If you run a small or mid-sized business in Singapore, the Personal Data Protection Act applies to you. There is no size exemption. A 5-person startup collecting customer emails has the same legal obligations as a bank.

The difference is that banks have compliance teams. You probably don't.

This checklist translates PDPA requirements into specific actions sized for small businesses. It covers what you legally must do, what the PDPC actually looks for during enforcement, and what gaps have led to fines in recent cases.

For a complete background on the law itself — the 11 obligations, fines, who enforces it, who needs to comply, and how the certification path works — see our complete PDPA compliance guide.

Last updated: April 2026.

Understanding the stakes

The PDPC can impose financial penalties of up to SGD 1 million or 10% of your annual Singapore turnover, whichever is higher. For organizations with turnover exceeding SGD 10 million, penalties scale further.

This is not theoretical. In 2024 and 2025, the PDPC fined multiple small and mid-sized organizations:

  • Singapore Data Hub (SaaS provider): SGD 17,500 for a breach exposing 689,000 individuals. Root cause: publicly accessible servers running outdated operating systems.
  • People Central (HR SaaS provider): SGD 17,500 for a breach affecting 95,000 individuals. Root cause: inadequate access controls.
  • Marina Bay Sands: SGD 315,000 for a breach affecting 665,495 patrons. Root cause: no post-migration security review, no regular vulnerability scanning.

The pattern across enforcement decisions is consistent: weak passwords, outdated software, no vulnerability scanning, and no incident response planning. These are basic hygiene failures, not sophisticated attacks.

Part 1: Accountability (Obligation #1)

PDPA Sections 11 and 12 require organizations to be accountable for the personal data they handle.

Appoint a Data Protection Officer (DPO)

Every organization must designate at least one individual responsible for PDPA compliance. In a small business, this can be the founder, office manager, or IT lead. The role doesn't require a certification, but the person must understand PDPA obligations and have authority to implement data protection measures.

Publish your DPO's contact information on your website and in your privacy policy. The PDPC checks for this.

Develop a Data Protection Policy

Document how your organization collects, uses, stores, and disposes of personal data. This doesn't need to be a 50-page manual. A 3-5 page internal document covering the key processes is sufficient for a small business. What matters is that it exists, it's specific to your operations, and staff know about it.

Create a data inventory

Map out what personal data you hold, where it's stored, who has access, and what it's used for. Include: customer databases, employee records, email lists, payment information, CRM data, HR systems, and any data held by third-party SaaS tools.

This inventory is the foundation of everything else. Without knowing what data you have, you can't protect it.

Conduct a gap assessment

Compare your current practices against PDPA requirements. Identify where you fall short. Prioritize closing the gaps with the highest regulatory and operational risk.

Part 2: Notification and Consent (Obligations #2-3)

PDPA Sections 13-17 require you to notify individuals about your data practices and obtain consent.

Publish a Privacy Policy

Your privacy policy must clearly state:

  • What personal data you collect
  • Why you collect it (the purposes)
  • How you use and may disclose it
  • How individuals can access or correct their data
  • How they can withdraw consent
  • Your DPO's contact details

Place it on your website, in your app, and anywhere you collect personal data. Make it readable, not a wall of legalese.

Obtain valid consent before collecting data

Consent must be informed and voluntary. Users must understand what they're agreeing to before providing personal data. Pre-ticked checkboxes don't count. Burying consent in terms of service that nobody reads is risky.

For existing data collected before PDPA took effect, you can rely on "deemed consent" if individuals were previously notified of the purpose and didn't object.

Implement consent withdrawal mechanisms

Individuals have the right to withdraw consent at any time. You must make this process easy and clearly communicated. An email address or a form on your website is sufficient for a small business. Process withdrawal requests within a reasonable timeframe (typically 30 days or fewer).

Do not collect more data than necessary

Only collect personal data that serves a stated purpose. If you run an ecommerce store, you need a shipping address. You don't need a customer's NRIC number. The PDPC takes a dim view of over-collection.

Part 3: Purpose Limitation (Obligation #4)

PDPA Section 18 restricts how you use personal data.

Use data only for the purposes you stated

If you collected email addresses for order confirmations, you can't add those addresses to a marketing mailing list without separate consent.

Document the purpose for each data collection point

For each form, registration page, or data collection touchpoint, record the specific purpose. This documentation matters during a PDPC investigation.

Review and retire old data purposes

If you collected data for a project that's finished, a product that's discontinued, or a purpose that no longer applies, you should stop using that data and consider disposing of it.

Part 4: Access and Correction (Obligations #5-6)

PDPA Sections 21-22 give individuals the right to access and correct their personal data.

Set up a process for access requests

Individuals can ask to see the personal data you hold about them. You must respond within 30 days. For a small business, a simple email-based process works. Designate who handles these requests internally and document the response workflow.

Set up a process for correction requests

If an individual identifies an error in their personal data, you must correct it within 30 days (unless there's a valid reason not to). Send the corrected data to any organization you disclosed the original data to within the past year.

Know what you can charge

You may charge a reasonable fee for access requests, but the fee must reflect the actual cost of providing access. Keep it reasonable or waive it. Excessive fees invite PDPC scrutiny.

Part 5: Data Accuracy (Obligation #7)

PDPA Section 23 requires that personal data be accurate and complete.

Verify data at the point of collection

Use form validation, email confirmation, and other basic checks to ensure the data you collect is accurate from the start.

Provide easy ways for users to update their data

Offer self-service account settings, profile pages, or a clear contact process. The easier you make it, the more accurate your data stays.

Periodically review stored data for accuracy

For data you use for ongoing purposes (like customer communication), establish a review cycle. Annual is fine for most small businesses.

Part 6: Protection (Obligation #8)

PDPA Section 24 requires reasonable security arrangements to protect personal data. This is the obligation most frequently cited in PDPC enforcement actions.

Implement access controls

Not everyone in your organization needs access to all data. Set role-based access. Use the principle of least privilege: employees get access only to the data they need for their specific role.

Enforce strong password policies

The PDPC has specifically cited weak password policies as a failure in multiple enforcement decisions. Require a minimum password length (12+ characters), complexity requirements, and prohibit password reuse. Use a password manager.

Enable multi-factor authentication (MFA)

MFA should be mandatory for all accounts that access personal data. This includes email accounts, CRM systems, HR platforms, cloud storage, and admin panels. SMS-based MFA is better than nothing, authenticator apps are stronger, and phishing-resistant methods such as security keys are strongest.

Encrypt personal data in transit and at rest

Use HTTPS for all web-based services. Encrypt databases containing personal data. Encrypt laptops and mobile devices. If you're using cloud services (SaaS), verify that your provider encrypts data at rest.

Keep software updated and patched

Outdated software is the single most cited vulnerability in Singapore breach cases. The Singapore Data Hub breach happened because servers were running outdated operating systems. Establish a patching schedule: monthly at minimum for critical systems, and immediately for critical CVEs.

Conduct vulnerability assessments

The PDPC expects organizations to conduct periodic security reviews, including vulnerability scanning. For a small business, a quarterly external vulnerability scan and an annual penetration test (or at least one after any major system change) are a reasonable standard.

Secure physical access

Lock server rooms. Encrypt portable devices. Implement screen locks. Shred physical documents containing personal data before disposal.

Manage vendor security

If you use SaaS tools that process personal data (CRM, HR, accounting, email marketing), you remain responsible for that data under the PDPA. Review vendor security practices. Include data protection clauses in vendor contracts. The People Central case demonstrated that vendor breaches become your compliance problem.

Part 7: Retention and Disposal (Obligation #9)

PDPA Section 25 requires that you stop retaining personal data when it's no longer needed.

Define retention periods for each data category

How long do you keep customer records after they stop doing business with you? Employee records after they leave? Marketing leads that never converted? Define a period for each type and stick to it.

Implement secure disposal procedures

When the retention period expires, dispose of the data securely. Digital data should be permanently deleted (not just moved to trash). Physical documents should be shredded. Decommissioned hard drives should be wiped or physically destroyed.

Audit data stores for unnecessary retention

Check old databases, archived email accounts, legacy CRM exports, and shared drives full of spreadsheets. Every piece of personal data you retain beyond its useful life is liability without value.

Part 8: Data Transfers (Obligation #10)

PDPA Section 26 restricts the transfer of personal data outside Singapore.

Identify all cross-border data transfers

If you use cloud services hosted outside Singapore (which most SaaS tools are), personal data is being transferred internationally. Map out which services, which data, and where the servers are located.

Ensure comparable protection in the receiving country

The receiving country must have data protection laws comparable to the PDPA, or the recipient must be contractually bound to provide equivalent protection. Standard contractual clauses in your vendor agreements typically satisfy this requirement.

Consider APEC CBPR certification

For organizations regularly transferring data across Asia-Pacific, the APEC Cross-Border Privacy Rules system provides a recognized framework. The PDP Regulations recognize APEC CBPR and PRP certifications.

Part 9: Breach Notification (Obligation #11)

PDPA Sections 26A-26E require notification of data breaches. This is where most SMBs are least prepared.

Know what constitutes a "notifiable data breach"

A breach is notifiable if it:

  • Results in, or is likely to result in, significant harm to affected individuals, OR
  • Is of a significant scale (affects 500 or more individuals)

Significant harm includes financial loss, identity theft, physical harm, or damage to reputation.

Build a breach response plan

Document the steps your organization will take when (not if) a breach occurs. Include:

  • Who leads the response (DPO? Founder? IT lead?)
  • How to assess whether the breach is notifiable
  • How to contain the breach
  • Communication templates for PDPC notification and affected individuals
  • Contact information for your legal advisor and any incident response provider

Know the notification timelines

  • Notify the PDPC: within 3 calendar days of determining the breach is notifiable
  • Notify affected individuals: as soon as practicable, at the same time or after notifying the PDPC

Three calendar days is extremely tight. If you're figuring out your notification process for the first time during an active breach, you will almost certainly miss the deadline.

Prepare a PDPC notification template

The PDPC requires specific information in a breach notification:

  • Nature and circumstances of the breach
  • Types of personal data involved
  • Number of affected individuals
  • Measures taken to contain the breach
  • Measures taken to prevent recurrence
  • Contact details for the DPO

Having a template ready means you fill in specifics rather than starting from scratch under crisis pressure.

Maintain an incident log

Document every security incident, even those that don't meet the notifiable threshold. This log demonstrates due diligence to the PDPC and helps you identify patterns that might indicate a larger problem.
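As an added example (not part of the original checklist), the notifiability rule, the 3-calendar-day PDPC deadline, and the notification template above, applied to a constructed incident log in which every incident is recorded whether notifiable or not. The thresholds and harm categories are taken from the text; the incident records, field names and DPO address are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds and harm categories as stated in the checklist above.
SIGNIFICANT_SCALE = 500
SIGNIFICANT_HARM = {"financial loss", "identity theft", "physical harm", "damage to reputation"}
PDPC_DEADLINE_DAYS = 3  # calendar days after determining the breach is notifiable

@dataclass
class Incident:
    ref: str
    nature: str
    data_types: list
    affected: int
    harms: set  # likely harm categories identified during assessment
    containment: str
    prevention: str
    dpo_contact: str
    determined_at: datetime  # when notifiability was decided; this starts the clock

def is_notifiable(inc):
    """Notifiable if significant harm is likely OR 500+ individuals are affected."""
    return bool(inc.harms & SIGNIFICANT_HARM) or inc.affected >= SIGNIFICANT_SCALE

def pdpc_deadline(inc):
    """Latest time to notify the PDPC, or None when notification is not required."""
    if not is_notifiable(inc):
        return None
    return inc.determined_at + timedelta(days=PDPC_DEADLINE_DAYS)

def notification(inc):
    """Fill the six PDPC notification fields from the log entry."""
    return {
        "nature_and_circumstances": inc.nature,
        "personal_data_types": sorted(inc.data_types),
        "affected_individuals": inc.affected,
        "containment_measures": inc.containment,
        "prevention_measures": inc.prevention,
        "dpo_contact": inc.dpo_contact,
    }

# Constructed sample log (hypothetical incidents and DPO address).
LOG = [
    Incident("INC-001", "Misconfigured storage bucket exposed an order export", ["name", "email"],
             1200, set(), "Bucket made private", "Config check added", "dpo@example.com", datetime(2026, 4, 1, 9, 0)),
    Incident("INC-002", "Payroll mailbox phished; bank details viewed", ["name", "bank account"], 30,
             {"financial loss"}, "Credentials reset", "MFA enforced", "dpo@example.com", datetime(2026, 4, 2, 14, 0)),
    Incident("INC-003", "Encrypted laptop lost", ["name"], 40, set(), "Remote wipe", "Fleet encryption audit",
             "dpo@example.com", datetime(2026, 4, 3, 8, 0)),
]
```

INC-001 is notifiable on scale alone, INC-002 on likely harm despite only 30 individuals, and INC-003 on neither, which is exactly the distinction the log must record.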

Part 10: Do Not Call (DNC) Registry

PDPA Part IX governs telemarketing.

Check the DNC registry before marketing calls or messages

If your business sends marketing messages or makes marketing calls, you must check the DNC registry. Non-compliance with DNC provisions is a criminal offense punishable by a fine of up to SGD 10,000 per offense.

Maintain a DNC suppression list

Keep records of numbers checked against the registry and their DNC status. Update regularly.

Implementation timeline for small businesses

Week 1: Appoint a DPO. Start the data inventory. Publish a privacy policy (or update the existing one).

Week 2-3: Complete the data inventory. Implement access controls and MFA. Review and update password policies.

Week 4: Develop the data protection policy. Set up consent mechanisms and withdrawal processes.

Month 2: Conduct a vulnerability scan. Review vendor contracts for data protection clauses. Define retention periods.

Month 3: Build the breach response plan. Prepare PDPC notification templates. Run a tabletop exercise (even 30 minutes walking through a breach scenario with your team).

Ongoing: Monthly patching. Quarterly vulnerability scans. Annual review of the full checklist.

Estimated cost for a small business (under 20 endpoints)

CSA estimates the cost of implementing basic cyber hygiene measures in Cyber Essentials at SGD 1,800 to SGD 4,500 after government subsidies through CISOaaS and IMDA's SMEs Go Digital Programme.

This is a fraction of the minimum PDPC fine in any recent enforcement decision (SGD 17,500) and an even smaller fraction of the breach recovery costs.

How SecurityPulse helps with PDPA compliance

Continuous security monitoring is one of the PDPC's expectations under the Protection Obligation. SecurityPulse provides:

  • Automated vulnerability detection across your endpoints and cloud services
  • Real-time alert monitoring that satisfies the "reasonable security arrangements" standard
  • Incident detection and documentation that provides the evidence trail the PDPC expects
  • Breach assessment support to help determine if an incident is notifiable within the 3-day window

For teams without a dedicated compliance or security hire, SecurityPulse turns PDPA's protection requirements from a staffing problem into a tool configuration.
