
By Iva Karen
KUALA LUMPUR, June 20 – As corporate deals and investments surge across Malaysia and the region, companies should be mindful of the hidden risks of ignoring data privacy obligations during due diligence checks, says an industry analyst.
When companies investigate the background of a potential acquisition or business partner, they often handle sensitive personal data, from employee records to customer databases, pointed out Raymon Ram, Managing Principal of Graymatter Forensic Advisory Sdn Bhd.
“Failing to follow privacy laws during this process can lead to serious consequences, both legally and financially. Under the European Union’s General Data Protection Regulation (GDPR), organisations that violate privacy rules can face penalties of up to €20 million or 4% of global annual revenue, whichever is higher.
“Malaysia’s Personal Data Protection Act (PDPA), meanwhile, carries its own weighty enforcement measures — including criminal penalties such as fines and imprisonment. Company directors may also be held personally liable for breaches under local law. These laws are not symbolic. They are actively enforced,” he said.
Raymon added that a simple mistake, like uploading unredacted employee contracts to a shared data room, could trigger a regulatory investigation or fine.
“Beyond legal penalties, there are reputational risks that may be even harder to recover from. Mishandling sensitive data during a deal process can lead to public backlash, loss of customer trust, and negative media coverage.
“In some cases, the damage may outweigh the potential value of the deal itself. For example, if employee or customer data is leaked or misused during due diligence, affected parties may view the company as careless or untrustworthy. This can erode goodwill among stakeholders, disrupt operations, and ultimately weaken market confidence,” he stressed.
He highlighted that under GDPR, individuals whose data has been mishandled have a right to compensation for material or non-material damage (Article 82), enforceable in court against the controller or processor responsible.
“While Malaysia’s PDPA does not currently allow private lawsuits for data breaches, ongoing legislative reforms suggest this could change in the near future — potentially opening the door to a wave of future claims.”
Raymon therefore urged companies to view privacy compliance not as a bureaucratic burden, but as a critical investment in risk management.
“Establishing clear protocols, conducting privacy impact assessments, and training internal teams on proper data handling during due diligence are now seen as best practices.
“Skipping data protection safeguards in a background check can result in regulatory sanctions, legal disputes, derailed transactions, and reputational damage. The cost of getting privacy wrong far exceeds the cost of doing it right,” he reiterated.
— WE