Moving Beyond Compliance: Why Malaysia’s PDPA Demands a Cultural Shift

PDPA Shield

By Urwah Saari, Consultant at Profess Consulting Group, former Assistant Commissioner at the Personal Data Protection Department (JPDP), and HRD Corp Certified Trainer specialising in data protection, governance, and compliance, September 2025


From Checklist to Culture

The protection of personal data is now a defining feature of organisational culture and risk management. In Malaysia’s digital economy, data is both an asset and a liability. Yet many organisations still regard personal data protection as nothing more than a checklist: a policy to be filed, a notice to be displayed, or a document produced only when regulators ask. This narrow approach undermines the intent of the Personal Data Protection Act 2010 (PDPA), which was established not merely to regulate data usage but to embed respect for privacy and accountability into the way organisations operate.


Common Cultural Barriers

The cultural barriers to genuine data protection are well known. In many workplaces, compliance is treated as an afterthought, raised only during audits or after a breach. Awareness is low across departments, with staff uncertain of their role in safeguarding personal data. Policies are often applied with a tick-box mentality that satisfies formalities but does little to influence behaviour. Most critically, accountability is weak. Without clear ownership, data breaches may be mishandled or ignored, creating both regulatory and reputational risks.


PDPA Amendments 2024: Raising the Stakes

The 2024 amendments to Malaysia's PDPA, passed in 2024 and brought into force in stages during 2025, make this situation unsustainable. Several changes signal the need for a cultural shift. Biometric data has been formally recognised as sensitive personal data, demanding stronger safeguards and heightened respect for privacy. The mandatory appointment of a Data Protection Officer (DPO) embeds responsibility for data protection into organisational structures, ensuring that oversight and leadership are no longer optional. Penalties for non-compliance have been substantially increased, exposing organisations to larger fines and to criminal liability for the individuals responsible. The requirement to notify the regulator of personal data breaches, and to notify affected data subjects where a breach is likely to cause them significant harm, introduces a new culture of transparency, while the recognition of additional rights for data subjects, such as data portability, reflects an emphasis on integrity and customer-centric practice.


Beyond Compliance: Managing Change

These reforms confirm that data protection can no longer be siloed as a purely legal or technical issue. It must be integrated into daily practice and organisational culture. Achieving this demands more than new policies. It requires change management. One useful approach is the ADKAR model developed by Prosci, which describes change at the individual level in five stages: awareness, desire, knowledge, ability, and reinforcement. Applying this model to personal data protection means first creating awareness of why compliance matters, then building the desire among employees to support change. Knowledge must be provided through training and resources, which in turn enable ability by equipping staff to apply what they learn. Finally, reinforcement ensures that behaviours are sustained through monitoring, feedback, and recognition. In this way, personal data protection can become part of an organisation’s DNA rather than a short-term exercise in compliance.


The Business Case for Cultural Change

The benefits of this cultural shift extend far beyond avoiding penalties. Organisations that embed PDPA compliance into daily practice are better protected against data breaches, more resilient to cyber threats, and able to build trust with customers, regulators, and partners. In an era when reputation is closely tied to data security, such trust is a strategic advantage.


Building Capability Through Training

Training and capability development play a central role in this transformation. Employees at every level must understand not only the rules but also how to apply them in practice. Professional training programmes help translate the legal requirements of the PDPA into practical measures that staff can implement day to day. By bridging the gap between law and culture, they ensure that compliance is sustainable.


A Practical Step Forward

To support this shift, Irshad HR Consulting and Profess Consulting Group have developed the PDPA Fundamentals & DPO Training Programme. Designed for managers, executives, and aspiring Data Protection Officers, the programme moves beyond theory to address the operational and cultural realities of data protection. By equipping organisations with regulatory insight and practical tools, it enables them to comply with the law while embedding data protection as part of organisational culture, a shift that is now essential for success under Malaysia’s PDPA.
