What PDPA actually requires of a SaaS
The Personal Data Protection Act 2010 (PDPA) is Malaysia's main data-protection law, in force since 2013 and regulated by the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, or JPDP). At its core it's built on seven principles — the General, Notice & Choice, Disclosure, Security, Retention, Data Integrity, and Access principles. For a SaaS, you can translate those into seven practical obligations:
- Process personal data only for purposes the data subject has consented to, and that you can defend as lawful.
- Give a written notice (the Privacy Notice) explaining what you collect, why, and who you share it with — in both English and Malay.
- Don't disclose personal data to third parties beyond what your notice covers without further consent.
- Protect data with appropriate technical and organisational security measures (encryption, access control, audit logs).
- Don't retain personal data longer than necessary; have a retention policy and stick to it.
- Keep personal data accurate, complete, and up to date.
- Give data subjects the right to access, correct, and (since 2024) port their data.
That list looks heavy on paper. In day-to-day practice for a typical SaaS, most of it reduces to four things: a decent Privacy Notice, a reasonable security posture, a working delete/export flow in the product, and someone designated to handle data-subject requests when they come in. The 2024 amendments added a few specific obligations on top.
What the 2024 amendments changed
Malaysia amended the PDPA in 2024, with the changes phased in across 2024–2025. For SaaS founders, the four most important changes are:
- Mandatory DPO appointment for data users meeting thresholds set by the Minister — typically larger-scale processing or processing of sensitive personal data.
- 72-hour breach notification to JPDP once you become aware of a personal data breach, plus separate notification to affected data subjects if the breach is likely to cause significant harm.
- Data portability right — data subjects can ask for their data in a structured, machine-readable format, and ask you to transmit it to another organisation where technically feasible.
- Cross-border transfer regime overhaul — the old "white-list" approach (where only specific countries were approved destinations) was replaced with an adequacy-style framework based on comparable protection or contractual safeguards.
Penalties were also increased — into a meaningfully larger range than the original 2010 ceiling. The practical takeaway is that PDPA enforcement got more teeth in 2024, and the bar for what counts as "reasonable" compliance moved up. If your last compliance review was before 2024, it's outdated.
The Data Protection Officer role
Under the 2024 amendments, certain data users must appoint a Data Protection Officer. The exact thresholds are set by the Minister and have been refined through guidance, but in practice many growing SaaS will fall into scope — either because they process personal data at scale or because they handle sensitive categories (health, financial, biometric).
The DPO doesn't need to be a lawyer. They need to be someone who knows your product and data flows well enough to be the single point of accountability for PDPA matters: handling JPDP enquiries, responding to data-subject requests, advising on new features that touch personal data, and being the named contact in your Privacy Notice.
Pragmatic approach for early-stage SaaS: even before you're legally required, designate a founder or technical lead as the de facto DPO and document the appointment. It costs nothing to do early, and the moment a prospective enterprise customer asks "who's your DPO?" you have an answer instead of a scramble.
Mandatory breach notification — 72 hours
If you suffer a personal data breach — unauthorised access, accidental disclosure, loss of records — you now have 72 hours from becoming aware of it to notify JPDP. If the breach is likely to result in significant harm to affected individuals, you also need to notify those individuals directly.
What "becoming aware" means in practice: the clock starts when someone in your organisation has reasonable certainty that a breach has occurred, not when speculation begins. But you don't get to delay investigating; if you have credible signals, you're expected to investigate promptly.
The way to handle this without panic is to write the breach-response runbook before you ever need it. A simple internal document with: who decides it's a breach, who they tell first, the template JPDP notification email, the template customer notification email, and the technical steps to contain the breach. We've seen well-run SaaS handle breaches calmly because they had this runbook. We've also seen others lose days arguing over who should do what — those are the cases that turn into press stories.
Cross-border data transfer
Most SEA SaaS host on AWS, GCP, or Azure regions in Singapore — sometimes also Indonesia or Hong Kong. PDPA does regulate where personal data can go outside Malaysia, and the 2024 amendments changed how this works.
Under the new framework, you can transfer personal data outside Malaysia if any of these apply: the receiving jurisdiction provides protection comparable to Malaysia's; you've put in place contractual safeguards (similar in spirit to GDPR Standard Contractual Clauses); the data subject has consented to the transfer; or specific exceptions apply (e.g. the transfer is necessary for performance of a contract with the data subject).
For Singapore-hosted SaaS, the practical position is that Singapore's PDPA is widely accepted as offering comparable protection. Document that you've considered it and why your transfer is appropriate. Keep records — JPDP can ask.
Privacy Notice + consent in practice
The Privacy Notice is the most visible piece of PDPA compliance. It must be available in English and Malay (Chinese is optional but recommended if you have Chinese-speaking users), and it must accurately describe what your product actually does — not a generic template you copied from another SaaS.
Things a good Privacy Notice for a Malaysian SaaS contains:
- What categories of personal data you collect (account info, usage data, integrations with third-party tools, etc.)
- Why you collect each category and the lawful basis
- Who you share it with — name your sub-processors (Stripe, AWS, Resend, etc.) and what each receives
- How long you keep each category, and what triggers deletion
- The data-subject rights available, with a clear way to exercise them (typically an email address)
- Cross-border transfer disclosure if data leaves Malaysia (which it almost always does for SaaS)
- Your DPO's contact details once you have one
- The date of last update — and a habit of actually keeping it current
On consent: PDPA does require consent for collection, but consent doesn't have to be a 50-page modal that nobody reads. A clear statement at signup like "By creating an account, you agree to our Privacy Notice and Terms of Service" with the linked notice satisfies the principle for ordinary processing. Sensitive personal data (health, religious belief, biometric) needs explicit consent, separately given.
Data subject rights you must support
Data subjects — your users — have rights you have to support. As of the 2024 amendments these are:
- Access — they can ask what data you hold about them.
- Correction — they can ask you to correct inaccurate data.
- Deletion — they can ask you to delete their data when retention is no longer justified.
- Portability (new in 2024) — they can ask for their data in a machine-readable format, and ask you to transmit it to another organisation where technically feasible.
- Withdrawal of consent — they can withdraw consent at any time, which typically means deletion follows.
For a well-built SaaS, all five reduce to two product features: an in-app "Download my data" button (covers access and portability) and an in-app "Delete my account and data" flow (covers deletion and consent withdrawal). Correction is usually just editable profile fields. Build these into the product from day one — retrofitting them years later is genuinely painful, and they're the single most common ask from enterprise customers doing their own vendor due-diligence.
The pre-launch checklist
If you're shipping a new Malaysian SaaS in 2026, this is the minimum compliance posture we'd recommend before public launch:
| Item | Why it matters | Effort |
|---|---|---|
| Privacy Notice in EN + Malay (matches reality) | Required by Notice & Choice principle | 1–2 days |
| Terms of Service | Not strictly PDPA, but inseparable in practice | 1–2 days |
| Designate a DPO (even if not yet mandatory) | 2024 requirement above scale thresholds; enterprise buyers ask for it | ~1 hour |
| "Download my data" + "Delete my account" flows in product | Access, portability, deletion rights — and the biggest enterprise procurement question | 3–5 days at build time |
| Encryption in transit (TLS) + at rest (database) | Security principle baseline | Standard with modern hosting |
| Audit logs for sensitive actions | Helps with breach investigation + customer trust | 2–4 days |
| Breach-response runbook (internal doc) | 72-hour notification deadline; you don't want to figure this out under pressure | ~1 day |
| Sub-processor list, kept current | Disclosure principle; needed for Privacy Notice accuracy | ~2 hours, then ongoing |
| Cross-border transfer documentation | Justifies your hosting region under 2024 framework | ~1 day |
| Retention policy (per data category) | Retention principle; pairs with deletion flow | ~half a day |
Total realistic effort to get this in place for a brand-new SaaS: about two engineering weeks, spread across build time. Most of it gets cheaper if you build it in from day one rather than bolt it on after launch.
PDPA 对 SaaS 究竟有什么要求
2010 年个人资料保护法(PDPA)是马来西亚主要的数据保护法律,2013 年起生效,由个人资料保护局(Jabatan Perlindungan Data Peribadi,JPDP)监管。它的核心是七大原则——一般原则、通知与选择原则、披露原则、安全原则、保留原则、资料完整原则、访问原则。对 SaaS 来说,可以翻译成七条实际义务:
- 只为资料当事人同意过、且您能证明合法的目的处理个人资料。
- 给一份书面通知(隐私通知),说明您收集什么、为什么、跟谁分享——英语和马来语都要有。
- 不要超出通知范围向第三方披露个人资料,除非取得进一步同意。
- 用适当的技术和组织措施保护数据(加密、访问控制、操作记录)。
- 个人资料保留时间不要超过必要;要有保留政策并真的遵守。
- 保持个人资料准确、完整、最新。
- 给资料当事人访问、更正、以及(2024 年起)携带数据的权利。
这清单看起来很重。实际操作中,对一般 SaaS 来说,大部分可以归结为四件事:一份像样的隐私通知、合理的安全姿态、产品里有效的删除/导出流程,以及指定一个人负责处理资料当事人的请求。2024 年修订在这之上加了几项具体义务。
2024 年修订改了什么
马来西亚在 2024 年修订了 PDPA,相关改动在 2024–2025 年分阶段生效。对 SaaS 创业者最重要的四项改动是:
- 强制任命 DPO(数据保护官)——达到部长设定门槛的资料用户必须任命,通常是大规模处理或处理敏感个人资料的情况。
- 72 小时数据泄露通报——一旦察觉到个人资料泄露,必须在 72 小时内通报 JPDP,如果泄露可能对当事人造成重大伤害,还要另外通知受影响的人。
- 数据可携权——资料当事人可以要求以结构化、机器可读的格式获取自己的数据,并要求您在技术可行的前提下传输到另一个机构。
- 跨境传输制度大改——旧的"白名单"做法(只能传到部长批准的国家列表)被换成了基于可比保护或合同保障的适当性框架。
罚款也被显著提高——比 2010 年原来的上限高出一大截。实际意义是:PDPA 在 2024 年变得更有"牙齿",对"合理合规"的标准提高了。如果您上一次合规审查是在 2024 年之前,那已经过时了。
数据保护官(DPO)这个角色
根据 2024 年修订,特定资料用户必须任命数据保护官。具体门槛由部长设定,通过指导文件细化,但实际操作中,很多成长中的 SaaS 都会被纳入——要么是因为处理规模大,要么是因为涉及敏感类别(健康、财务、生物特征)。
DPO 不需要是律师。需要的是一个对您的产品和数据流足够熟悉的人,可以作为 PDPA 事务的唯一问责点:处理 JPDP 的询问、回应资料当事人请求、对涉及个人资料的新功能给意见、并在隐私通知里作为指定联系人。
早期 SaaS 的实用做法:就算法律还没要求,也指定一位创始人或技术负责人作为事实上的 DPO,并把任命记录下来。提早做不花钱,而一旦有潜在企业客户问"你们 DPO 是谁?",您就有答案,不会临时手忙脚乱。
强制性数据泄露通报——72 小时
如果发生个人资料泄露——未授权访问、意外披露、记录丢失——您现在有 72 小时从察觉算起去通报 JPDP。如果泄露可能对受影响个人造成重大伤害,还需要直接通知那些人。
实际中"察觉"的意思是:您组织里有人合理确定泄露已经发生,时钟才开始走,不是开始猜测就要算。但您不能拖着不调查;只要有可信信号,您就被期望及时调查。
处理这件事不慌张的方法是:在需要之前就写好泄露应对手册。一份简单的内部文件,写明:谁来判断这是泄露、他们先告诉谁、给 JPDP 的通报邮件模板、给客户的通知模板、以及控制泄露的技术步骤。我们见过经营良好的 SaaS 在泄露发生时冷静处理——因为他们有这份手册。也见过另一些公司花了好几天在争论"谁该做什么"——那些就是变成新闻头条的案例。
跨境数据传输
大部分东南亚 SaaS 托管在 AWS、GCP 或 Azure 的新加坡区域——有时候也在印尼或香港。PDPA 确实管制个人资料能否流出马来西亚,2024 年修订改变了运作方式。
在新框架下,您可以把个人资料传到马来西亚以外,只要满足以下任一条件:接收方司法管辖区提供与马来西亚相当的保护;您已经建立合同保障(精神上类似 GDPR 标准合同条款);资料当事人已同意传输;或者适用特定例外(例如传输对履行与当事人的合同是必要的)。
对托管在新加坡的 SaaS,实际位置是:新加坡 PDPA 普遍被认为提供相当的保护。把您考虑过这件事、以及为什么您的传输是适当的,记录下来。保留记录——JPDP 可能会问。
隐私通知和同意的实际操作
隐私通知是 PDPA 合规最显眼的一块。必须有英语和马来语两个版本(中文可选,但如果您有华语用户建议加上),而且必须准确描述您的产品实际做什么——不是从另一个 SaaS 复制来的通用模板。
给马来西亚 SaaS 的好隐私通知应该包含:
- 收集哪些类别的个人资料(账户资料、使用数据、与第三方工具的整合等)
- 为什么收集每一类,以及合法依据
- 跟谁分享——列出您的子处理者(Stripe、AWS、Resend 等),以及每方接收什么
- 每一类保留多久,什么触发删除
- 可用的资料当事人权利,以及行使的清楚途径(通常是一个邮箱地址)
- 如果数据离开马来西亚就要披露跨境传输(对 SaaS 来说几乎总是会)
- 有 DPO 之后,DPO 的联系方式
- 最后更新日期——并养成真的保持更新的习惯
关于同意:PDPA 确实要求收集时取得同意,但同意不必是一个没人看的 50 页弹窗。注册时一句清楚的"创建账户即表示您同意我们的隐私通知和服务条款",配上链接,对一般处理就满足原则。敏感个人资料(健康、宗教信仰、生物特征)需要明确同意,要单独取得。
必须支持的数据主体权利
资料当事人——您的用户——有您必须支持的权利。2024 年修订之后,这些权利是:
- 访问 —— 他们可以问您持有他们的什么数据。
- 更正 —— 他们可以要求您改正不准确的数据。
- 删除 —— 当保留不再有正当理由时,他们可以要求您删除。
- 可携(2024 年新增)—— 他们可以要求以机器可读格式获取数据,并要求您在技术可行的前提下传输给另一个机构。
- 撤回同意 —— 他们随时可以撤回同意,通常意味着随之而来的删除。
对一个建得好的 SaaS 来说,这五项可以归结为两个产品功能:应用内"下载我的数据"按钮(覆盖访问和可携)+ 应用内"删除我的账户和数据"流程(覆盖删除和撤回同意)。更正一般就是可编辑的资料字段。这些功能从第一天就内建进产品——几年后再补,真的很痛苦,而且是企业客户做供应商尽职调查时最常问的需求。
上线前清单
如果您 2026 年要在马来西亚推出一个新 SaaS,下面是公开上线前我们建议的最低合规姿态:
| 项目 | 为什么重要 | 所需工作量 |
|---|---|---|
| 英语 + 马来语隐私通知(与实际相符) | 通知与选择原则要求 | 1–2 天 |
| 服务条款 | 严格来说不属 PDPA,但实际上不可分割 | 1–2 天 |
| 指定 DPO(即使尚未强制) | 2024 年规模门槛以上需要;企业买家会问 | 约 1 小时 |
| 产品内"下载我的数据" + "删除我的账户"流程 | 访问、可携、删除权利——也是企业采购最大的问题 | 建站时 3–5 天 |
| 传输加密(TLS)+ 存储加密(数据库) | 安全原则的基线 | 现代主机标配 |
| 敏感操作的操作记录(audit logs) | 有助于泄露调查 + 客户信任 | 2–4 天 |
| 泄露应对手册(内部文件) | 72 小时通报期限;不要在压力下才琢磨这件事 | 约 1 天 |
| 子处理者列表,保持更新 | 披露原则;隐私通知准确性需要 | 约 2 小时,之后持续维护 |
| 跨境传输文件 | 在 2024 框架下为您的主机区域做合理解释 | 约 1 天 |
| 保留政策(按数据类别) | 保留原则;跟删除流程配套 | 约半天 |
把这些都做齐,对一个全新的 SaaS 来说,实际工作量大约 两个工程周,分散在建站时间内。如果从第一天就内建,大部分会便宜得多——上线后再补会贵很多。
Frequently asked questions常见问题
Do I need to register with JPDP for my SaaS?我的 SaaS 需要向 JPDP 注册吗?
Only if your SaaS falls into one of the data-user classes the Minister has prescribed for registration — currently industries like banking, insurance, healthcare, telecommunications, education, transportation, utilities, real estate, retail/wholesale, services (legal/accounting), tourism, and direct sales. Pure SaaS isn't a registered class on its own, but if your product handles data on behalf of clients in a registered class, the registration obligation typically sits with your client (the data user), not you (the data processor). When in doubt, check the current JPDP registration list on the official site or consult a Malaysian PDPA lawyer.
只有当您的 SaaS 属于部长指定的注册资料用户类别之一时才需要——目前的行业包括银行、保险、医疗、电信、教育、运输、公用事业、房地产、零售/批发、服务(法律/会计)、旅游、直销。纯 SaaS 本身不是一个注册类别,但如果您的产品是代表某个注册类别的客户处理数据,注册义务通常在您客户那边(资料用户),不在您(资料处理者)。不确定时,去 JPDP 官方网站查最新注册类别列表,或咨询马来西亚 PDPA 律师。
We're hosted on AWS Singapore — does that comply with PDPA cross-border rules?我们托管在 AWS 新加坡——这符合 PDPA 跨境规则吗?
Generally yes, but the answer changed with the 2024 amendments. The old "white-list" approach was replaced with an adequacy-style framework — you can transfer if the receiving jurisdiction has comparable protections, OR if you've put in place equivalent contractual safeguards (similar to GDPR Standard Contractual Clauses), OR if the data subject has consented. Singapore's PDPA is widely considered comparable, but document your reasoning either way. AWS Singapore region is fine for most SEA SaaS use cases; document the choice in your data-protection records.
一般来说是的,但 2024 年修订后答案变了。旧的"白名单"做法被换成了适当性框架——可以传输的条件是:接收方司法管辖区有相当保护,或者您已建立等效合同保障(类似 GDPR 标准合同条款),或者资料当事人已同意。新加坡 PDPA 普遍被认为相当——但不管怎样要把您的推理记录下来。AWS 新加坡区域对大部分东南亚 SaaS 来说没问题;把这个选择记到您的数据保护记录里。
What's the difference between PDPA Malaysia and PDPA Singapore?马来西亚 PDPA 跟新加坡 PDPA 有什么不同?
Both follow similar OECD-style principles but differ in enforcement, breach-notification thresholds, and DPO requirements. Singapore's PDPA is generally regarded as more mature and prescriptive (e.g. tiered breach notification with clear materiality thresholds, mandatory DPO for all organisations). Malaysia's 2024 amendments narrowed the gap significantly. If you operate in both countries, write your Privacy Notice and your internal controls to satisfy the stricter of the two — that's almost always Singapore.
两者都遵循类似 OECD 风格的原则,但在执法、泄露通报门槛、DPO 要求上有差别。新加坡 PDPA 普遍被认为更成熟、规定更细(例如分级泄露通报有清楚的重大性门槛、所有机构都强制 DPO)。马来西亚 2024 年修订大幅缩小了差距。如果两个国家都运营,您的隐私通知和内控就按更严的那个写——几乎总是新加坡。
How much do PDPA violations cost in fines?PDPA 违规的罚款大概多少?
The 2024 amendments raised the ceiling significantly — into the high six-figure to low seven-figure ringgit range for serious offences, plus potential imprisonment for officers in the most serious cases. The bigger practical risk for most SaaS isn't the fine itself, though — it's the reputational and contract-renewal damage when enterprise customers see a breach in the news. For exact current fine amounts, always check the latest JPDP guidance or consult a lawyer; they shift as enforcement matures.
2024 年修订显著提高了上限——严重违规可达六位数高位到七位数低位令吉,最严重的情况下负责人还可能面临监禁。但对大部分 SaaS 来说,更大的实际风险不是罚款本身——而是企业客户在新闻看到泄露事件后,对您的名声和续约造成的伤害。具体当前罚款金额,请查最新的 JPDP 指导文件或咨询律师;随着执法成熟,这些金额会变。
Do I need a Data Protection Officer (DPO) for my early-stage SaaS?早期 SaaS 需要任命 DPO 吗?
Under the 2024 amendments, DPO appointment is mandatory for data users meeting thresholds set by the Minister — typically organisations processing personal data at a certain scale or in sensitive categories. Many SaaS will fall in scope as they grow. Pragmatic approach: even before you're legally required, designate someone internally (could be the CTO or a founder initially) as the de facto DPO and document the appointment. When your scale crosses the threshold or you start selling to clients who'll ask, you'll already have the role in place.
2024 年修订下,达到部长设定门槛的资料用户必须任命 DPO——通常是大规模处理或敏感类别处理的机构。很多 SaaS 长大后都会被纳入。实用做法:就算法律还没要求,也内部指定一个人(早期可以是 CTO 或创始人)作为事实上的 DPO,并把任命记录下来。等规模过门槛或者开始卖给会问的客户时,这个角色已经在位了。
Our SaaS has a free tier — do PDPA rules still apply to free users?我们 SaaS 有免费档——PDPA 规则也适用于免费用户吗?
Yes — PDPA applies to processing personal data in commercial transactions, and a free tier is still part of a commercial offering. The same Privacy Notice, the same retention rules, the same security obligations, the same deletion and access rights all apply. The only practical difference is that the contractual layer is usually thinner for free users, so make sure your Terms of Service + Privacy Notice cover them explicitly.
适用——PDPA 管的是商业交易中处理个人资料,免费档仍然是商业产品的一部分。同样的隐私通知、同样的保留规则、同样的安全义务、同样的删除和访问权利都适用。唯一实际差别是免费用户的合约层一般比较薄,所以要确保服务条款和隐私通知明确覆盖到他们。
