With the increasing number of smart devices and connections in the Internet of Things (IoT) come risks, specifically involving consumer data protection. In this respect, this exploratory research examines the current issues of IoT and personal data protection in Malaysia, including: regulatory frameworks and data governance; issues and gaps; and key challenges in implementation. Results from this mixed-methods research indicate that a majority of consumers expressed concern about personal data risks due to increased usage of IoT devices. Moreover, there is a crucial need to increase regulation and accountability in the industry. In this regard, collaboration and partnerships between the main stakeholders are essential in tackling emerging issues of IoT and personal data protection. In order to strengthen IoT data governance, the fundamentals should be: strengthening consumer education and smart partnership between government-industry-civil society; providing motivation for active participation of NGOs and civil society; and obtaining industry buy-in. This paper also proposes a structure for the governance of evolving data-related technology, particularly in the case of data breaches or cyber incidents. It adds to the wider discussion of the current scenario, and proposes a model of collective responsibility in IoT data governance that is underpinned by the three principles of fair information practices, privacy impact assessment and privacy accountability.