By Gabriel
Since the Personal Data Protection (Amendment) Act 2024 took full effect, Malaysian organisations face mandatory data breach notification, stricter consent requirements, and the real prospect of fines reaching RM1 million per offence under Act 854. Many compliance officers and HR managers are now asking the same question: how do we train our people fast, and who pays for it? The answer, for levy-paying employers, is HRD Corp claimable cybersecurity compliance training, and this article explains exactly how to use it.
Key Takeaways
Act 854, Malaysia's Personal Data Protection Act 2010, was substantially amended in 2024. The amendments introduced a 72-hour breach notification window, expanded the definition of sensitive personal data, and increased maximum fines to RM1 million for certain offences.
These are not theoretical risks. The Personal Data Protection Commissioner has signalled closer scrutiny of financial services, healthcare, and e-commerce sectors. A breach combined with no evidence of staff training is a compounding liability, not a simple oversight.
The practical implication is clear: compliance is no longer purely a legal function. IT managers, HR managers, and line supervisors all handle personal data and all need structured knowledge of their obligations under Act 854.
Employers registered with HRD Corp and current on their Human Resource Development levy contributions can claim training costs through the SBL-Khas (Skim Bantuan Latihan Khas) scheme. Approved programmes are fully claimable, meaning the employer pays nothing out of pocket for eligible training.
To qualify, the training provider must be registered with HRD Corp, the programme must be submitted and approved before training commences, and attendance records must be maintained. Claims are submitted post-training via the HRD Corp e-TRiS system.
Cybersecurity compliance programmes specifically designed around Act 854, data protection principles, and breach response protocols qualify under the scheme. Generic vendor-led IT security courses that do not reference Malaysian law typically do not produce the compliance evidence your organisation needs, even if they are claimable.
Not every programme labelled "cybersecurity training" addresses your legal exposure under Act 854. A programme built for compliance should cover the following areas substantively.
Core modules for Act 854 compliance training
A programme that addresses all six areas equips participants to act, not merely to understand. The Commissioner's office looks for evidence that staff can execute breach response, not just recite the law.
While Act 854 as amended does not yet mandate a data protection officer for all organisations, the Commissioner has consistently encouraged appointment as a governance best practice. Organisations under investigation that can point to a trained, designated DPO demonstrate a credible compliance programme.
HRD Corp claimable training can fund the development of an internal DPO or a compliance officer with the knowledge to manage data subject access requests, conduct privacy impact assessments, and coordinate breach notifications. This builds permanent institutional capability rather than relying on periodic external consultants.
For SMEs where a dedicated DPO is not operationally feasible, DPO-as-a-Service arrangements can complement internal training, ensuring coverage without a full-time headcount commitment.
C-suite approval for compliance training is easier when the cost is zero. If your organisation pays the HRD Corp levy and has not claimed against it for cybersecurity or data protection training, that levy is a sunk cost returning no value.
Present the decision as a straightforward one. A structured Act 854 training programme, fully funded through SBL-Khas, reduces regulatory exposure, builds internal competence, and creates a documented compliance trail that can materially affect the outcome of a Commissioner investigation.
The RM1 million maximum fine, combined with reputational damage from a publicised breach, dwarfs any administrative effort required to submit an HRD Corp claim. The calculus favours action.
Confirm your organisation's HRD Corp levy status and available balance first. Then identify a registered training provider whose programme is explicitly built around Act 854 and the 2024 amendment, not adapted from a generic international cybersecurity curriculum. Submit your SBL-Khas application before training begins, since retrospective claims are not accepted. The single most practical step you can take this week is to schedule a scoping call with a provider who can confirm HRD Corp approval status and tailor the programme to your industry's specific data handling environment.