  • A law firm that keeps clients’ IC numbers, contracts, and financial records.

If you own a business and keep phone numbers, email addresses, payment details, or even delivery addresses, you are processing personal data — and that means the PDPA applies to you.

The 7 Golden Rules of Personal Data Protection
Section 5(1) of the PDPA 2010 sets out seven guiding principles for handling personal data:

  1. General Principle – Always obtain consent before processing personal data. No consent = no processing.
  2. Notice and Choice Principle – Be transparent. Tell customers why you need their data and how you will use it.
  3. Disclosure Principle – Data must only be used for the purpose you promised. No sharing with third parties without permission.
  4. Security Principle – Put proper safeguards in place. Data being processed must be kept secure and must not be modified, misused or disclosed to unauthorised parties.
  5. Retention Principle – Don’t hoard data. Keep it only as long as you need it, then dispose of it properly.
  6. Data Integrity Principle – Accuracy matters. Update and correct data to avoid misleading or outdated records.
  7. Access Principle – Give individuals the right to access their personal data and request corrections if it’s wrong.

Who Must Register as a Data Controller?
First of all, what is a Data Controller?
Under the PDPA, a Data Controller is any person who processes or has control over, or authorizes the processing of personal data.¹ In other words, if you decide why and how personal data should be collected and used, you are a Data Controller.

Certain industries are given special attention under the PDPA. If you’re in one of the 13 Classes of Data Users, you must register with the Personal Data Protection Commissioner.²

The list includes:

  • Communications (telcos, internet providers)
  • Banking & Financial Institutions
  • Insurance
  • Healthcare
  • Tourism & Hospitality
  • Transportation
  • Education
  • Direct Selling
  • Professional Services (lawyers, accountants, auditors, engineers, architects)
  • Real Estate
  • Utilities

If you fall into any of these categories and have not registered as a Data Controller, you are committing an offence. On conviction, a non-compliant Data Controller is liable to a fine not exceeding RM300,000.00, imprisonment for a term not exceeding two (2) years, or both.³

³ Section 5(2) of the Personal Data Protection Act 2010

Why Should Small Businesses Care?

“But my business is just small, surely PDPA doesn’t apply to me?”

That’s a common misconception. While you may not need to register as a Data Controller, you are still legally required to comply with the principles.

Customers today are more privacy-conscious than ever. A single mishandling of their information (a leaked phone number, a misused email address) can damage your credibility overnight. In a competitive market, trust is everything.

Practical Steps to Start Compliance Today

So, where do you begin? Compliance doesn’t have to be complicated. Start with these two simple but powerful steps:

1. Get Customer Consent

    • Create a straightforward consent form aligned with the 7 principles.
    • Clearly state the purpose of collecting data (e.g., marketing, billing, delivery).
    • Always give customers the choice to opt in or opt out.

2. Publish a Personal Data Protection Notice (PDP Notice)

    • If you have a website, social media page, or online store, display a clear PDP Notice tailored to your business.
    • Let customers know how their data will be collected, used, stored, and protected.
    • This not only ensures compliance but also boosts customer confidence.

Compliance Starts with You

In a digital age where data flows seamlessly across platforms, business owners must uphold integrity, accountability and trust. Protecting customers’ personal information and ensuring compliance with the Personal Data Protection Act 2010 should remain a top priority for everyone today. The businesses that take compliance seriously today will be the ones customers trust tomorrow. So, whether you’re a large corporation or a small café owner, remember this: compliance starts with you.

¹ Section 4 of the Personal Data Protection Act 2010; under Section 2 of the Personal Data Protection (Amendment) Act 2024, the words “data user” and “data users” are substituted by the words “data controller” and “data controllers”.
² Section 15 of the Personal Data Protection Act 2010, Personal Data Protection (Class of Data Users) Order 2013 and Personal Data Protection (Class of Data Users) (Amendment) Order 2016.

Need Help?
Should you have any questions or concerns in relation to consumer rights or contractual matters, please do not hesitate to contact us.

Email us at: admin@bcc.my
Call us at: 03-6416 0102

Written by Jessie Kwong

Disclaimer: This article is provided for general information purposes only and does not constitute legal advice. Specific legal advice should be sought based on your individual circumstances.