PDPA Compliance for Apps: What Malaysian Developers Should Know
What is PDPA?
Malaysia's Personal Data Protection Act 2010 (PDPA) governs how businesses collect, use, and store personal data. If your app handles names, emails, phone numbers, IC numbers, or any information that can identify a person — PDPA applies to you.
**Important disclaimer:** We're developers, not lawyers. This article is a practical guide based on our understanding and experience. For legal advice, consult a qualified Malaysian lawyer.
The 7 Principles (In Plain English)
1. General Principle
Only process personal data for lawful purposes directly related to your business activity. Don't collect data you don't need.
2. Notice and Choice
Tell users what data you're collecting, why you need it, and who you might share it with. Give them a real choice to opt out — not a buried checkbox.
3. Disclosure
Don't share personal data with third parties unless the user consented to it or you have a legal reason.
4. Security
Take reasonable steps to protect personal data from loss, misuse, and unauthorized access.
5. Retention
Don't keep personal data longer than you need it. Have a data retention policy and actually follow it.
6. Data Integrity
Keep personal data accurate and up-to-date. Give users a way to correct their information.
7. Access
Users have the right to access their personal data and know how it's being used.
Practical Steps for Your App
Here's what we actually implement in every app we build:
**Consent collection:** Clear consent form before collecting any personal data. Not a pre-checked checkbox — an active opt-in.
**Data encryption:** All personal data encrypted at rest and in transit. HTTPS everywhere, encrypted database fields for sensitive data.
**Access controls:** Role-based access so only authorized people can see personal data. Audit logs for who accessed what.
**Data minimization:** Only collect what you actually need. If you don't need an IC number, don't ask for it.
**Deletion capability:** Users can request their data be deleted. Your app needs to actually support this.
**Privacy policy:** A clear, readable privacy policy that explains everything in plain language — not legal jargon.
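The checklist above turns into a handful of concrete controls in code. What follows is an added example, not code from the original article or from the authors' projects. It assumes an in-memory dictionary in place of a real database, leaves encryption at rest and HTTPS to the storage and transport layers (so those two steps are not shown), and uses illustrative values for `ALLOWED_FIELDS` and `RETENTION_PERIOD` that are not legal guidance. It covers consent collection, data minimization, audited access and deletion from the list above, and also the Retention principle (5) from the earlier section, via a purge job that drops records nobody has used within the policy window.

```python
# Added example (not the article's code): a minimal personal-data store that
# enforces consent-before-write, a field allow-list, audited access, on-request
# deletion and a retention purge. Assumptions: an in-memory dict stands in for
# the database, encryption at rest and HTTPS are handled by the storage and
# transport layers (not shown), and ALLOWED_FIELDS / RETENTION_PERIOD are
# illustrative values, not legal guidance.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ALLOWED_FIELDS = {"name", "email", "phone"}   # data minimisation: no IC number here
RETENTION_PERIOD = timedelta(days=365)        # illustrative retention policy


class ConsentRequired(Exception):
    """Write attempted without an active opt-in on file."""


class FieldNotPermitted(Exception):
    """Write attempted with a field outside the allow-list."""


@dataclass
class Record:
    data: Dict[str, str]
    purpose: str
    last_used_at: datetime


@dataclass
class PersonalDataStore:
    records: Dict[str, Record] = field(default_factory=dict)
    consents: Dict[str, str] = field(default_factory=dict)  # user_id -> purpose
    audit_log: List[str] = field(default_factory=list)

    def _log(self, actor: str, action: str, user_id: str, now: datetime) -> None:
        # Audit trail: who did what to whose data, and when.
        self.audit_log.append(f"{now.isoformat()} {actor} {action} user={user_id}")

    def record_consent(self, user_id: str, purpose: str) -> None:
        # Notice and choice: consent is an explicit call, never a default.
        self.consents[user_id] = purpose

    def store(self, actor: str, user_id: str, data: Dict[str, str], now: datetime) -> None:
        purpose = self.consents.get(user_id)
        if purpose is None:
            raise ConsentRequired(f"no consent on file for {user_id}")
        extra = set(data) - ALLOWED_FIELDS
        if extra:
            raise FieldNotPermitted(f"fields not permitted: {sorted(extra)}")
        self.records[user_id] = Record(dict(data), purpose, now)
        self._log(actor, "STORE", user_id, now)

    def access(self, actor: str, user_id: str, now: datetime) -> Optional[Dict[str, str]]:
        # Access principle: reads are served from the record, logged, and
        # refresh the retention clock.
        rec = self.records.get(user_id)
        if rec is None:
            return None
        rec.last_used_at = now
        self._log(actor, "ACCESS", user_id, now)
        return dict(rec.data)

    def delete_user(self, actor: str, user_id: str, now: datetime) -> bool:
        # Deletion capability: drop the data and the consent, keep the audit entry.
        existed = self.records.pop(user_id, None) is not None
        self.consents.pop(user_id, None)
        self._log(actor, "DELETE", user_id, now)
        return existed

    def purge_expired(self, now: datetime) -> List[str]:
        # Retention principle: remove records unused for longer than RETENTION_PERIOD.
        expired = [uid for uid, rec in self.records.items()
                   if now - rec.last_used_at > RETENTION_PERIOD]
        for uid in expired:
            self.delete_user("retention-job", uid, now)
        return expired


def demo() -> dict:
    """Exercise each control on constructed sample data and report the outcomes."""
    store = PersonalDataStore()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    out = {}
    try:
        store.store("signup", "u1", {"name": "Ali"}, t0)
    except ConsentRequired:
        out["blocked_without_consent"] = True
    store.record_consent("u1", "order-fulfilment")
    try:  # constructed placeholder IC number, rejected by the allow-list
        store.store("signup", "u1", {"name": "Ali", "ic_number": "000000-00-0000"}, t0)
    except FieldNotPermitted:
        out["blocked_ic_number"] = True
    store.store("signup", "u1", {"name": "Ali", "email": "ali@example.com"}, t0)
    out["access"] = store.access("u1", "u1", t0)
    out["purged_early"] = store.purge_expired(t0 + timedelta(days=30))
    out["purged_late"] = store.purge_expired(t0 + timedelta(days=400))
    out["after_purge"] = store.access("support", "u1", t0 + timedelta(days=400))
    out["audit_entries"] = len(store.audit_log)
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the retention purge reuses the same deletion path a user request would, so there is one code path to test and one audit entry shape to search for; the audit log survives deletion on purpose, because "who accessed what" is exactly the question you need to answer after the data itself is gone.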
Common Mistakes
1. **Collecting "just in case" data.** Don't ask for fields you might need someday. Only collect what you need now.
2. **No way to delete data.** If a user asks you to remove their data and you can't, that's a problem.
3. **Storing passwords in plain text.** This still happens. Always hash passwords (bcrypt, argon2).
4. **No SSL/HTTPS.** In 2026, there's no excuse. Use HTTPS for everything.
5. **Sharing data with analytics tools without disclosure.** If you use Google Analytics or similar, say so in your privacy policy.
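Mistake 3 is the one with the cleanest code fix. The block below is an added example, not code from the original article or its authors. The article names bcrypt and argon2; this version uses `hashlib.scrypt` from the Python standard library instead so it runs without third-party packages, and the same pattern (random salt per user, store the parameters alongside the hash, compare in constant time, re-hash when the policy gets stronger) carries over unchanged to `bcrypt` or `argon2-cffi`. The cost parameters are illustrative, not a tuned production setting.

```python
# Added example (not the article's code): salted, memory-hard password hashing
# with hashlib.scrypt. The article recommends bcrypt or argon2; scrypt is used
# here only so the example runs on a bare standard library. N, R, P are
# illustrative cost parameters, not a production recommendation.
import hashlib
import hmac
import os
from typing import Optional

N, R, P = 2 ** 14, 8, 1   # CPU/memory cost, block size, parallelism (illustrative)
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed list. The optional salt argument exists only for testing.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.

    Anything that is not a well-formed scrypt record (for example a legacy
    plaintext value) fails closed rather than being compared as a string.
    """
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        expected = bytes.fromhex(hash_hex)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was hashed with a weaker cost than the current policy.

    Call this after a successful login and re-hash with the user's plaintext
    password while you still have it; that is how a table of old hashes gets
    upgraded without forcing a reset.
    """
    try:
        scheme, n, _r, _p, _salt, _hash = stored.split("$")
    except ValueError:
        return True          # not one of ours (e.g. plaintext): must be replaced
    return scheme != "scrypt" or int(n) < N


def login(stored: str, password: str) -> Optional[str]:
    """Verify and, if needed, return an upgraded record to write back."""
    if not verify_password(password, stored):
        return None
    return hash_password(password) if needs_rehash(stored) else stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

Storing the scheme and cost parameters inside the record is what makes `needs_rehash` possible: when you raise `N` later, existing users are upgraded transparently at their next login, and a record that was never hashed at all (a leftover plaintext value) is rejected by `verify_password` rather than silently accepted.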
Our Approach
We're not PDPA certified (that's not really a thing for dev shops), but we follow these principles as standard practice on every project. It's baked into how we build, not bolted on as an afterthought.
If you're building an app that handles personal data and you're not sure what you need to comply with, we can help you figure that out as part of the development process.
---
*Building an app that handles personal data? [Let's chat](/contact) about getting the security foundations right from the start.*