Navigating privacy compliance: the Gulf and beyond
December 2025 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
This article explores the recent data privacy regulatory developments in Malaysia, highlighting some of the differences between the requirements under the Malaysian Personal Data Protection Act 2010 (MY PDPA) and the requirements in the Gulf Cooperation Council (GCC) and Europe.
MY PDPA – an amended overview
On 31 July 2024, the Malaysian parliament passed the Personal Data Protection (Amendment) Bill 2024, introducing a series of reforms to the MY PDPA. The amendments were brought into force in phases, with all of them in legal effect by 1 June 2025.
The MY PDPA remains Malaysia’s fundamental personal data legislative framework, addressing familiar topics such as data subject rights, international data transfers and processor engagement.
The MY PDPA applies to personal data processed in respect of commercial transactions by persons established in Malaysia (including those with a regular practice in Malaysia), and by persons not established in Malaysia who use equipment in Malaysia to process personal data otherwise than for the purposes of transit through Malaysia.
Personal data processed outside Malaysia falls outside the scope of MY PDPA, unless it is intended to be further processed within Malaysia.
The amendments have significantly enhanced the compliance requirements under the MY PDPA. Below is a non-exhaustive summary of key post-amendment MY PDPA compliance considerations.
Data protection officer (DPO). The MY PDPA previously contained no requirement to appoint a DPO. The amendments introduce a new requirement for data controllers and data processors to appoint a DPO.
Data breach notification. Reporting data breaches was previously voluntary. The amendments introduce a new mandatory breach reporting obligation for data controllers.
Data subject rights. Prior to the amendments to the MY PDPA, data subjects only had five express data subject rights under the MY PDPA: (i) the right to access personal data; (ii) the right to correct personal data; (iii) the right to withdraw consent to the processing of personal data; (iv) the right to prevent processing for direct marketing purposes; and (v) the right to prevent processing likely to cause damage or distress.
The amendments introduce a sixth right: a new data portability right for data subjects.
Cross-border personal data transfers. Prior to amendments to the MY PDPA, outbound transfers of personal data from Malaysia were permitted if prescribed conditions under the MY PDPA were met, such as transferring to a whitelisted country deemed to have substantially similar laws or adequate protection, or where the data subject had provided consent.
The latest amendments remove the whitelisting regime and introduce a new mechanism allowing data controllers to make outbound transfers where the recipient jurisdiction’s laws are substantially similar to or offer an adequate level of protection in line with the MY PDPA.
Data processor obligations. Previously, data processors were not directly regulated under the MY PDPA and were only subject to security requirements indirectly through agreements with data controllers. The latest amendments impose direct obligations on data processors to comply with the security requirements under the MY PDPA.
Biometric data. The definition of ‘sensitive personal data’ under the MY PDPA already covered information relating to the health or condition of data subjects. The amendments add a new, specifically defined concept of ‘biometric data’ as a further subcategory of ‘sensitive personal data’.
Regulatory penalties. Previously, non-compliance with core provisions (specifically the seven personal data protection principles in sections 6 to 12 of the MY PDPA) was subject to a fine of up to RM300,000 (approximately US$70,000) and/or imprisonment for up to two years. The regulatory penalties have been significantly enhanced following the amendments, with fines now reaching up to RM1m (approximately US$240,000) and/or imprisonment for up to three years for failure to comply with these provisions.
Alongside the amendments detailed above, the Malaysian personal data protection commissioner issued guidelines earlier this year on DPO appointments, breach notification and cross-border transfers of personal data, providing much needed clarity on the application of the new MY PDPA provisions.
This was followed by the publication of additional DPO-related guidance, including the ‘DPO Competency Guideline’, ‘DPO Professional Development Pathway & Training Roadmap’ and the ‘Management of DPO Training Service Provider Guideline’.
Looking ahead to the end of 2025, we expect to see a continued surge of activity in the Malaysia data privacy regulatory landscape through the anticipated release of new guidance on data protection impact assessments, data protection by design and automated decision making and profiling, and a revamped set of binding personal data protection standards.
These developments may be followed by further amendments to the MY PDPA and related regulations in the coming year. In light of these significant changes, entities processing personal data under the MY PDPA should review their existing compliance frameworks and implement the appropriate compliance uplifts.
Divergence – MY PDPA versus GCC (and wider) regulations
Recent developments in Malaysia highlight a global appetite for robust, General Data Protection Regulation (GDPR)-inspired regulation and data protection standards.
While the MY PDPA has provided substantive data privacy provisions since its enactment in 2010, recent years have seen the United Arab Emirates (particularly through the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM)), Bahrain and Oman introduce their own dedicated personal data protection laws, with the DIFC and ADGM data privacy frameworks closely resembling ‘GDPR-style’ regulatory requirements.
Despite the GDPR-driven ‘Brussels Effect’, we are increasingly seeing national privacy laws drafted to reflect local expectations, compliance appetites and preferences. This has resulted in practical divergences and differing regulatory obligations, which entities well-adapted to GDPR compliance should still carefully consider: successful multinational privacy compliance requires a bespoke rather than ‘one size fits all’ approach.
Practical divergences between MY PDPA and GCC (and wider) regulations
Data transfer impact assessments (DTIA). The requirement to perform DTIAs (aimed at assessing the safeguards personal data will receive under the importing jurisdiction’s framework) is well-established under the GDPR and certain GCC regimes, but neither prescribes an express validity period. By contrast, the Malaysian Personal Data Protection Guidelines on Cross Border Transfers of Personal Data provide that DTIA findings made under the MY PDPA are valid for three years only, so DTIAs must effectively be refreshed every three years.
Data subject rights of access. Both the ADGM Data Privacy Regulations 2021 (ADGM DPR) and the MY PDPA grant data subjects rights to access their personal data. However, the scope of accessible information, the compliance obligations and the timelines differ. Under the ADGM DPR, data controllers must inform data subjects of the action taken on a request within two months of receiving it. If the data controller does not action the request or requires more time, it must, within that same two-month period, inform the data subject of the extension required or of its refusal to act, together with the reasons for the delay or refusal.
By contrast, the MY PDPA generally requires data controllers to comply with data subject access requests within 21 days of receipt. If the data controller refuses to act, or is unable to comply within the 21-day period, it must inform the data subject of the refusal or inability within that period; where it is merely unable to comply in time, it must then comply as soon as practicable and in any event no later than 14 days after the 21-day period expires.
Data controller registration and notification obligations. Under Bahrain Law No. 30 of 2018 with Respect to Personal Data Protection, data controllers are required (subject to certain exemptions, such as employee-related data processing or where a data protection guardian (a role similar to a DPO) has been appointed) to notify the Bahrain Personal Data Protection Authority of most “automated processing operations”, providing details of the categories of personal data to be processed and of the affected data subjects.
This obligation materially differs from the MY PDPA data controller registration requirements, which only require prescribed classes of data controllers to register with the Malaysian data protection commissioner, such as licensed financial institutions or licensed telecommunications providers.
Wider considerations for multinational compliance
Effective multinational compliance strategies across the GCC, Southeast Asia and beyond must account for wider considerations, including: (i) the extraterritoriality of data protection laws which may trigger a wider scope of compliance requirements; (ii) varying data localisation requirements (such as the United Arab Emirates requirements for payment processing data and health information to be held locally); and (iii) other sector-specific requirements for organisations in highly regulated sectors, such as banking and financial services, or telecommunications.
What next?
Entities (in particular those with a GCC or European Union nexus) processing personal data under the MY PDPA are advised to reassess their compliance processes, procedures and agreements to ensure alignment with all relevant data privacy requirements, while remaining vigilant of any future regulatory changes.
Given the trend toward regulatory divergence, effective multinational privacy compliance rarely permits a ‘one size fits all’ analysis. Finding a robust, effective and defensible position – especially for organisations seeking to adopt a uniform approach globally – requires careful consideration and balancing evolving regulatory developments with a sound understanding of risk exposure, enforcement realities, and internal governance and risk appetites.
Saleem Adam is a managing partner, Alex Ford-Cox is a senior associate and Xin Yi Yu is an associate at Trowers & Hamlins LLP. Mr Adam can be contacted on +971 2 410 7611 or by email: sadam@trowers.com. Mr Ford-Cox can be contacted on +971 2 410 7627 or by email: afordcox@trowers.com. Ms Yu can be contacted on +60 3 2717 3820 or by email: xyu@trowers.com.
© Financier Worldwide