By Gabriel

HRD Corp Claimable Cybersecurity Compliance Training Malaysia: What Every Employer Needs to Know in 2026

The Personal Data Protection (Amendment) Act 2024 has raised the maximum fine for data breaches to RM1 million per offence, yet a 2025 NACSA survey found that fewer than 30% of Malaysian SMEs had conducted any structured cybersecurity training in the preceding 12 months. The gap between legal exposure and workforce readiness is widening. HRD Corp claimable cybersecurity compliance training gives Malaysian employers a funded, practical route to close it.

Key Takeaways

  • HRD Corp levy-paying employers can claim cybersecurity and PDPA compliance training costs under the SBL-Khas scheme at no net outlay.
  • The PDPA 2024 amendment introduces mandatory data breach notification, expanded data subject rights, and significantly higher penalties under Malaysian law.
  • Eligible programmes must be delivered by an HRD Corp registered training provider and aligned to gazetted competency frameworks.
  • Roles that benefit most include compliance officers, data protection officers, IT managers, HR managers, and frontline staff handling personal data.
  • Structured training creates a documented audit trail, which regulators and auditors treat as evidence of due diligence.

Why the Regulatory Clock Is Already Running

The Personal Data Protection (Amendment) Act 2024, gazetted and progressively enforced from 2025 into 2026, is not a future obligation. It is current law. Organisations that process personal data of Malaysian residents must now comply with mandatory data breach notification within 72 hours of discovery, a requirement that did not exist under the original PDPA 2010.

The amended Act also broadens the definition of sensitive personal data and introduces stricter accountability for data processors, not just data controllers. A vendor who mishandles your customers' data can now implicate your organisation directly. Legal counsel and compliance officers who have not updated their frameworks since 2023 are operating on outdated assumptions.

Regulators do not accept "we were unaware" as a mitigating factor. They do, however, give weight to documented training programmes and internal governance records when assessing penalties. Training is no longer a nicety. It is a risk management instrument.

How HRD Corp Funding Works Under Act 854

The Human Resources Development Corporation, established under the Pembangunan Sumber Manusia Berhad Act 2001 and operating today under Act 854, collects a mandatory levy of 1% of monthly payroll from employers with ten or more Malaysian employees. That levy sits in a fund that employers can draw on for approved training. Many organisations pay in consistently but claim rarely, leaving substantial credit unused.

The SBL-Khas scheme, the primary grant mechanism, covers training fees for programmes delivered by registered HRD Corp training providers. Employers submit an application before the training commences, and reimbursement or direct payment follows upon completion and submission of supporting documents including attendance records and assessment outcomes.

Cybersecurity and PDPA compliance programmes qualify when they are mapped to recognised competency standards, such as those under the National Occupational Skills Standard, and delivered by a registered provider. The practical effect is that a well-structured two-day compliance workshop for ten staff members can cost the employer nothing beyond administrative time.

What a Qualifying Programme Should Cover

Not every training session labelled "cybersecurity" meets HRD Corp approval criteria or, more critically, your organisation's actual compliance requirements. A programme that qualifies for claim and delivers genuine workforce competency should address the following areas.

For Compliance Officers and Data Protection Officers

  • The seven data protection principles under PDPA 2010 and how the 2024 amendment modifies their application
  • Mandatory breach notification procedures: identification, containment, reporting timelines, and regulator communication
  • Data Protection Impact Assessment methodology and when it is triggered
  • Drafting and reviewing data processing agreements with third-party vendors
  • Handling data subject access requests within the statutory 21-day window

For IT Managers and Technical Staff

  • Network security fundamentals and vulnerability management aligned to Malaysian Critical Information Infrastructure requirements
  • Incident response planning and tabletop exercise facilitation
  • Secure configuration, access control, and endpoint protection
  • Cloud data governance for organisations using Malaysian and cross-border hosted services

For HR Managers and General Staff

  • Identifying and handling personal data in daily workflows, including recruitment records and payroll processing
  • Phishing awareness and social engineering recognition
  • Internal reporting obligations when a suspected breach occurs

Common Mistakes Malaysian Employers Make When Claiming

The most frequent reason HRD Corp claims are rejected is late submission. Applications must be approved before the training date, not submitted retrospectively. Employers who arrange training and then attempt to claim are routinely turned away regardless of the programme's quality.

The second common error is selecting a provider that is not registered with HRD Corp, or one whose programme syllabus does not align with the approved competency framework stated in the application. Verify registration status on the HRD Corp employer portal before signing any training agreement.

Third, organisations underestimate the documentation required post-training. Attendance sheets, assessment results, trainer credentials, and the training provider's invoice must all be submitted in the prescribed format. Missing a single document can delay reimbursement by weeks.

Building a Training Calendar That Serves Compliance and Business Goals

A single workshop is not a compliance programme. Regulators and auditors look for a repeatable, documented training cycle: an annual schedule with role-specific modules, refresher sessions when legislation changes, and records that show which employees completed which training and when.

Structuring your HRD Corp claims across a 12-month calendar also allows you to train different employee cohorts without exhausting your levy balance in a single quarter. A phased approach, starting with your data protection officer and compliance officers, then IT teams, then HR and operations staff, distributes both the learning and the administrative load sensibly.

Organisations that treat HRD Corp funding as a strategic resource rather than an ad hoc reimbursement mechanism consistently achieve higher claim utilisation and, more importantly, a workforce that is genuinely prepared to meet regulatory obligations. Start by auditing your current levy balance, identify your highest-risk compliance gaps, and map a training programme that addresses both. That single step will move you further than any policy document written without the training to back it up.

Orbixtech is an HRD Corp registered training provider offering PDPA compliance and cybersecurity programmes claimable under the SBL-Khas scheme. Our programmes are designed for compliance officers, data protection officers, IT managers, and HR teams at Malaysian SMEs, GLCs, and corporations operating under Act 854.