Malaysia PDPA 2025 Amendments and AI Governance: What Companies Need to Know

Malaysia's Evolving AI Regulatory Landscape

Malaysia is rapidly developing its AI governance framework. Two key developments shape how businesses must handle AI:

1. PDPA 2025 Amendments (effective June 2025): Major updates to data protection that directly affect AI systems
2. National AI Governance and Ethics Guidelines (AIGE) (September 2024): Voluntary AI ethics framework

Additionally, the newly established National AI Office (NAIO) is developing a dedicated AI law potentially by the second half of 2026, and Bank Negara Malaysia (BNM) has released AI governance guidelines for financial services.

PDPA 2025 Amendments: What Changed

Malaysia's Personal Data Protection Act 2010 underwent its most significant update with Phase 3 amendments taking effect in June 2025:

Mandatory Data Protection Officer (DPO)

Organizations processing personal data must now appoint a Data Protection Officer. For companies using AI:

• The DPO must oversee AI-related data processing
• Must ensure AI training data complies with PDPA requirements
• Must be involved in privacy impact assessments for AI systems
• Can be an existing employee or outsourced, but must have adequate authority and resources

Mandatory Data Breach Notification

Organizations must now notify the Personal Data Protection Commissioner and affected individuals when a data breach occurs. For AI systems:

• AI system breaches (training data, model outputs containing personal data) are covered
• Notification must be made "as soon as practicable"
• Must include description of the breach, types of data affected, and remedial steps

Data Portability

Individuals now have the right to request their personal data in a portable format. Implications for AI:

• If your AI system maintains user profiles or preferences, those must be portable
• Data used to personalize AI experiences may need to be transferable
• Technical implementation of portability mechanisms may be required

Cross-Border Data Transfer

Stricter requirements for transferring personal data outside Malaysia. For AI:

• Cloud-based AI processing in foreign data centers must comply
• AI model training using data from Malaysian users must ensure adequate protections
• Companies must verify that destination countries have adequate data protection

National AI Governance and Ethics Guidelines (AIGE)

Released by MOSTI in September 2024, the AIGE Guidelines establish seven principles for AI in Malaysia:

1. Based on Malaysian values: AI should align with national principles including Rukun Negara
2. Beneficial: AI should create value for society and the economy
3. Fair and just: AI should not discriminate or create unjust outcomes
4. Accountable: Clear responsibility for AI decisions and outcomes
5. Transparent and explainable: AI decision-making should be understandable
6. Resilient and secure: AI systems should be robust against failures and attacks
7. Inclusive: AI should be accessible and benefit all segments of society

Scope and Status

• Status: Voluntary guidelines (not legally binding — yet)
• Designed as: A living document that will be periodically updated
• Applies to: All organizations developing or deploying AI in Malaysia
• Future: May evolve into enforceable requirements as Malaysia develops AI legislation

The National AI Office (NAIO)

Established in December 2024, NAIO is Malaysia's central coordination body for AI policy:

Key Deliverables (Expected 2026)

• AI Technology Action Plan 2026-2030: Five-year strategic roadmap
• AI Code of Ethics: Potentially enforceable ethical standards
• AI Adoption Regulatory Framework: Framework for regulatory oversight
• Consolidated Government Datasets: Open data for AI development

Potential AI Legislation

Malaysia is actively considering dedicated AI legislation, with potential enactment by the second half of 2026. The government is weighing options including:

• Standalone AI legislation
• Enforceable regulations under existing laws
• Expanded voluntary standards with enforcement mechanisms

Bank Negara Malaysia (BNM) AI Guidelines

Released in August 2025, BNM's AI governance guidelines apply to financial institutions:

• Scope: Banks, insurance/takaful operators, fintech companies
• Status: Proposed (10-week consultation ended October 2025)
• Current adoption: 71% of banking institutions and 77% of insurance operators already use AI
• Key areas: Customer analytics, fraud detection, credit scoring, compliance automation

How to Comply

Step 1: PDPA Compliance Foundation

• Appoint a Data Protection Officer if you haven't already
• Implement data breach notification procedures
• Review cross-border data transfer arrangements for AI systems
• Implement data portability mechanisms

Step 2: AI Data Audit

• Map all personal data used in AI training, operation, and outputs
• Identify the lawful basis for each data processing activity
• Assess whether consent is current and adequate for AI-related uses
• Document data retention policies for AI training data

Step 3: AIGE Alignment

• Map your AI systems against the seven AIGE principles
• Identify gaps, particularly in fairness, transparency, and accountability
• Implement governance measures to address gaps
• Document your alignment for future regulatory requirements

Step 4: Prepare for AI Legislation

• Monitor NAIO announcements and consultations
• Participate in public consultations when available
• Build governance infrastructure now that can be adapted to binding requirements
• Engage with industry associations and NAIO working groups

Related Regulations

• Singapore PDPA and AI: Comparable data protection requirements with more mature AI governance
• Indonesia PDP Law: Similar GDPR-inspired data protection in neighboring market
• ASEAN AI Governance Guide: Regional framework that AIGE guidelines align with
• HRDF: Malaysia's Human Resources Development Fund supports AI training programs that complement governance