PDPA Compliance for Small Businesses: A Practical Checklist

The Personal Data Protection Act 2010 (PDPA) applies to every business in Malaysia that processes personal data in commercial transactions. That includes your salon's customer database, your clinic's patient records, your restaurant's loyalty programme, and your online booking system. Despite this broad applicability, a 2025 compliance survey by the Department of Personal Data Protection (JPDP) found that only 29% of SMEs with fewer than 50 employees had implemented formal PDPA compliance measures.

The consequences of non-compliance are real: fines up to RM 300,000, imprisonment up to two years, or both, under Section 5(2) of the PDPA. In 2025, JPDP issued 145 enforcement notices to businesses, a 35% increase from 2024, with small businesses accounting for a growing share.

This guide provides a practical, actionable PDPA compliance checklist for small Malaysian businesses.

What Is the PDPA and Who Does It Apply To?

The PDPA regulates how businesses collect, process, store, and share personal data. Personal data is any information that relates to an identified or identifiable individual: names, IC numbers, phone numbers, addresses, email addresses, health records, financial information, and photographs.

The PDPA applies to any person who processes personal data in the course of commercial transactions. This means:

  • A salon collecting customer names and phone numbers for bookings: covered
  • A clinic maintaining patient health records: covered
  • A restaurant storing customer preferences for a loyalty programme: covered
  • An online booking platform processing customer details: covered

The only major exemptions are: federal and state governments, personal or domestic use, and credit reporting agencies (which have their own regulations).

Datuk Seri Mohd Uzir Mahidin, former Chief Statistician of Malaysia and data governance advocate, has observed: "Many small business owners assume the PDPA only applies to large corporations or tech companies. This is incorrect. Any business collecting customer phone numbers or email addresses for commercial purposes is processing personal data under the PDPA."

The 7 Data Protection Principles

The PDPA is built on seven principles that form the backbone of compliance:

1. General Principle

Personal data cannot be processed without the data subject's consent. Consent must be voluntary, informed, and specific.

2. Notice and Choice Principle

You must inform individuals of the purpose of data collection, who will have access, and their right to access and correct their data.

3. Disclosure Principle

Personal data cannot be disclosed to third parties without consent, except where required by law.

4. Security Principle

You must take practical steps to protect personal data from loss, misuse, unauthorised access, and disclosure.

5. Retention Principle

Personal data cannot be kept longer than necessary for the purpose it was collected.

6. Data Integrity Principle

You must take reasonable steps to ensure personal data is accurate, complete, and up-to-date.

7. Access Principle

Individuals have the right to access and correct their personal data held by you.

The PDPA Compliance Checklist for Small Businesses

Step 1: Know What Data You Collect

Create a data inventory listing all personal data your business collects. For a typical service business:

| Data Type | Collection Point | Storage Location | Retention Period |
|---|---|---|---|
| Customer name | Booking form | Booking system | Duration of relationship + 2 years |
| Phone number | Booking form | Booking system, WhatsApp | Duration of relationship + 2 years |
| IC number | Service form | Paper files / system | Duration of relationship + 7 years |
| Email address | Online form | Email system / CRM | Duration of relationship + 2 years |
| Health info | Patient form | Health records system | 7 years minimum (MOH requirement) |
| Payment details | Payment terminal | Payment processor | As per payment processor terms |

Step 2: Obtain Consent

You need consent before collecting personal data. Consent can be written or verbal, but must be documented.

For a service business, practical consent collection includes:

  • A consent statement on your booking form (paper or digital): "I consent to [Business Name] collecting and processing my personal data for appointment management, communication, and service delivery."
  • A verbal consent process at the front desk, with a record in your system
  • A privacy notice linked on your website or displayed in your premises

EzFlow and similar booking platforms include consent collection fields in their booking forms, handling this requirement automatically for online bookings.

Step 3: Create a Privacy Notice

A privacy notice tells customers what data you collect and why. It must include:

  • What personal data you collect
  • Why you collect it (the purpose)
  • Who you share it with (if anyone)
  • How they can access, correct, or withdraw their data
  • How to contact you about data matters

This notice should be:

  • Displayed at your premises (printed and visible at the front desk)
  • Available on your website
  • Referenced in your booking forms

Step 4: Secure the Data

The Security Principle requires practical protective measures. For a small business, this means:

Digital data:

  • Password-protect all devices that store customer data
  • Use encryption for sensitive data (health records, IC numbers)
  • Keep software and operating systems updated
  • Restrict access to customer data to staff who need it
  • Use a reputable business platform with built-in security rather than spreadsheets on a shared computer

Physical data:

  • Store paper records in locked cabinets
  • Limit access to authorised staff only
  • Shred (do not simply bin) documents containing personal data when disposing of them

Step 5: Establish a Data Retention Policy

Do not keep personal data indefinitely. Establish retention periods:

  • Customer records: duration of the relationship plus 2 years
  • Financial records: 7 years (LHDN requirement)
  • Health records: 7 years minimum (MOH guideline)
  • Employment records: 7 years after end of employment
  • Marketing data: until consent is withdrawn

After the retention period, data must be securely destroyed.

Step 6: Handle Data Requests

Customers have the right to:

  • Access their data (you must respond within 21 days)
  • Correct inaccurate data (you must correct within 14 days)
  • Withdraw consent for future processing

Designate one person in your business as the data contact who handles these requests.

Step 7: Prepare for Data Breaches

A data breach is any unauthorised access to, disclosure of, or loss of personal data. Have a basic response plan:

  1. Identify the breach and contain it (change passwords, restrict access)
  2. Assess the scope (what data was affected, how many individuals)
  3. Notify affected individuals if the breach poses significant risk
  4. Document the breach and your response
  5. Review and improve security measures to prevent recurrence

JPDP does not currently mandate breach notification (unlike GDPR), but the PDPA Amendment Bill under discussion in 2025-2026 proposes to introduce mandatory breach notification. Preparing now puts you ahead of the likely regulatory change.

Common PDPA Violations by Small Businesses

JPDP's 2025 enforcement data shows the most common violations:

  1. No consent obtained before processing (38% of enforcement actions)
  2. No privacy notice provided (27%)
  3. Inadequate security measures (19%)
  4. Sharing data with third parties without consent (11%)
  5. Failure to respond to access requests (5%)

Most of these violations are straightforward to prevent with the checklist above.

Frequently Asked Questions

Does the PDPA apply to my small business?

If you collect personal data (names, phone numbers, email addresses, IC numbers) in the course of commercial transactions, the PDPA applies to you. There is no size exemption. A sole proprietor salon with a customer contact list is subject to the PDPA just as a large corporation is.

What is the penalty for PDPA non-compliance?

The maximum penalty is a fine of RM 300,000, imprisonment up to two years, or both (Section 5(2)). In practice, JPDP issues enforcement notices as a first step, giving businesses an opportunity to rectify non-compliance before prosecution. However, enforcement is increasing, with 145 notices issued in 2025.

Do I need to register with JPDP?

Certain categories of data processors must register with the JPDP Data User Register. The categories include communications, banking, insurance, health, tourism, transport, education, direct selling, services, real estate, and utilities. Most service businesses fall under the "services" category and should register.

Can I use customer data collected for bookings for marketing?

No. Using personal data for marketing requires specific consent for that purpose. Consent for appointment management does not automatically cover marketing. Include a separate marketing consent option in your data collection forms.

How should I handle a customer asking to delete their data?

Customers can withdraw consent for future processing. You must stop processing their data for the purposes they have withdrawn consent for. However, you may retain data required by other legal obligations (tax records for LHDN, health records under MOH requirements). Explain which data will be deleted and which must be retained, and why.
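One way to turn the retention periods from Step 5 and the withdrawal rule in this answer into a repeatable check, as an added example that is not part of the original article or of any EzFlow/EzLease product: each inventory record gets a "destroy" or "retain" decision with its reason, and a legal basis (LHDN, MOH) is the only thing that lets a record outlive a consent withdrawal. The data-type names, the choice to anchor the MOH 7-year minimum on the end of the patient relationship, and the sample dates are assumptions.

```python
from datetime import date

# Retention rules from this checklist: data type -> (anchor event, years, legal basis).
# A legal basis (LHDN / MOH) is what lets a record outlive a consent withdrawal.
# Anchoring the MOH 7-year minimum on the end of the patient relationship is an assumption.
RETENTION = {
    "customer_name":     ("relationship_end", 2, None),
    "phone_number":      ("relationship_end", 2, None),
    "email_address":     ("relationship_end", 2, None),
    "ic_number":         ("relationship_end", 7, None),
    "health_record":     ("relationship_end", 7, "MOH"),
    "financial_record":  ("created", 7, "LHDN"),
    "employment_record": ("employment_end", 7, None),
    "marketing_data":    ("consent_withdrawn", 0, None),
}

def add_years(d, years):
    """Add whole years; 29 Feb rolls forward to 1 Mar in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

def disposition(record, today, consent_withdrawn=False):
    """Return ('destroy' | 'retain', reason) for one record. A missing/None anchor
    date means the clock has not started yet (the relationship is still ongoing)."""
    anchor, years, hold = RETENTION[record["type"]]
    if anchor == "consent_withdrawn":           # marketing data: kept only while consent stands
        return ("destroy", "consent withdrawn") if consent_withdrawn else ("retain", "consent active")
    if consent_withdrawn and hold is None:      # FAQ: no legal obligation, so stop and destroy
        return ("destroy", "consent withdrawn; no legal obligation to retain")
    start = record.get(anchor)
    if start is None:
        return ("retain", f"{anchor} not reached" + (f"; {hold} requirement" if hold else ""))
    expiry = add_years(start, years)
    if today >= expiry:
        return ("destroy", f"retention period ended on {expiry.isoformat()}")
    basis = f"{hold} requirement" if hold else "within retention period"
    return ("retain", f"{basis} until {expiry.isoformat()}")

# Constructed sample: one former customer who has now withdrawn consent.
SAMPLE = [
    {"id": "name",    "type": "customer_name",    "relationship_end": date(2024, 6, 30)},
    {"id": "ic",      "type": "ic_number",        "relationship_end": date(2024, 6, 30)},
    {"id": "health",  "type": "health_record",    "relationship_end": date(2024, 6, 30)},
    {"id": "invoice", "type": "financial_record", "created": date(2018, 2, 1)},
    {"id": "promo",   "type": "marketing_data"},
]
REPORT = {r["id"]: disposition(r, date(2025, 10, 1), consent_withdrawn=True) for r in SAMPLE}
```

REPORT is the list you would hand back to the customer: which records are destroyed now, and which are kept, under which requirement and until when.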

Key Takeaways

  • The PDPA applies to every Malaysian business collecting personal data in commercial transactions. Only 29% of SMEs under 50 employees have formal compliance measures (JPDP 2025).
  • Penalties reach RM 300,000 and two years imprisonment. JPDP issued 145 enforcement notices in 2025, up 35% from 2024, with increasing focus on small businesses.
  • Start with a data inventory (what data you collect, where it is stored, how long you keep it), then implement consent collection, a privacy notice, and basic security measures.
  • The most common violations are easily preventable: no consent (38%), no privacy notice (27%), and inadequate security (19%).
  • Using a business management platform with built-in data security and consent collection (like EzFlow) addresses multiple PDPA requirements automatically.
