
How to Report a Data Breach to PDPC Singapore: Complete 2026 Guide

Lunyb Security Team
8 min read

If your organisation has experienced a data breach in Singapore, time is critical. Under the Personal Data Protection Act (PDPA), businesses are legally required to notify the Personal Data Protection Commission (PDPC) of notifiable breaches within strict timelines. Failure to comply can result in financial penalties of up to S$1 million, or 10% of annual local turnover (whichever is higher) for organisations with annual local turnover exceeding S$10 million.

This guide walks you through exactly how to report a data breach to PDPC Singapore, what qualifies as a notifiable breach, the mandatory timelines, and what information you need to prepare before submitting your notification.

What Is a Data Breach Under the PDPA?

A data breach under Singapore's PDPA is defined as the unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data, or the loss of any storage medium or device on which personal data is stored. The Personal Data Protection (Amendment) Act 2020 introduced a mandatory data breach notification obligation that came into force on 1 February 2021.

This means organisations no longer have discretion to keep significant breaches private. If a breach meets the notification threshold, you must report it to the PDPC, and in many cases, to affected individuals as well.

Common Examples of Data Breaches

  • Hacking or ransomware attacks on customer databases
  • Lost or stolen laptops, USB drives, or mobile phones containing personal data
  • Emails sent to the wrong recipient containing sensitive information
  • Misconfigured cloud storage exposing data publicly
  • Insider misuse of customer records
  • Physical theft of paper files or documents

When Must You Report a Breach to PDPC?

You must notify PDPC if a data breach is assessed to be a "notifiable data breach." Under Section 26B of the PDPA, a breach is notifiable if it meets either of these criteria:

  1. Significant harm threshold: The breach results in, or is likely to result in, significant harm to affected individuals.
  2. Significant scale threshold: The breach affects, or is likely to affect, 500 or more individuals.

What Counts as "Significant Harm"?

The PDPC has prescribed specific categories of personal data where unauthorised disclosure is deemed to cause significant harm. These include:

  • Full name combined with NRIC, FIN, or passport number
  • Financial information such as credit card numbers, bank account details
  • Account credentials (passwords, security questions)
  • Health information and medical records
  • Information about vulnerable individuals (children, persons with disabilities)
  • Information about an individual's private life that could cause emotional distress

Mandatory Timelines for Reporting

The PDPA sets out strict deadlines that organisations must meet once a breach is discovered.

Action Required | Deadline | Who to Notify
--- | --- | ---
Assess whether breach is notifiable | Within 30 calendar days of becoming aware | Internal assessment
Notify PDPC of notifiable breach | As soon as practicable, and within 3 calendar days | PDPC
Notify affected individuals | As soon as practicable (where likely to cause significant harm) | Affected individuals
Data intermediary notifies controller | Without undue delay | Data controller

Note that the 3-day clock starts from when you determine the breach is notifiable, not from when the breach occurred. However, you have a maximum of 30 days to make that determination.

Step-by-Step: How to Report a Data Breach to PDPC

Follow this process to ensure your notification is complete and compliant.

Step 1: Contain the Breach Immediately

Before notification, take immediate action to contain the breach. This may include disconnecting affected systems, revoking access credentials, recovering lost devices, or shutting down compromised accounts. Document every containment action with timestamps.

Step 2: Assess the Breach

Conduct a thorough internal assessment within 30 days to determine:

  • What personal data was involved
  • How many individuals were affected
  • The cause of the breach
  • The likely impact on affected individuals
  • Whether the breach meets the notifiable threshold

Step 3: Gather Required Information

Before submitting your notification, compile the following:

  1. Organisation name, UEN, and contact details of your Data Protection Officer (DPO)
  2. Date and time the breach occurred and was discovered
  3. Description of how the breach happened
  4. Type and volume of personal data affected
  5. Number of affected individuals
  6. Potential harm to individuals
  7. Actions taken to contain the breach
  8. Remediation steps and preventive measures
  9. Whether affected individuals have been or will be notified

Step 4: Submit Notification via PDPC Online Portal

Notifications must be submitted through the official PDPC website at pdpc.gov.sg. Navigate to the "Report a Data Breach" section and complete the online data breach notification form. You will need to log in using Singpass or Corppass.

Step 5: Notify Affected Individuals

If the breach is likely to cause significant harm, you must also notify the affected individuals as soon as practicable. Notifications should be clear, in plain language, and include:

  • The nature of the breach
  • Type of personal data involved
  • Potential consequences
  • Measures taken to address the breach
  • Steps individuals can take to protect themselves
  • Contact details for further enquiries

Step 6: Maintain Records

Keep detailed records of the breach, your assessment, notifications, and remediation actions for at least three years. PDPC may request this documentation during any subsequent investigation.

Exceptions to Notification

You may not need to notify affected individuals (though you still must notify PDPC) if:

  • You have taken remedial actions that make it unlikely the breach will cause significant harm (e.g. the data was encrypted with strong keys and those keys were not compromised)
  • The personal data was subject to technological protection that makes the data inaccessible
  • A law enforcement agency directs you not to notify (for ongoing investigations)
  • The PDPC waives the requirement
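To make the two notifiability criteria, the 30-day and 3-day windows, and the individual-notification exceptions above concrete, here is an added example (not PDPC's and not the page author's code) that encodes the page's rules as a small assessment helper. The category tags, the field names and the assumption that "likely to cause significant harm" is met whenever a listed data category is involved are my own simplifications.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data categories the page lists as deemed to cause significant harm if disclosed
SIGNIFICANT_HARM_CATEGORIES = {
    "identity_number",  # full name with NRIC, FIN or passport number
    "financial",        # credit card numbers, bank account details
    "credentials",      # passwords, security questions
    "health",           # health information, medical records
    "vulnerable",       # data about children, persons with disabilities
    "private_life",     # private-life data that could cause emotional distress
}
SIGNIFICANT_SCALE = 500                 # individuals affected (scale threshold)
ASSESSMENT_WINDOW = timedelta(days=30)  # from becoming aware of the breach
PDPC_WINDOW = timedelta(days=3)         # from determining the breach is notifiable


@dataclass
class Breach:
    aware_on: date                        # date the organisation became aware
    affected: int                         # individuals affected (or likely to be)
    data_categories: set                  # hypothetical tags, see the list above
    data_protected: bool = False          # encrypted with uncompromised keys, etc.
    law_enforcement_hold: bool = False    # agency directed you not to notify
    determined_on: Optional[date] = None  # date the assessment was concluded


def assess(b: Breach) -> dict:
    """Apply the page's notifiability rules and compute the deadlines."""
    harm = bool(b.data_categories & SIGNIFICANT_HARM_CATEGORIES)
    scale = b.affected >= SIGNIFICANT_SCALE
    notify_pdpc = harm or scale  # either criterion on its own suffices
    # Individuals must be told when harm is likely, unless an exception applies;
    # none of the exceptions removes the duty to notify PDPC.
    notify_individuals = harm and not (b.data_protected or b.law_enforcement_hold)
    assess_by = b.aware_on + ASSESSMENT_WINDOW
    # If the assessment is still open, plan against the latest permitted date
    determined = b.determined_on or assess_by
    return {
        "notify_pdpc": notify_pdpc,
        "reason": "significant harm" if harm else ("significant scale" if scale else None),
        "notify_individuals": notify_individuals,
        "assessment_deadline": assess_by,
        "assessment_overdue": determined > assess_by,
        "pdpc_deadline": (determined + PDPC_WINDOW) if notify_pdpc else None,
    }
```

Feeding it a constructed incident (120 customers, card numbers exposed, assessed ten days after discovery) flags the breach as notifiable on the harm criterion alone and yields a PDPC deadline three days after the determination date.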

Penalties for Non-Compliance

Failing to report a notifiable breach can result in significant penalties:

Violation | Maximum Penalty
--- | ---
Failure to notify PDPC (organisations with turnover > S$10M) | 10% of annual local turnover or S$1 million, whichever is higher
Failure to notify PDPC (smaller organisations) | Up to S$1 million
Failure to notify affected individuals | Financial penalties and directions from PDPC
Repeated or egregious non-compliance | Public enforcement decisions and reputational damage

Beyond financial penalties, organisations may also face civil claims from affected individuals and significant reputational damage from PDPC's public enforcement decisions.

Best Practices to Prevent Data Breaches

Prevention is always better than notification. Implementing strong data protection practices reduces both the likelihood and severity of breaches.

Technical Measures

  • Encrypt personal data both at rest and in transit
  • Implement multi-factor authentication on all critical systems
  • Use encrypted DNS and secure network configurations
  • Regularly patch and update software
  • Deploy endpoint detection and response (EDR) tools
  • Use secure link-sharing tools like Lunyb when distributing URLs containing sensitive parameters, so you can track access and disable links if a breach is suspected

Organisational Measures

  • Appoint a Data Protection Officer (mandatory under PDPA)
  • Conduct regular staff training on data protection
  • Maintain a current data inventory and data flow map
  • Develop and test an incident response plan
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Vet data intermediaries and include data protection clauses in contracts

Operational Measures

  • Apply the principle of least privilege for data access
  • Regularly review and revoke unnecessary access rights
  • Implement data loss prevention (DLP) solutions
  • Maintain secure backups with tested recovery procedures
  • Anonymise or pseudonymise data wherever feasible

Working with Data Intermediaries

If your organisation engages third-party processors (data intermediaries) such as cloud providers, payroll vendors, or marketing platforms, your contracts should explicitly require them to notify you of any breach "without undue delay." The reporting obligation to PDPC ultimately rests with you as the data controller, even when the breach occurs at a vendor's premises.

Make sure your vendor management process includes regular security audits, clear breach notification clauses, and well-defined responsibilities for incident response.

Tools and Resources from PDPC

PDPC provides several free resources to help organisations comply:

  • Guide to Managing and Notifying Data Breaches — detailed guidance document
  • Data Breach Management Plan template — for incident response planning
  • Data Protection Trustmark (DPTM) — voluntary certification scheme
  • PDPA Assessment Tool — self-assessment for compliance gaps
  • Advisory Guidelines — sector-specific guidance for industries like healthcare, education, and finance

For more on protecting your business online, see our Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide for tools that help manage and audit external links safely.

Frequently Asked Questions

How long do I have to report a data breach to PDPC Singapore?

You must notify PDPC as soon as practicable, and no later than 3 calendar days after determining that the breach is a notifiable data breach. You have up to 30 days from discovering the breach to complete this assessment.

What happens if I don't report a notifiable data breach?

Failure to notify PDPC of a notifiable breach can result in financial penalties of up to S$1 million, or 10% of your annual local turnover (whichever is higher) for organisations with turnover exceeding S$10 million. You may also face reputational damage from PDPC's public enforcement decisions.

Do I need to notify affected individuals if I notify PDPC?

Yes, if the breach is likely to cause significant harm to affected individuals, you must notify them as well. However, you may be exempted if you have implemented remedial measures (such as strong encryption) that make harm unlikely, or if a law enforcement agency directs you not to notify.

What if the breach affects fewer than 500 individuals?

The 500-individual threshold is only one of two criteria. Even if fewer than 500 people are affected, you must still notify PDPC if the breach is likely to cause significant harm — for example, if it involves NRIC numbers, financial data, or health information.

Can I report a breach anonymously to PDPC?

No. Organisations must submit notifications through their official accounts using Singpass or Corppass. The notification must include the organisation's details and contact information for the Data Protection Officer or designated representative.

What is the role of a Data Protection Officer in breach reporting?

Under the PDPA, every organisation must appoint a DPO whose responsibilities include managing data breaches. The DPO typically leads the breach assessment, prepares the notification to PDPC, communicates with affected individuals, and coordinates remediation efforts.

Reporting a data breach to PDPC is a legal obligation that demands speed, accuracy, and thorough documentation. By understanding the notification thresholds, preparing your incident response plan in advance, and acting decisively when a breach occurs, your organisation can meet its PDPA obligations while minimising harm to affected individuals and protecting your business reputation.
