
How to Report a Data Breach to PDPC Singapore: A Complete 2026 Guide

Lunyb Security Team

Singapore's Personal Data Protection Act (PDPA) makes data breach notification mandatory for organisations that experience significant security incidents. Since the Mandatory Data Breach Notification (MDBN) obligation took effect on 1 February 2021, businesses must understand exactly when, how, and what to report to the Personal Data Protection Commission (PDPC). This guide walks you through the entire process, from initial detection to final submission, so your organisation stays compliant and protects affected individuals.

What Is a Notifiable Data Breach Under the PDPA?

A notifiable data breach is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data that meets specific thresholds under Singapore's PDPA. Not every breach must be reported, but the ones that qualify trigger strict legal obligations and tight timelines.

Under Section 26A of the PDPA, an organisation must notify the PDPC if the breach:

  • Results in, or is likely to result in, significant harm to affected individuals; or
  • Is of a significant scale — affecting 500 or more individuals.

What Counts as "Significant Harm"?

The PDPC has prescribed categories of personal data that are deemed to cause significant harm if compromised. These include:

  • Full name combined with NRIC, FIN, passport, or work permit numbers
  • Financial information such as bank account numbers, credit/debit card details, and account passwords
  • Health and medical information, including diagnoses and treatment records
  • Information about adoption matters, private keys for digital signatures, and life insurance details
  • Personal data of vulnerable individuals (e.g. minors)

Key Timelines for PDPC Data Breach Notification

Timelines are strict, and missing them can result in financial penalties of up to S$1 million or 10% of annual turnover in Singapore (whichever is higher) for breaches occurring after October 2022.

Action                                     Timeline                                                                 Who to notify
Assess whether breach is notifiable        Within 30 calendar days of becoming aware                                Internal assessment
Notify PDPC                                As soon as practicable, no later than 3 calendar days after assessment   Personal Data Protection Commission
Notify affected individuals                At the same time as or after notifying PDPC (if significant harm)        Affected data subjects
Data intermediary notifies organisation    Without undue delay                                                      Main controlling organisation

Step-by-Step: How to Report a Data Breach to PDPC

Reporting a data breach to PDPC involves a structured process designed to ensure transparency and timely remediation. Follow these seven steps in sequence.

Step 1: Contain the Breach Immediately

Before anything else, stop the breach from spreading. This may involve isolating affected systems, revoking compromised credentials, taking servers offline, or removing publicly exposed data. Document every containment action with timestamps.

Step 2: Convene Your Data Breach Response Team

Assemble your Data Protection Officer (DPO), IT security lead, legal counsel, and communications officer. If you don't have a DPO appointed, the PDPA requires you to designate one — this is a separate compliance obligation.

Step 3: Assess the Breach

Within 30 days, determine:

  1. What personal data was involved?
  2. How many individuals are affected?
  3. Does the data fall into the "significant harm" categories?
  4. Are 500 or more individuals affected?
  5. What is the cause (cyberattack, human error, lost device, insider threat)?

If either threshold is met, the breach is notifiable.
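The assessment in Step 3 and the timeline table above are a small decision procedure, and incident-tracking tooling often encodes it so that the notifiable/not-notifiable call and the statutory dates are recorded consistently. The following is an added example written for this guide, not code from PDPC or from Lunyb. It encodes the article's two thresholds (significant harm categories, or 500 or more individuals) and the 30-day and 3-day windows; the field names (`nric`, `card_number`, `full_name` and so on), the `Breach` record and the sample incidents are constructed for illustration, and the harm categories are a simplification of the article's list rather than the wording of the Regulations, so the rule tables are meant to be adjusted by your DPO and legal counsel.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds as stated in the article (PDPA Mandatory Data Breach Notification).
SCALE_THRESHOLD = 500          # "significant scale": 500 or more individuals
ASSESSMENT_WINDOW_DAYS = 30    # assess within 30 calendar days of becoming aware
PDPC_NOTIFY_DAYS = 3           # notify PDPC no later than 3 calendar days after assessment

# Data categories the article lists as deemed to cause significant harm.
# Field names are constructed labels for this example, not PDPC terms.
NATIONAL_IDENTIFIERS = {"nric", "fin", "passport_number", "work_permit_number"}
HARMFUL_ON_THEIR_OWN = {
    "bank_account_number", "card_number", "account_password",      # financial
    "medical_diagnosis", "treatment_record",                        # health
    "adoption_record", "signature_private_key", "life_insurance",   # other prescribed
}


@dataclass(frozen=True)
class Breach:
    aware_on: date                        # date the organisation became aware
    data_fields: frozenset                # categories of personal data involved
    affected_count: int                   # number of individuals affected
    vulnerable_individuals: bool = False  # e.g. minors
    assessed_on: Optional[date] = None    # date the assessment was completed, if done


def significant_harm_reasons(b: Breach) -> list:
    """Return why the breach is likely to cause significant harm (empty list if none)."""
    reasons = []
    ids = b.data_fields & NATIONAL_IDENTIFIERS
    if "full_name" in b.data_fields and ids:
        reasons.append("full name combined with " + ", ".join(sorted(ids)))
    harmful = b.data_fields & HARMFUL_ON_THEIR_OWN
    if harmful:
        reasons.append("prescribed sensitive data: " + ", ".join(sorted(harmful)))
    if b.vulnerable_individuals:
        reasons.append("personal data of vulnerable individuals")
    return reasons


def is_notifiable(b: Breach) -> tuple:
    """Apply both PDPA thresholds: significant harm OR significant scale."""
    reasons = significant_harm_reasons(b)
    if b.affected_count >= SCALE_THRESHOLD:
        reasons.append(f"significant scale: {b.affected_count} >= {SCALE_THRESHOLD} individuals")
    return bool(reasons), reasons


def deadlines(b: Breach) -> dict:
    """Compute the statutory dates from the timeline table.

    If the assessment is not yet complete, the PDPC deadline returned is the
    worst case, i.e. assessment completed on its last permitted day.
    """
    assess_by = b.aware_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)
    assessed = b.assessed_on or assess_by
    return {
        "assess_by": assess_by,
        "notify_pdpc_by": assessed + timedelta(days=PDPC_NOTIFY_DAYS),
    }


def assessment_overdue(b: Breach, today: date) -> bool:
    """True if the 30-day assessment window has passed with no assessment recorded."""
    return b.assessed_on is None and today > deadlines(b)["assess_by"]


# Constructed sample incidents used to exercise the rules.
SAMPLES = {
    # 120 marketing contacts, names and e-mail addresses only: not notifiable
    "newsletter_leak": Breach(date(2026, 3, 1), frozenset({"full_name", "email"}), 120),
    # same data types but 500 people: notifiable on scale alone
    "newsletter_leak_large": Breach(date(2026, 3, 1), frozenset({"full_name", "email"}), 500),
    # 12 staff records with full name + NRIC: notifiable on significant harm
    "hr_export": Breach(date(2026, 3, 1), frozenset({"full_name", "nric"}), 12,
                        assessed_on=date(2026, 3, 10)),
    # 3 records of minors, e-mail only: notifiable because the individuals are vulnerable
    "minor_records": Breach(date(2026, 1, 1), frozenset({"email"}), 3,
                            vulnerable_individuals=True),
}

if __name__ == "__main__":
    for name, b in SAMPLES.items():
        notifiable, why = is_notifiable(b)
        d = deadlines(b)
        print(f"{name}: notifiable={notifiable} reasons={why} "
              f"assess_by={d['assess_by']} notify_pdpc_by={d['notify_pdpc_by']}")
```

Note that the 3-day clock starts from the date the assessment concludes, not from the date of awareness, which is why `hr_export` (assessed on 10 March) has an earlier PDPC deadline than an incident that is still unassessed; the worst-case date is the one to put on the response team's calendar.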

Step 4: Notify the PDPC Within 3 Days

Submit your notification through the official PDPC online portal at eservice.pdpc.gov.sg. You'll need to log in using Singpass (for individuals) or Corppass (for organisations).

Step 5: Complete the Data Breach Notification Form

The form requires:

  • Organisation details and DPO contact information
  • Date and time the breach occurred and was discovered
  • Description of the breach and its cause
  • Type and volume of personal data involved
  • Number of affected individuals
  • Potential harm and risks
  • Containment, remediation, and preventive measures taken
  • Whether and how affected individuals have been or will be notified

Step 6: Notify Affected Individuals

If the breach is likely to cause significant harm, you must notify affected individuals in a clear, easily understandable manner. Notification can be by email, SMS, post, or public announcement if direct contact isn't feasible. Include:

  • What happened and when
  • What data was involved
  • What the organisation is doing about it
  • What individuals can do to protect themselves
  • Contact details for further enquiries

Step 7: Follow Up and Maintain Records

Even after the initial notification, the PDPC may request additional information or evidence. Keep detailed records of the breach, your response, and lessons learned for at least the duration required by your data retention policy.

Exceptions: When You Don't Need to Notify Affected Individuals

The PDPA allows certain exceptions to notifying affected individuals (though PDPC notification is still required):

  • Remedial action taken: If your organisation took action that renders the risk of significant harm unlikely (e.g. data was encrypted with strong, unbroken encryption).
  • Technological protection: Personal data was protected by a technology that makes it inaccessible or unintelligible to unauthorised parties.
  • Law enforcement or PDPC instruction: Where notification would impede an investigation or where the PDPC has waived the requirement.

Common Mistakes to Avoid

Many organisations stumble during their first breach response. Avoid these pitfalls:

  • Delaying assessment: Treating the 30-day assessment window as a deadline rather than a maximum. Start immediately.
  • Underestimating scope: Failing to investigate thoroughly often leads to amended notifications and reputational damage.
  • Vague descriptions: The PDPC expects specific, factual reporting — not legalese.
  • Skipping individual notifications: Don't assume the significant harm threshold doesn't apply without proper analysis.
  • No documented breach response plan: Improvising during a crisis leads to missed steps and missed deadlines.

Preventing Future Breaches: Best Practices

Reporting is only half the equation. Strengthening your data protection posture reduces both the likelihood and impact of future incidents.

Technical Safeguards

  • Encrypt personal data at rest and in transit using AES-256 or stronger
  • Implement multi-factor authentication (MFA) for all administrative accounts
  • Apply the principle of least privilege for data access
  • Maintain up-to-date patching and vulnerability management
  • Use secure link-sharing tools when distributing sensitive content — services like Lunyb offer password-protected and expiring links that reduce accidental exposure of internal URLs

Organisational Safeguards

  • Appoint and empower a qualified Data Protection Officer
  • Conduct annual PDPA training for all staff
  • Maintain a written Data Breach Management Plan
  • Run tabletop exercises simulating breach scenarios
  • Review and audit third-party data intermediaries regularly

Vendor and Link Hygiene

Phishing and malicious links remain a top cause of data breaches in Singapore. Train staff to verify URLs before clicking, and standardise on trusted shortening and link-management platforms. For organisations sharing customer-facing links, choosing reputable tools matters — see our 2026 buyer's guide to URL shorteners and honest review of Lunyb for evaluation criteria, or our Rebrandly review for an enterprise alternative.

Penalties for Non-Compliance

The PDPA's enforcement framework was significantly strengthened in October 2022. Organisations that fail to notify the PDPC of a notifiable breach, or that fail to implement reasonable security arrangements, face:

  • Financial penalties up to S$1 million or 10% of annual turnover in Singapore (whichever is higher) for organisations with annual local turnover exceeding S$10 million
  • Directions to remediate, compensate affected individuals, or stop processing data
  • Public listing of enforcement decisions, which can severely damage brand trust

Recent PDPC enforcement actions have consistently emphasised that prompt notification and cooperation can be mitigating factors when penalties are determined.

Data Intermediaries: Special Considerations

If your organisation processes personal data on behalf of another organisation (i.e. you are a data intermediary), you have a duty to notify the controlling organisation "without undue delay" upon becoming aware of a breach. The controlling organisation then takes responsibility for assessment and PDPC notification. Contracts between organisations and intermediaries should explicitly define breach notification timelines, often requiring notice within 24 hours.

Frequently Asked Questions

How long do I have to report a data breach to PDPC?

You must notify the PDPC as soon as practicable, and no later than 3 calendar days after you assess the breach to be notifiable. Your assessment itself must be completed within 30 days of becoming aware of the incident.

What is the threshold of 500 individuals based on?

The 500-individual threshold applies to the total number of affected individuals whose personal data is involved in the breach, regardless of whether the data is sensitive. Even if the data is non-sensitive (e.g. email addresses only), reaching 500 affected persons triggers mandatory notification.

Do I need to report breaches involving encrypted data?

If the personal data was protected by strong encryption and the decryption key was not compromised, the breach may not be likely to result in significant harm — meaning notification to individuals may not be required. However, you should still document your assessment, and notification to PDPC may still apply if 500 or more individuals are affected.

What happens if I report a breach late?

Late notification is itself a breach of the PDPA and can result in financial penalties. However, voluntarily reporting late (with explanation) is always better than not reporting at all. The PDPC considers cooperation and remediation efforts when determining penalties.

Can I submit the breach notification by email instead of the portal?

The PDPC strongly prefers submissions through its official eService portal at eservice.pdpc.gov.sg, which uses Corppass authentication. Email submissions are generally only accepted in exceptional circumstances and should not be your default approach.

Do I need to notify individuals overseas?

Yes. The PDPA's notification obligations apply to all affected individuals whose personal data your organisation handles, regardless of their location. If individuals overseas are affected by a Singapore-regulated breach, they must be notified using appropriate channels.

Final Thoughts

Reporting a data breach to PDPC isn't just a regulatory checkbox — it's a critical part of maintaining customer trust and demonstrating responsible data stewardship. By understanding the notification thresholds, acting quickly within prescribed timelines, and documenting every step, your organisation can navigate a breach with professionalism and minimise long-term damage. Build a tested breach response plan now, before you need it. The organisations that handle breaches best are the ones that prepared for them long before they happened.
