
How to Report a Data Breach to PDPC Singapore: 2026 Step-by-Step Guide

Lunyb Security Team · 9 min read

If your organisation has suffered a data breach in Singapore, you may be legally required to notify the Personal Data Protection Commission (PDPC) within strict timeframes. Since the Data Breach Notification (DBN) obligation came into force on 1 February 2021 under the amended Personal Data Protection Act (PDPA), reporting is no longer optional for qualifying incidents. This guide walks you through exactly how to report a data breach to PDPC, what counts as a notifiable breach, and how to stay compliant in 2026.

What Counts as a Data Breach Under Singapore's PDPA?

A data breach under the PDPA refers to the unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data, or the loss of any storage medium or device on which personal data is stored. This applies whether the incident was caused by an external attacker, an insider, or a simple human error like sending an email to the wrong recipient.

Common examples of data breaches include:

  • Ransomware or hacking incidents that expose customer databases
  • Lost or stolen laptops, USB drives, or mobile phones containing personal data
  • Misconfigured cloud storage buckets that leak files publicly
  • Phishing attacks resulting in compromised employee credentials
  • Accidental disclosure via mass emails (e.g. CC instead of BCC)
  • Improper disposal of physical documents containing NRIC numbers or contact details

When Must You Report a Data Breach to PDPC?

Not every breach must be reported. Under Section 26B of the PDPA, an organisation must notify PDPC if the breach is a notifiable data breach, meaning it meets either of two thresholds.

Threshold 1: Significant Harm to Individuals

A breach is notifiable if it is likely to result in significant harm to any affected individual. The Personal Data Protection (Notification of Data Breaches) Regulations 2021 prescribe specific categories of personal data that are deemed to cause significant harm if compromised, including:

  • Full name or alias combined with NRIC, FIN, work permit, or passport number
  • Financial information (account numbers, credit card details, transaction history)
  • Health information and medical records
  • Insurance information
  • Information related to children (individuals under 18)
  • Account credentials such as passwords or security codes

Threshold 2: Significant Scale (500 or More Individuals)

A breach is also notifiable if it affects 500 or more individuals, regardless of the type of data involved. If you cannot determine the exact number, you must still notify if you reasonably believe the threshold has been met.

Mandatory Timelines: How Fast Must You Act?

Speed is critical. PDPC enforces strict notification deadlines, and missing them can lead to financial penalties of up to S$1 million or 10% of annual turnover in Singapore (whichever is higher).

Action | Deadline | Reference
Assess whether the breach is notifiable | Within 30 calendar days of becoming aware | PDPA s.26C
Notify PDPC of a notifiable breach | As soon as practicable, no later than 3 calendar days | PDPA s.26D(1)
Notify affected individuals | At the same time as, or after, notifying PDPC | PDPA s.26D(2)
Data intermediary notifies the organisation | Without undue delay upon awareness | PDPA s.26A(2)

Step-by-Step: How to Report a Data Breach to PDPC

Follow this sequence to ensure full compliance with the DBN obligation.

  1. Contain the breach. Immediately stop the leak, isolate affected systems, revoke compromised credentials, and preserve evidence for forensic analysis.
  2. Activate your Data Breach Management Plan. Convene your incident response team, including IT, legal, communications, and the Data Protection Officer (DPO).
  3. Assess the breach. Identify what data was involved, how many individuals are affected, the cause, and the likely harm. This must be completed within 30 days.
  4. Determine notifiability. Apply the two thresholds (significant harm or 500+ individuals). Document your reasoning even if you conclude the breach is not notifiable.
  5. Submit notification via PDPC's online form. Go to the PDPC website (pdpc.gov.sg) and use the Data Breach Notification e-Form. You will need your organisation's UEN and your DPO's contact details.
  6. Notify affected individuals. Use clear, plain language to describe what happened, what data was affected, what you are doing about it, and what they should do (e.g. change passwords, monitor accounts).
  7. Cooperate with PDPC. Respond promptly to any follow-up queries or directions from the Commission.
  8. Document everything. Keep records of the incident, your assessment, notifications sent, and remediation actions taken for at least the duration prescribed by your retention policy.

What Information Must Be Included in the PDPC Notification?

The PDPC online notification form requires comprehensive details. Prepare the following before you start:

Initial Notification (within 3 days)

  • Organisation name, UEN, and DPO contact information
  • Date and time the breach was discovered
  • Date and time (or estimated period) the breach occurred
  • Description of the incident and how it was discovered
  • Categories and approximate volume of personal data involved
  • Number of individuals affected (actual or estimated)
  • Cause of the breach (if known)
  • Immediate containment actions taken
  • Whether affected individuals have been or will be notified

Follow-up Notification

If certain details are not available within 3 days, you can submit them later. PDPC expects updates once additional facts are confirmed, including root cause analysis and long-term remediation steps.

Notifying Affected Individuals: Best Practices

Section 26D of the PDPA requires you to notify affected individuals if the breach is likely to cause significant harm to them. However, you are exempted from notifying individuals if:

  • You have taken remedial action that renders harm unlikely (e.g. data was encrypted and the key was not compromised), or
  • Technological measures applied to the data make significant harm unlikely, or
  • A prescribed law enforcement agency or PDPC directs you not to (e.g. to avoid prejudicing an investigation)

When you do notify, your communication should include the nature of the breach, the data involved, potential consequences, mitigation steps taken, recommended actions for the individual, and a contact point for follow-up questions.

Special Cases: Data Intermediaries and Overseas Breaches

A data intermediary (e.g. a cloud vendor, payroll processor, or marketing agency processing data on your behalf) must notify the organisation it serves "without undue delay" once it becomes aware of a breach. The primary organisation, not the intermediary, is responsible for notifying PDPC and affected individuals.

If a breach occurs at an overseas vendor processing Singapore residents' data, the Singapore-based organisation that engaged that vendor still bears the notification obligation. This is why cross-border data processing agreements should explicitly require prompt breach disclosure.

Penalties for Non-Compliance

Failing to notify PDPC of a notifiable data breach, or failing to do so within the prescribed timelines, is an offence under the PDPA. Since the 2022 amendments to the financial penalty framework, PDPC can impose fines of up to S$1 million or 10% of the organisation's annual turnover in Singapore, whichever is higher, for organisations with turnover exceeding S$10 million.

Beyond fines, PDPC publishes enforcement decisions on its website, leading to reputational damage that often outweighs the monetary penalty. Recent enforcement cases against organisations in healthcare, e-commerce, and financial services have made the regulator's expectations clear: rapid, transparent, and well-documented response is non-negotiable.

Preventing Data Breaches: Practical Measures for Singapore Organisations

Prevention is far cheaper than remediation. Consider these measures as part of your overall PDPA compliance programme:

Technical Controls

  • Enforce multi-factor authentication on all administrative accounts
  • Encrypt personal data at rest and in transit (AES-256, TLS 1.3)
  • Use encrypted DNS resolvers and network segmentation
  • Patch systems regularly and run vulnerability scans monthly
  • Deploy endpoint detection and response (EDR) solutions
  • Use secure, privacy-respecting tools for daily operations — for example, when sharing links externally, a privacy-focused shortener like Lunyb avoids exposing internal URL structures and provides analytics without invasive third-party trackers

Organisational Controls

  • Appoint and resource a qualified Data Protection Officer (mandatory under PDPA)
  • Conduct annual PDPA training for all staff handling personal data
  • Maintain a written Data Breach Management Plan and run tabletop exercises twice a year
  • Implement role-based access controls and review them quarterly
  • Vet data intermediaries and include breach notification clauses in contracts

Link and Communication Hygiene

Many breaches start with phishing or accidental link exposure. Train staff to verify destination URLs before clicking, and use trusted link management platforms for outbound marketing and internal sharing. Our guide to the best URL shorteners in 2026 compares options on security and privacy. For an honest look at one Singapore-friendly option, see Is Lunyb Legit? An Honest Review, or compare it with established players in the Rebrandly 2026 review.

Quick Compliance Checklist

Task | Status
DPO appointed and contact details published | [ ]
Written Data Breach Management Plan in place | [ ]
Staff trained on PDPA and breach reporting | [ ]
Data inventory and classification completed | [ ]
Vendor contracts include breach notification clauses | [ ]
Incident response runbook tested in last 12 months | [ ]
PDPC online notification form bookmarked | [ ]

Frequently Asked Questions

1. How do I submit a data breach notification to PDPC?

Notifications are submitted through the official Data Breach Notification e-Form on the PDPC website at pdpc.gov.sg. You will need your organisation's UEN, DPO contact details, and a clear description of the incident. Email and postal submissions are generally not accepted for the initial notification.

2. What is the deadline to notify PDPC after discovering a breach?

You must notify PDPC as soon as practicable, and no later than 3 calendar days after determining that the breach is notifiable. Prior to that, you have up to 30 days to complete your assessment of whether the breach meets the notification thresholds.

3. Do I need to notify individuals if I have already notified PDPC?

Yes, in most cases. If the breach is likely to result in significant harm to individuals, you must notify them as well, unless an exception applies (e.g. the data was strongly encrypted, or a law enforcement agency has directed otherwise). Notification to individuals should happen at the same time as or after PDPC notification.

4. What happens if I fail to report a notifiable data breach?

Failure to comply with the Data Breach Notification obligation is an offence under the PDPA. Financial penalties can reach S$1 million or 10% of your annual Singapore turnover, whichever is higher. PDPC also publishes enforcement decisions publicly, which can cause significant reputational harm.

5. Are SMEs in Singapore subject to the same breach notification rules?

Yes. The PDPA applies to all organisations operating in Singapore regardless of size, including sole proprietors and SMEs. However, PDPC takes into account the organisation's resources and the nature of the breach when assessing compliance and determining penalties. SMEs should still maintain a basic written response plan and have a designated DPO.

Final Thoughts

Reporting a data breach to PDPC is not just a legal formality — it is a critical step in protecting affected individuals, preserving trust, and limiting your organisation's liability. With a 3-day notification window once a breach is deemed notifiable, preparation is everything. Build your Data Breach Management Plan today, train your team, and treat every privacy incident as a board-level concern. The organisations that handle breaches transparently and quickly almost always emerge stronger than those that try to hide them.
