How to Report a Data Breach to PDPC Singapore: Complete 2026 Guide
Under Singapore's Personal Data Protection Act (PDPA), organisations are legally required to notify the Personal Data Protection Commission (PDPC) of certain data breaches. Since the Mandatory Data Breach Notification (MDBN) regime came into force on 1 February 2021, every business that handles personal data in Singapore must understand when, how, and what to report. This guide walks you through the full process of reporting a data breach to the PDPC, including assessment thresholds, statutory timelines, and the exact steps to take in the critical hours after a breach is discovered.
What Is a Notifiable Data Breach Under the PDPA?
A notifiable data breach is an incident involving unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data that meets one or both of the following thresholds set out in Section 26B of the PDPA:
- Significant harm threshold: The breach is likely to result in significant harm to affected individuals (financial loss, identity theft, physical danger, reputational damage, or loss of opportunity).
- Significant scale threshold: The breach affects 500 or more individuals, regardless of the nature of the harm.
If either threshold is met, the organisation must notify both the PDPC and the affected individuals. The Personal Data Protection (Notification of Data Breaches) Regulations 2021 specify categories of data — such as full NRIC numbers combined with financial details, medical records, or login credentials — that are presumed to cause significant harm if compromised.
What Counts as Personal Data?
Personal data includes any data about an individual who can be identified from that data, or from that data combined with other information the organisation has access to. This covers names, NRIC/FIN, addresses, phone numbers, email addresses, biometric data, financial information, and behavioural data linked to a person.
Statutory Timelines You Must Meet
The PDPA imposes strict deadlines once a data breach is discovered. Missing them can result in financial penalties of up to S$1 million or 10% of annual turnover in Singapore (for organisations with turnover exceeding S$10 million).
| Stage | Timeline | Action Required |
|---|---|---|
| Discovery | Day 0 | Become aware of suspected breach |
| Assessment | Within 30 calendar days | Conduct expeditious assessment to confirm if breach is notifiable |
| Notify PDPC | Within 3 calendar days of assessment | Submit formal notification if thresholds met |
| Notify individuals | As soon as practicable after notifying PDPC | Inform affected individuals (unless exception applies) |
The 30-day assessment window is not a default grace period — the PDPC expects organisations to act expeditiously. Delays without justification can themselves be treated as a breach of the PDPA.
Step-by-Step: How to Report a Data Breach to PDPC
Step 1: Contain the Breach Immediately
Before any reporting, focus on containment. Common actions include:
- Disconnect affected systems from the network
- Revoke compromised credentials and reset passwords
- Disable unauthorised user accounts
- Preserve logs and forensic evidence (do not wipe systems)
- Engage your incident response team or external cybersecurity vendor
Step 2: Assess Whether the Breach Is Notifiable
Your Data Protection Officer (DPO) should lead an assessment covering:
- What personal data was affected and how sensitive it is
- Number of individuals impacted
- Whether the data was encrypted or otherwise protected
- Likelihood of misuse and resulting harm
- Whether the data has been recovered or remains exposed
Document the assessment thoroughly. The PDPC may request these records during any subsequent investigation.
Step 3: Prepare Notification Details
The PDPC notification must include the following information, to the extent known at the time of reporting:
- Facts of the breach (when discovered, how it occurred, root cause if known)
- Number of affected individuals
- Types of personal data involved
- Potential harm to affected individuals
- Containment and remediation actions taken or planned
- Contact details of the DPO or responsible officer
- Information provided (or to be provided) to affected individuals
Step 4: Submit the Notification via the PDPC Website
The PDPC accepts data breach notifications through its online form at pdpc.gov.sg. Navigate to "Report a Data Breach" and complete the Data Breach Notification Form. You will need a Singpass or Corppass login for organisational submissions.
If you do not yet have all the details, submit what you know within the 3-day window and update the PDPC as new information emerges. Submitting an incomplete report on time is far better than a delayed complete one.
Step 5: Notify Affected Individuals
Unless an exception applies, you must notify affected individuals as soon as practicable. The notification should be clear, in plain English, and contain:
- A description of the breach
- The personal data affected
- Potential consequences for the individual
- Measures the organisation has taken
- Recommended actions for the individual (e.g., changing passwords, monitoring accounts)
- Contact information for follow-up questions
Step 6: Document Everything
Maintain a written record of the entire incident, including timestamps, decisions made, communications sent, and remediation steps. This forms the basis of your post-incident review and any regulatory follow-up.
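The thresholds from Step 2, the required notification fields from Step 3, and the statutory deadlines from the timeline table can be encoded as a small incident-tracking script so that the DPO's record shows why the breach was notifiable, when each deadline falls, and which notification fields are still outstanding. The Python below is an added example written for this guide, not PDPC tooling and not code from the original article; the `Assessment` flags, the field names and the sample dates are assumptions, and the significant-harm judgement is an input rather than a calculation because only the DPO can make it after reviewing the data involved.

```python
"""Notifiability and deadline tracker modelled on the PDPA MDBN regime as
described in the guide. Added illustration only, not PDPC tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SIGNIFICANT_SCALE = 500       # s 26B: 500 or more individuals, regardless of harm
ASSESSMENT_WINDOW_DAYS = 30   # assess within 30 calendar days of becoming aware
PDPC_NOTIFY_DAYS = 3          # notify PDPC within 3 calendar days of assessment

# Fields the PDPC notification must carry (Step 3). Keys are assumed names.
REQUIRED_PDPC_FIELDS = (
    "facts", "affected_count", "data_types", "potential_harm",
    "remediation", "dpo_contact", "individual_comms",
)


@dataclass
class Assessment:
    affected_individuals: int
    likely_significant_harm: bool        # DPO's judgement after reviewing sensitivity
    data_unintelligible: bool = False    # e.g. strong encryption, keys not compromised
    remediated_harm_unlikely: bool = False  # remedial action makes significant harm unlikely


def notifiability(a: Assessment) -> Tuple[bool, List[str]]:
    """Apply the two s 26B thresholds; either one alone makes the breach notifiable."""
    reasons = []
    if a.likely_significant_harm:
        reasons.append("significant harm likely")
    if a.affected_individuals >= SIGNIFICANT_SCALE:
        reasons.append(f"significant scale: {a.affected_individuals} >= {SIGNIFICANT_SCALE}")
    return bool(reasons), reasons


def must_notify_individuals(a: Assessment) -> bool:
    """The PDPC is always notified for a notifiable breach; the individual
    notification may be exempt if the data is unintelligible or harm is remediated."""
    notifiable, _ = notifiability(a)
    if not notifiable:
        return False
    return not (a.data_unintelligible or a.remediated_harm_unlikely)


def deadlines(aware_on: date, assessed_on: Optional[date] = None) -> Dict[str, object]:
    """Day 0 is the date of awareness; the PDPC deadline only exists once assessed."""
    out: Dict[str, object] = {
        "assessment_due": aware_on + timedelta(days=ASSESSMENT_WINDOW_DAYS),
    }
    if assessed_on is not None:
        out["assessment_late"] = assessed_on > out["assessment_due"]
        out["pdpc_due"] = assessed_on + timedelta(days=PDPC_NOTIFY_DAYS)
    return out


def missing_pdpc_fields(notification: Dict[str, object]) -> List[str]:
    """Fields not yet known. Submit on time anyway and update the PDPC later."""
    return [f for f in REQUIRED_PDPC_FIELDS if not notification.get(f)]


# Constructed sample following the guide's realistic timeline: awareness on Day 0,
# assessment on Day 5 confirming 800 individuals affected. Dates are made up.
SAMPLE_AWARE = date(2026, 3, 2)
SAMPLE_ASSESSED = SAMPLE_AWARE + timedelta(days=5)
SAMPLE = Assessment(affected_individuals=800, likely_significant_harm=False)
SAMPLE_NOTIFICATION: Dict[str, object] = {
    "facts": "Unauthorised login to customer portal using a compromised credential",
    "affected_count": 800,
    "data_types": ["name", "email", "phone"],
    "potential_harm": "targeted phishing of affected customers",
    "remediation": "credential revoked, MFA enforced, affected host isolated",
    "dpo_contact": "dpo@example.com",   # placeholder
    # "individual_comms" deliberately absent: to be supplied in a follow-up update
}

if __name__ == "__main__":
    notifiable, reasons = notifiability(SAMPLE)
    print("Notifiable:", notifiable, reasons)
    print("Notify individuals:", must_notify_individuals(SAMPLE))
    for k, v in deadlines(SAMPLE_AWARE, SAMPLE_ASSESSED).items():
        print(f"{k}: {v}")
    print("Missing PDPC fields:", missing_pdpc_fields(SAMPLE_NOTIFICATION))
```

Running the sample reports the breach as notifiable on scale alone (800 individuals, no harm judgement needed), an assessment deadline of 1 April 2026, a PDPC deadline of 10 March 2026, and `individual_comms` as the one field still to be supplied in a follow-up update. Setting `data_unintelligible=True` on the same assessment keeps the PDPC notification mandatory while dropping the individual notification, which mirrors the encryption exception described later in the guide.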
Exceptions: When You Don't Need to Notify Individuals
You may be exempted from notifying affected individuals (though you still must notify the PDPC) if:
- You have taken remedial actions that render it unlikely the breach will result in significant harm (e.g., the data was strongly encrypted and the encryption keys were not compromised)
- Technological measures were applied that make the data inaccessible or unintelligible
- The PDPC, or a prescribed law enforcement agency, directs you not to notify (for instance, to avoid prejudicing an investigation)
These exceptions are narrow — do not assume they apply without legal advice.
Common Mistakes to Avoid
- Delaying assessment: Treating the 30-day window as a buffer rather than a maximum
- Under-reporting scope: Failing to investigate adjacent systems that may also be compromised
- Vague individual notifications: Sending generic messages that do not help individuals protect themselves
- No DPO appointed: Every organisation in Singapore must appoint a DPO and register their contact details with ACRA
- Ignoring data intermediaries: If you process data on behalf of another organisation, you must notify them of breaches without undue delay
Preventing Future Breaches: Practical Safeguards
While the PDPC focuses on response, prevention reduces the likelihood of ever needing to report. Key controls include:
- Encryption at rest and in transit for all personal data
- Role-based access control and the principle of least privilege
- Multi-factor authentication for all administrative accounts
- Regular vulnerability scanning and penetration testing
- Secure link sharing — when distributing sensitive resources internally, use tools that allow expiry dates, password protection, and access logging. Services like Lunyb let you create trackable, expirable short links so you can audit who accessed what and when, reducing the risk of stale links leaking confidential material. You can read an honest review of Lunyb for more context.
- Employee training on phishing, social engineering, and data handling
- Vendor due diligence for any third party processing personal data on your behalf
What Happens After You Notify the PDPC?
Once your notification is submitted, the PDPC will acknowledge receipt and may follow up with:
- Requests for additional information
- Directions on remediation steps
- A formal investigation, particularly for large or high-impact breaches
- Enforcement action, which may include financial penalties, directions, or undertakings
The PDPC's published enforcement decisions show that organisations that respond promptly, cooperate transparently, and demonstrate genuine remediation typically receive lower penalties than those that conceal or delay.
Sample Timeline: A Realistic Breach Response
| Time | Activity |
|---|---|
| Hour 0 | Suspicious login detected; security team alerted |
| Hour 2 | Affected systems isolated; forensic snapshot taken |
| Hour 6 | DPO notified; incident response team convened |
| Day 1–3 | Forensic investigation identifies scope |
| Day 5 | Assessment confirms 800 individuals affected — notifiable |
| Day 6 | PDPC notification submitted via online form |
| Day 8 | Affected individuals notified by email with remediation guidance |
| Day 14 | Post-incident review begins; updated controls deployed |
Frequently Asked Questions
How quickly must I report a data breach to PDPC?
You must notify the PDPC within 3 calendar days of determining that a breach is notifiable. The assessment itself should be completed expeditiously and, in any case, no later than 30 days from the date you became aware of the suspected breach.
What is the penalty for not reporting a data breach in Singapore?
Failure to notify the PDPC of a notifiable data breach can result in a financial penalty of up to S$1 million, or up to 10% of the organisation's annual turnover in Singapore if that turnover exceeds S$10 million. The PDPC may also issue directions requiring specific remedial action.
Do I need to notify individuals if the data was encrypted?
If the personal data was protected by strong encryption and the encryption keys were not compromised, you may be exempt from notifying affected individuals. However, you must still notify the PDPC and provide details of the protective measures applied.
Who in my organisation is responsible for reporting?
Every organisation in Singapore must appoint a Data Protection Officer (DPO). The DPO is typically responsible for assessing breaches, coordinating the response, and submitting the notification to the PDPC. Senior management remains ultimately accountable.
Does the MDBN regime apply to data intermediaries?
Data intermediaries (organisations that process personal data on behalf of another organisation) are not required to notify the PDPC directly. However, they must notify the organisation that engaged them without undue delay once they become aware of a breach, so that the principal organisation can assess and report it.