The issue of data privacy, as well as its security and policy management has received a fair share of media attention since the introduction of the Personal Data Protection Act 2010 (PDPA) in Malaysia. Governments around the world have variously introduced similar laws such as the Australian Privacy Act of 1988, and the European General Data Protection Regulation of 2018. An understudied area in data privacy and security management is the way student data is managed in Malaysian private universities. This study aims to gain an in-depth understanding—within the context of a Malaysian private university—the various challenges of managing personal student data privacy and security; to better understand how student personal data privacy policies and related issues are being addressed within the regulatory requirements of the Personal Data Protection Act; and to propose a wholistic framework to address the management of student data privacy and security in Malaysian private universities given the pervasive presence of the Internet of Things. Through qualitative research methods such as interviews, qualitative content coding and thematic network analysis— this study has arrived at a thematic network map that consists of four organising themes—regulatory compliance, security, risk, and concerns as well as data privacy. We conclude that these four themes of data privacy management in a Malaysian private university would point the way to the next step in the creation of a comprehensive framework to address the management of student data privacy and security in Malaysian private universities.