Published: 25-Sep-25 | By APSCo Southeast Asia

What Recruiters Need to Know About Malaysia's PDPA Amendments

Data protection is rising rapidly up the regulatory agenda across Southeast Asia. Malaysia has now passed significant changes to its Personal Data Protection Act 2010 (PDPA), bringing the law in line with international standards and placing tougher obligations on businesses.

For staffing firms operating in Malaysia – and even those in neighbouring markets such as Singapore that handle Malaysian candidates – these changes have immediate consequences for compliance and day-to-day operations.

In a recent APSCo member-exclusive webinar, legal experts walked through the amendments in detail. While full insights are available to members only, here’s a factual overview of the key changes recruiters need to be aware of.

A Refresher: The PDPA Framework

The PDPA regulates the processing of personal data in commercial transactions. Recruiters routinely process sensitive personal information such as CVs, contact details, identification documents, and sometimes health or biometric data.

The Act is built around seven key principles: general, notice & choice, disclosure, security, retention, data integrity, and access. These principles remain at the core of the framework but have now been bolstered through the 2024 amendments.

The 2024 Amendments: Key Updates

  1. From “Data Users” to “Data Controllers”
    The law has updated its terminology, replacing “data user” with “data controller” to align with international norms such as the EU’s GDPR and Singapore’s PDPA.

  2. Direct Obligations for Data Processors
    Perhaps the most impactful change: data processors now have direct obligations under the PDPA. This means vendors and service providers that handle data on behalf of recruiters – such as applicant tracking systems, outsourced payroll providers, or background-check firms – can now be held directly accountable.

  3. Tougher Penalties
    The maximum penalties have increased substantially: fines of up to RM1 million and/or three years’ imprisonment for serious breaches. This is a significant step up from the previous ceiling of RM300,000.

  4. Explicit Consent for Sensitive Data
    The amended Act strengthens requirements for explicit consent when processing sensitive categories of data. For recruiters, this covers areas such as medical information, biometric identifiers, or racial/ethnic background details that may arise in vetting processes.

  5. Mandatory Data Breach Notification
    Organisations are now required to notify the regulator – and in some cases, the individuals affected – of data breaches. Recruiters must therefore ensure they have incident response plans in place.

  6. Cross-Border Data Transfers
    The PDPA has always restricted transfers of personal data abroad unless the destination country provides adequate protection or the individual consents. The amendments reaffirm and clarify this requirement – a point of particular importance for firms operating across Malaysia and Singapore, where candidate data frequently crosses borders.

  7. Enhanced Data Subject Rights
    Individuals now have stronger rights to access, correct, and, in certain cases, erase their data. Recruiters will need to manage such requests promptly and consistently.

Why This Matters for Recruitment Businesses

Staffing firms are uniquely exposed to personal data risks: the very nature of the business involves collecting, storing, and transferring sensitive candidate information. The amendments increase both legal accountability and the potential consequences of non-compliance.

For Malaysia-based recruiters, this means reviewing policies, contracts, and processes to ensure alignment with the updated PDPA. For Singapore or regional firms that handle Malaysian candidate data, the crossover effects are also clear: compliance doesn’t stop at the border.

Key questions firms should now be asking include:

  • Are consent forms and privacy notices sufficiently clear and robust?
  • Do contracts with third-party processors reflect their new obligations?
  • Is there a breach reporting process that meets the notification requirements?
  • How will the business handle candidate requests to access or correct their data?

Member-Exclusive Guidance

This blog highlights the main changes to Malaysia’s PDPA, but it only scratches the surface. In our exclusive webinar, APSCo members received in-depth guidance on the practical steps recruiters should take, examples of compliance pitfalls, and advice on preparing for regulator scrutiny.

APSCo members can access the full webinar recording here.

For membership enquiries, please contact Baz Sultana, Global Services and Development Manager, at bazgha.sultana@apsco.org, or Gareth Bibby, Member Service Manager, at gareth.bibby@apsco.org.