Your Sdn Bhd Is Already in Scope for PDPA — Even If You Think You're Too Small
Your Sdn Bhd is in scope for Malaysia's Personal Data Protection Act right now. Yes, even if you have 50 customers. Yes, even if you've never processed a medical record in your life. Yes, even if you only heard about the 2024 amendment five seconds ago reading this sentence.
Most SME owners have a mental model of PDPA that goes something like this: it's a big-company thing, it applies to banks and hospitals, and as long as we don't sell our customer list we're fine. That model was wrong before 2024. After the Personal Data Protection (Amendment) Act 2024 (Act A1742) came fully into force, it is dangerously wrong — and enforcement is no longer theoretical.
The Personal Data Protection Commissioner published its first penalty list in March 2025. All transitional periods under Act A1742 expired in June 2025. As of April 2026, there are no grace periods left. Enforcement is live and escalating. The penalties have tripled. And the trigger that catches the most SMEs has nothing to do with how many customers you have.
Here is what you need to know.
What Changed: Act A1742 in Plain English
Malaysia's data protection law is the Personal Data Protection Act 2010 (Act 709). The framework has been in place for over a decade, but most of the enforcement teeth were blunt. The Personal Data Protection (Amendment) Act 2024 (Act A1742) sharpened them considerably.
Act A1742 was gazetted in October 2024 and came into force in phases through 2025. The DPO appointment and breach notification obligations commenced on 1 April 2025, and the final phase, which included data portability and the revised cross-border transfer rules, commenced on 1 June 2025. There are no remaining implementation phases. Every obligation is active.
The three headline changes that matter most to SMEs:
- Mandatory appointment of a Data Protection Officer (DPO) for companies that meet certain triggers
- Mandatory data breach notification to the Personal Data Protection Commissioner (PDPC)
- Sharply higher penalties — the maximum fine for breaching the Data Protection Principles went from RM300,000 to RM1,000,000, and imprisonment went from 2 years to 3 years
Let's go through each one.
The Three DPO Triggers — Any One Is Enough
Under s.12A PDPA (inserted by Act A1742), read with the PDPC's DPO Guideline, you must appoint a DPO if your organisation meets any one of three triggers. You do not need to meet all three.
Trigger 1: Processing personal data of 20,000 or more individuals
This is the number most SME owners focus on, and then immediately dismiss. "We only have 3,000 customers, we're fine."
Here's the calculation they miss: PDPA doesn't say "20,000 customers." It says 20,000 individuals whose personal data you process. Count your customers, yes — but also count your employees (and their family members if you administer medical benefits), vendors and suppliers, job applicants (every CV you have ever received), subscribers to your mailing list, former customers, and contacts in your CRM.
A five-year-old Sdn Bhd with 200 active customers but a mailing list built from trade expos, a few hundred past employees, 50 active vendors, and 3,000 historical job applicants might already be sitting at 5,000–8,000 individuals. Add website visitors tracked by Google Analytics — it adds up faster than you think.
Trigger 2: Processing sensitive personal data of 10,000 or more individuals
"Sensitive personal data" under PDPA covers health information, religious beliefs, political opinions, and data relating to the commission or alleged commission of an offence. For the purposes of this trigger, the DPO Guideline also counts financial information.
If you run payroll, you hold financial data on every employee. If you administer medical or hospitalisation benefits, you hold health data. A company with 200 staff plus their dependents can reach 600–800 individuals with sensitive data without trying. That is still well short of 10,000, but if your business touches healthcare, education, finance, or insurance even tangentially (patient records, student health declarations, loan applications, claims data), the count climbs quickly, and the 10,000 threshold is more relevant than you might expect.
Trigger 3: Systematic monitoring — no headcount floor whatsoever
This is the one that catches almost everyone, and it has no size threshold at all.
"Systematic monitoring" under the PDPC DPO Guidelines covers:
- CCTV surveillance at your office, warehouse, or retail outlet
- Online tracking via website cookies, Google Analytics, Meta Pixel, or any similar tool
- Behavioural profiling — remarketing lists, email open tracking, click heatmaps
Do you have a camera in your office reception? Systematic monitoring. Do you have Google Analytics on your website? Systematic monitoring. Do you run Facebook retargeting ads? Systematic monitoring.
This trigger doesn't care whether you have 50 customers or 50,000. A two-person Sdn Bhd with a website and a CCTV camera at the front door is in scope.
Pause here for a second. If there is a camera in your office, or an analytics tag on your website, you have just confirmed your own trigger.
What "Appointing a DPO" Actually Means
A lot of SME owners hear "DPO" and picture a full-time hire with a data protection law degree. That is not required.
The PDPC Guidelines explicitly permit outsourced and shared DPO arrangements. You can appoint an individual from your existing team, or you can engage an external party — a consultancy, your company secretary firm, or a specialist — to fill the role on a shared-service basis. For most SMEs, an outsourced DPO arrangement is the cost-realistic path. It is compliant, it is explicitly sanctioned by the regulator, and it does not require a full-time salary.
What the role requires functionally: someone who can map your data flows, advise on compliance, handle subject access requests, and run your breach response procedure. It is a governance role, not a full-time operational one, for most SMEs.
The part most companies get wrong even after they make the appointment: under the PDPC's DPO Guideline you must register the DPO's business contact details with the Personal Data Protection Commissioner within 21 days of appointment. Internal designation alone is not sufficient. The clock starts running the day you formally appoint the person, and failure to register within 21 days is a separate compliance failure from the appointment itself.
Mandatory Data Breach Notification: s.12B
s.12B PDPA (inserted by Act A1742) creates a mandatory obligation to notify the Commissioner when a personal data breach occurs. The trigger that most companies misread is this:
Notification is required upon reasonable belief that a breach has occurred — not upon confirmed, forensically-verified certainty.
This matters enormously in practice. If your server logs show anomalous data access at 3am, or an employee reports a phishing email in which credentials were entered, or a laptop with customer data goes missing — any of these is likely to constitute "reasonable belief" of a breach, and the notification obligation starts from that moment.
The notification must be made "as soon as practicable" after reasonable belief arises, and the PDPC's Data Breach Notification Guideline fixes that at no later than 72 hours. Companies that wait for their IT team to complete a forensic investigation before notifying are very likely already in default of s.12B by the time they report. The obligation is triggered by belief, not certainty; if the facts are still incomplete at 72 hours, notify with what you have and supplement later.
What notification requires: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address it. Where the breach causes or is likely to cause significant harm to the individuals concerned, s.12B also requires you to notify those individuals without unnecessary delay. You cannot provide most of this information promptly without a documented breach response procedure standing ready before an incident occurs.
Penalty Maths Under Act A1742
Let's be concrete about what non-compliance costs.
Before Act A1742, the maximum fine for breaching the Data Protection Principles was RM300,000. After Act A1742, it is RM1,000,000, with imprisonment of up to 3 years (up from 2).
Failure to notify a breach under s.12B is a separate offence; it does not fold into the Data Protection Principles breach. A company that suffers a breach and fails to notify in time can face:
- Penalty for the underlying Data Protection Principles breach (up to RM1m)
- Penalty for failure to notify (separate offence, separate fine)
- Reputational exposure once breach notifications eventually reach affected individuals
For a small Sdn Bhd, a RM500,000 fine — well below the maximum — would be existential. The Personal Data Protection Commissioner has begun publishing penalty decisions. This is no longer a theoretical risk.
5-Step Self-Check for SME Owners
Run through these five steps today. This is not a formal legal audit — it is a first-pass check that will tell you whether you are exposed.
Step 1: Map your personal data flows. Write down every category of individuals whose data you hold: customers, employees, vendors, job applicants, website visitors, CCTV subjects. Get rough count estimates. Don't forget the data you're not actively using — archived email lists, old CVs on a shared drive, employee records from five years ago.
Step 2: Check your triggers. Do you hold data on 20,000-plus individuals in total? Do you hold sensitive data on 10,000-plus? Or — do you have a CCTV camera, a website with any tracking tool, or any behavioural targeting in place? If yes to any one of these, you are in scope and need a DPO.
Step 3: Decide — internal designee or outsourced DPO. For most SMEs, outsourced is the practical answer. The regulator explicitly permits it. Identify the arrangement, document the appointment formally with a clear date, and retain that documentation.
Step 4: Register with the Commissioner within 21 days. The appointment itself does not complete compliance. Registration of the DPO's business contact details with PDPC is mandatory under the DPO Guideline. Set a hard calendar reminder the day you appoint; the 21-day window does not bend.
Step 5: Stand up a breach response procedure. The procedure needs to define: what constitutes reasonable belief of a breach in your context, who is notified internally, who contacts the Commissioner, what information is gathered, when affected individuals are told, and the timeline against the 72-hour window in the Data Breach Notification Guideline. This procedure needs to exist before a breach occurs, because "as soon as practicable" does not allow time to build one from scratch in the middle of an incident.
Five Mistakes That Will Cost You
These are the five gaps that come up most often among SMEs that have not yet addressed PDPA:
1. "We're too small — the 20,000 threshold doesn't apply to us."
The systematic monitoring trigger has no headcount floor. Size is irrelevant once you have CCTV or website analytics. This assumption is the single most common and most expensive gap.
2. "We'll wait until we're sure there's been a breach before notifying."
The legal trigger is reasonable belief, not confirmed certainty. Waiting for forensic confirmation means you are already in default of s.12B from the moment reasonable belief arose, and the 72-hour window in the Data Breach Notification Guideline is running. The obligation fires before the investigation concludes.
3. "We appointed a DPO internally — we're done."
Appointment without PDPC registration within 21 days is non-compliance. The Commissioner needs to know who the DPO is and how to reach them. Internal designation alone, without the registration step, does not satisfy the DPO Guideline.
4. "PDPA doesn't apply to SMEs — it's for big corporates."
Act A1742 was specifically designed to extend practical reach to SMEs that previously operated under small-business assumptions. The systematic monitoring trigger exists precisely to catch companies that believed they were exempt due to their size.
5. "We can't afford a DPO."
You can outsource the role. The PDPC Guidelines explicitly permit it. An outsourced DPO arrangement through a cosec firm or compliance specialist is a real, legal, and cost-proportionate solution. The cost of a shared-DPO arrangement is a fraction of the cost of a single enforcement action.
What to Do Next
The five-step self-check above will tell you whether you are in scope. If you are — and if you haven't yet appointed and registered a DPO, or if you don't have a breach response procedure in place — the clock is running today. Not from when you get around to it. Today.
Muchen can run the initial trigger assessment with you, help scope the DPO role, handle registration with the Commissioner, and document a breach response procedure that is proportionate to your business size. If you want to move this from the "I'll get to it" pile to the "handled" pile, book a 15-minute call and we'll tell you exactly where you stand.
Always verify the specifics with your engaged legal counsel before acting — this article is general information, not legal advice.
References: Personal Data Protection Act 2010 (Act 709); Personal Data Protection (Amendment) Act 2024 (Act A1742); PDPC Malaysia (pdp.gov.my); Federal Gazette (federalgazette.agc.gov.my). Enforcement commencement and penalty details cross-referenced with ASEAN Briefing (June 2025), Baker McKenzie implementation summary, and Mayer Brown cross-border transfer guidelines.
Need a real-world hand?
Our MAICSA-credentialled team replies within one business day — WhatsApp is fastest.