The Personal Data Protection Act Amendment 2024 came into effect in April 2025. It raised the maximum fine for non-compliance to RM1 million and introduced the possibility of up to three years' imprisonment. That is a significant increase from the earlier penalty structure. More than a year has passed since those changes took effect. Yet many businesses in Malaysia are still running background screening processes that have not been updated to reflect the new requirements. Some are collecting data without proper consent language. Others are retaining candidate records far longer than allowed. Some are outsourcing screening to vendors without checking whether those vendors are themselves compliant. This guide is a practical check-in for HR and compliance teams who want to make sure their employee screening process is aligned with what the law actually requires in 2026.
What the PDPA Amendment 2024 Changed for Employers
The original Personal Data Protection Act 2010 set out the foundational rules for how personal data should be collected, used, stored, and disclosed in Malaysia. The 2024 Amendment updated several areas that are directly relevant to background screening. The penalties for non-compliance increased substantially. The Amendment also strengthened requirements around data breach notification, giving organisations a mandatory timeframe to report breaches to the Personal Data Protection Commissioner. It tightened rules around cross-border data transfers, which matters for companies using overseas screening providers or sharing candidate data with international entities. For employers conducting background checks, the core obligations remain the same but the consequences of getting them wrong are now much higher.
The Seven PDPA Principles and What They Mean for Background Screening
The PDPA is built around seven principles. All seven apply when you are screening employees or candidates. The General Principle requires explicit written consent from the candidate before you begin any check. The Notice and Choice Principle means candidates must be informed in writing about what data you are collecting, why, who it may be shared with, and their rights under the PDPA — before data collection begins. The Disclosure Principle means data collected for background screening may only be used for that purpose. The Security Principle requires reasonable steps to protect candidate data from unauthorised access. The Retention Principle means personal data should not be kept longer than necessary. The Data Integrity Principle requires that data used for screening decisions must be accurate and complete. The Access Principle gives candidates the right to access their personal data and request corrections.

Common Gaps in Background Screening Compliance

Based on what is commonly seen across Malaysian organisations, these are the areas where screening processes most often fall short of PDPA requirements.
Consent Forms That Are Too Vague
A general consent to collect personal data during recruitment does not cover background screening specifically. The consent form needs to name the types of checks, data sources, and any third-party providers involved.
No Data Retention Policy for Screening Records
Many HR teams retain candidate screening reports indefinitely. Under the PDPA, you need a defined retention period and a documented process for deleting or destroying records once that period ends.
Unvetted Third-Party Screening Providers
If you outsource background screening, you remain responsible for ensuring that the provider handles candidate data in a PDPA-compliant manner. A provider without ISO 27001 certification or clear data handling agreements is a risk that sits with your organisation.
Cross-Border Data Transfer Without Safeguards
Some screening providers process data outside Malaysia. Under the PDPA, transferring personal data to a country without comparable data protection standards requires specific safeguards.
What a PDPA-Compliant Screening Process Looks Like in 2026
A compliant employee screening process in Malaysia today should include: a specific written consent form referencing the background screening types and third-party providers involved; a personal data protection notice, available in both English and Bahasa Malaysia, issued before any data collection begins; a documented data retention schedule with clear timelines for deleting screening records of unsuccessful candidates; a data handling agreement with any external screening provider confirming PDPA compliance; a process for responding to candidate data access or correction requests; and a record of all screening decisions maintained in a secure, access-controlled environment.

What to Do if You Find Gaps
If you review your current process and find gaps, the priority order is straightforward. Update your consent forms and privacy notices first, as these are the most visible and most commonly audited elements. Establish or update your data retention policy next. Review your agreements with any third-party screening providers and confirm they meet current PDPA requirements. Document your process so that if your organisation is ever subject to a complaint or audit, you can demonstrate that a compliant process is in place.
Does PDPA Apply to Re-Screening Existing Employees?
Yes. The PDPA applies to the collection and processing of personal data for any individual, including existing employees. If you conduct periodic re-screening of your workforce, the same consent, notice, and data handling obligations apply. Many organisations overlook this when updating their screening policies, focusing only on new hire processes while leaving existing employee re-screening outside the compliance framework.
Final Thoughts
The PDPA Amendment 2024 was not a minor update. The increase in penalties was significant and the obligations it reinforced around consent, data security, and third-party management are ones that many organisations in Malaysia have still not fully addressed. A compliance review of your background screening process does not need to be complex. In most cases it comes down to updating consent forms, setting a retention policy, and confirming that your screening provider meets current data protection standards. Venovox conducts background screening in Malaysia through a process aligned with PDPA requirements and ISO 27001 certified data security standards. Our screening reports are audit-ready and our data handling practices are documented and transparent. Contact us to discuss how we can support your organisation's screening and compliance needs.

Dato' Venodevan
Risk is an opportunity

