
Compliance Guide · Singapore

PDPA Compliance Guide

The Personal Data Protection Act governs how every business in Singapore collects, uses, and protects personal data — from a one-person consultancy to a multinational. Here is the operating manual: the 9 obligations, the 3-day breach window, the real fines, and the fastest path to a defensible programme.

  • Regulator: Personal Data Protection Commission (PDPC)
  • Enacted: 2012 · Amended 2020
  • Coverage: All private-sector organisations
  • Validity: Continuous — no expiry
Figure: PDPA Singapore compliance framework — the nine data protection obligations for SMBs

  • 9 data-protection obligations to operationalise
  • 3 days to notify the PDPC of a notifiable breach
  • S$1M maximum fine — or 10% of Singapore turnover
  • Required: DPO appointment for every organisation

Who needs to comply with PDPA?

Every private-sector organisation that collects, uses, or discloses personal data about an individual in Singapore must comply with PDPA — regardless of where the organisation is headquartered or where its servers live. A US SaaS company with one Singapore customer is in scope. A Singapore-incorporated holding company processing data of EU residents is also in scope (alongside GDPR).

"Personal data" is broadly defined: any data, true or false, about an individual who can be identified — name, NRIC, email, phone, IP address, photo, voice recording, behavioural profile, employee record, or any combination that identifies a person.

  • SMEs and startups — no exemptions based on size or revenue
  • Multinationals with Singapore operations or customers
  • SaaS, platforms and marketplaces serving Singapore users
  • Healthcare, fintech, edtech, e-commerce — typically high-risk categories
  • Data intermediaries (vendors processing data on your behalf) have a narrower set of obligations but are still in scope

Public sector agencies are governed by the Public Sector (Governance) Act rather than PDPA, but vendors providing services to government must usually meet equivalent or stricter standards.

The 9 PDPA data protection obligations

PDPA's heart is a set of nine principles-based obligations. You must operationalise each one with policies, processes, and technical controls.

  1. Consent: Collect, use, and disclose personal data only with valid consent, or under a recognised exception (legitimate interests, business asset transactions, etc.).
  2. Purpose Limitation: Use data only for purposes a reasonable person would consider appropriate and that the individual has been notified of.
  3. Notification: Tell individuals the purposes for which their data is being collected, used, or disclosed, at or before collection.
  4. Access & Correction: Provide individuals with access to their personal data on request and let them correct errors.
  5. Accuracy: Make a reasonable effort to ensure personal data is accurate and complete, especially when it is used for decisions about the individual.
  6. Protection: Implement reasonable security arrangements: encryption, access controls, MFA, endpoint security, vendor due diligence, employee training.
  7. Retention Limitation: Cease retention or anonymise personal data when the original purpose is no longer being served and there is no other legal or business reason to keep it.
  8. Transfer Limitation: Personal data transferred outside Singapore must receive a comparable standard of protection (contractual clauses, BCRs, certifications).
  9. Openness: Develop and publish data protection policies. Appoint a DPO and publish their contact details. Make practices transparent to individuals.

Three additional obligations were added in the 2020 PDPA Amendment: Accountability (formerly Openness), Mandatory Data Breach Notification, and the Data Portability Obligation (in force only when subsidiary legislation is issued).

Data Protection Officer (DPO)

Appointing at least one DPO is mandatory for every organisation — there is no exemption based on size, revenue, or industry. The DPO is your accountable person for PDPA: they oversee compliance, handle access/correction requests, manage breach response, and act as the primary point of contact for the PDPC.

  • The DPO can be an internal employee (often the founder, COO, head of operations, or IT lead in smaller orgs)
  • It can be an outsourced or virtual DPO from a qualified service provider
  • The contact details must be published (typically a dedicated page or footer link) and registered with ACRA via the Practitioners Certificate of Insurance filing
  • The DPO does not need to be a lawyer but should be trained — the IMDA's Practitioner Certificate in Personal Data Protection (PCPDP) is widely recognised

Mandatory data breach notification

Since 1 February 2021, organisations have a statutory duty to notify the PDPC of data breaches that meet either of these tests:

  1. Significant harm — the breach results in, or is likely to result in, significant harm to affected individuals (financial loss, identity theft, etc.)
  2. Significant scale — the breach affects 500 or more individuals

The deadlines:

  • To the PDPC: as soon as practicable and no later than 3 calendar days from when you have reason to believe a notifiable breach has occurred
  • To affected individuals: at the same time or shortly after — unless an exception applies (e.g. the data was rendered unintelligible by encryption, or notification would impede a criminal investigation)

Practical implication: you need a tested incident response plan, a breach assessment template, communication templates, and a single owner who can authorise notifications inside 72 hours. None of these can be improvised on the day of a breach.

Step-by-step PDPA compliance roadmap

Figure: PDPA Singapore compliance roadmap — appoint a Data Protection Officer, map personal data, implement consent and security controls, monitor and audit

A defensible compliance baseline can be reached in 4–8 weeks for most SMEs. The work falls into four phases:

Phase 1 Govern (Weeks 1–2)

  • Appoint and publish DPO contact details
  • Run a data inventory: what personal data, where it lives, who can access it, where it's transferred
  • Risk-assess each data flow against the 9 obligations

Phase 2 Document (Weeks 2–4)

  • Publish public-facing privacy policy and notification statements
  • Internal policies: data protection policy, retention schedule, vendor due-diligence policy, access request handling SOP
  • Build the Data Protection Management Programme (DPMP) — the PDPC's recommended governance artefact

Phase 3 Protect (Weeks 3–6)

  • Technical controls: MFA, encryption-in-transit and at-rest, endpoint protection, identity governance, logging
  • Vendor risk reviews and updated DPAs (Data Processing Agreements)
  • Mandatory staff training (annual refreshers expected)

Phase 4 Respond & Improve (Ongoing)

  • Tested incident response plan with 3-day PDPC notification path
  • Quarterly access reviews, annual policy refresh
  • Continuous monitoring for new data flows, vendors, and processing activities

Real penalties & enforcement examples

The PDPC publishes its enforcement decisions. They are a far better guide to what "compliance" actually looks like than the Act itself. Notable cases:

  • SingHealth / IHiS (2019) — S$1,000,000 in combined fines following the breach affecting 1.5M patients. Root cause: weak account management, unpatched systems, slow incident response.
  • Commeasure / RedDoorz (2022) — S$74,000 fine after the personal data of 5.9M customers was exposed via an AWS access key embedded in an Android APK.
  • MyRepublic (2022) — S$60,000 fine after 79,388 customers' data was exfiltrated from a third-party data storage facility with insufficient access controls.
  • Recurring DNC violations — multiple SMEs fined S$10K–S$50K per case for sending marketing messages without checking the Do Not Call registry.

Beyond financial penalties, the PDPC routinely issues directions requiring organisations to undertake remedial work (often more costly than the fine itself), and enforcement decisions are publicly named — the reputational impact often exceeds the cash fine.

“The PDPC's enforcement decisions are a far better guide to what compliance actually looks like than the Act itself. Read three of them and you'll know which controls to invest in first.”

— Security Pulse compliance team

Cost & timeline

SME (1–50 staff): 4–8 weeks

Internal effort: ~80–120 hours of DPO/founder time. External support (policies, training, technical setup): typically S$5K–S$25K one-off, then S$500–S$2K/month for ongoing monitoring.

Mid-market (50–500 staff): 8–16 weeks

Multi-departmental effort. External programme: S$25K–S$80K including DPMP, technical controls, vendor reviews, training. Ongoing: S$2K–S$8K/month.

Enterprise (500+): 16+ weeks

Programme work integrating with existing GRC. External advisory + tooling typically S$80K+. Often combined with ISO 27001 or Cyber Trust Mark for portfolio coverage.

How Security Pulse helps with PDPA

Security Pulse is built around the 9 PDPA obligations from the ground up. We provide both the foundational programme and the continuous controls in a single platform — so PDPA compliance isn't a one-off project that decays after audit.

RunWay — Get compliant

  • DPO advisory and registration support
  • Data inventory & flow mapping workshop
  • Policy library aligned to PDPC's DPMP
  • Staff training programme with PDPA-specific content
  • Incident response runbook with 3-day PDPC path

Autopilot — Stay compliant

  • Identity & access controls (MFA, JIT access, quarterly reviews)
  • Endpoint protection on every device with Singapore data
  • Email & cloud security covering the most-exploited paths
  • 24/7 breach detection with auto-alerting to your DPO
  • Evidence vault — produces PDPC-ready reports on demand

PDPA vs GDPR vs HIPAA

|                        | PDPA (Singapore)                 | GDPR (EU/UK)                          | HIPAA (US)                               |
|------------------------|----------------------------------|---------------------------------------|------------------------------------------|
| Scope                  | All Singapore personal data      | EU/UK resident personal data          | US Protected Health Information (PHI)    |
| Max fine               | S$1M or 10% turnover             | €20M or 4% global turnover            | $1.9M/yr per category                    |
| Breach window          | 3 calendar days to PDPC          | 72 hours to supervisory authority     | 60 days to HHS & individuals             |
| DPO required           | Yes — every organisation         | Conditional (high-risk processing)    | Privacy & Security Officers required     |
| Right to be forgotten  | No (not yet)                     | Yes (Art. 17)                         | Limited (correction rights)              |
| Cross-border transfer  | Comparable protection required   | Adequacy / SCCs / BCRs                | Less restrictive (BAAs)                  |

Common questions about PDPA compliance

Who must comply with PDPA in Singapore?

Every private-sector organisation that collects, uses, or discloses personal data of individuals in Singapore — regardless of where the company is headquartered. PDPA applies to your one-person consultancy and to a 5,000-person multinational equally. Public agencies are governed by the separate Public Sector (Governance) Act.

What are the 9 PDPA data protection obligations?

Consent, Purpose Limitation, Notification, Access & Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Openness (which includes appointing a Data Protection Officer and publishing data protection policies). Three additional obligations were added in 2021: Accountability, Notification of Data Breaches, and Data Portability (not yet in force).

How much can the PDPC fine my business?

Since 1 October 2022, the maximum financial penalty is S$1 million OR 10% of annual turnover in Singapore (whichever is higher) for organisations with annual turnover above S$10 million. Smaller organisations are capped at S$1 million. The PDPC has issued financial penalties exceeding S$2.7 million across enforcement actions, with the SingHealth breach alone resulting in S$1 million in fines.

Do I need to appoint a Data Protection Officer (DPO)?

Yes — appointing at least one DPO is mandatory for every organisation under PDPA, with no exceptions for size. The DPO's contact details must be published (typically on your website) and registered with ACRA. The DPO can be an existing employee (such as the COO or IT lead), an outsourced provider, or a virtual DPO service. They must be reasonably reachable in Singapore.

What counts as a notifiable data breach?

A breach is notifiable if it (a) results in, or is likely to result in, significant harm to affected individuals, OR (b) affects 500 or more individuals. You must notify the PDPC as soon as practicable and no later than 3 calendar days from determining a notifiable breach. Affected individuals must also be notified unless an exception applies (e.g. the data was protected by encryption that would prevent harm).

How long does PDPA compliance take?

For most SMEs starting from scratch, expect 4–8 weeks to reach a defensible compliance baseline: DPO appointment, data inventory, policy publication, consent mechanisms, security controls, and breach response procedures. Mid-market firms with complex data flows or legacy systems should plan for 8–16 weeks. Ongoing compliance is continuous — annual reviews are standard practice.

Does PDPA apply to data transferred out of Singapore?

Yes. The Transfer Limitation Obligation requires that personal data transferred outside Singapore must receive a standard of protection comparable to PDPA. Acceptable mechanisms include the recipient being subject to comparable laws, contractual clauses (such as the ASEAN Model Contractual Clauses), binding corporate rules, or specified certifications like APEC CBPR.

How is PDPA different from GDPR?

PDPA is principles-based and consent-driven; GDPR is rights-based with broader extraterritorial reach. PDPA fines are capped at S$1M / 10% turnover; GDPR fines reach €20M / 4% global turnover. PDPA's breach notification is 3 days vs GDPR's 72 hours. PDPA does not (yet) recognise a 'right to be forgotten' the way GDPR does. If you serve EU customers from Singapore, you'll need to comply with both.

What about the Do Not Call (DNC) Registry?

DNC obligations are part of PDPA and apply to organisations sending marketing messages to Singapore phone numbers via voice call, text, or fax. You must check the DNC registers (or rely on a valid clear-and-unambiguous consent) before sending. Penalties of up to S$1M apply, and unsolicited marketing has been one of the most-fined categories under PDPA.

How does Security Pulse help with PDPA compliance?

Security Pulse maps directly to the 9 PDPA obligations. RunWay handles the foundational setup — DPO support, data inventory, policies, staff training, and the PDPC-aligned Data Protection Management Programme (DPMP). Autopilot then runs continuously: identity controls, endpoint protection, breach detection, audit logs, and an evidence vault that produces reports for PDPC investigations on demand.

Make PDPA the easiest compliance you'll ever run.