
How to Report a Data Breach to PDPC Singapore: A Complete Guide

Lunyb Security Team · 9 min read

If your organisation has suffered a data breach in Singapore, the clock is already ticking. Under the amended Personal Data Protection Act (PDPA), businesses are legally required to notify the Personal Data Protection Commission (PDPC) — and in many cases, affected individuals — when a notifiable data breach occurs. Failing to do so can result in financial penalties of up to S$1 million or 10% of annual turnover in Singapore, whichever is higher.

This guide walks you through exactly how to report a data breach to the PDPC, what qualifies as a notifiable breach, the timelines you must meet, and the documentation you'll need. Whether you're a compliance officer, IT lead, or small business owner, this article will help you respond confidently and lawfully.

What Is a Data Breach Under Singapore's PDPA?

A data breach under Singapore's PDPA is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data, or the loss of any storage medium or device on which personal data is stored in circumstances where such unauthorised handling is likely to occur. This definition, introduced by the Personal Data Protection (Amendment) Act 2020 and in force since 1 February 2021, applies to every organisation that handles the personal data of individuals in Singapore.

Common examples include:

  • Ransomware attacks encrypting customer databases
  • Employees emailing personal data to the wrong recipient
  • Lost laptops or USB drives containing unencrypted client information
  • Phishing attacks that expose login credentials
  • Misconfigured cloud storage exposing files publicly
  • Insider theft of customer records

Not every breach is notifiable, but every breach must be assessed. The moment you suspect a breach has occurred, your data breach response plan should be triggered.

When Must You Report a Data Breach to PDPC?

You must notify the PDPC when a data breach meets either of two thresholds under Singapore's Mandatory Data Breach Notification (MDBN) regime:

  1. Significant harm threshold: The breach is likely to result in significant harm to affected individuals. This includes financial loss, identity theft, physical harm, damage to reputation, or exposure of sensitive data such as NRIC numbers, financial account details, or medical records.
  2. Scale threshold: The breach affects, or is likely to affect, 500 or more individuals — regardless of harm severity.

If either threshold is met, notification is mandatory. If neither is met, notification is not required, but you must still document the breach internally and take remediation steps.

Notification Timelines You Must Meet

Timing is critical. These are the deadlines you are measured against:

  • Within 30 calendar days of becoming aware of the breach: complete your assessment of whether it is notifiable. The Act requires the assessment to be reasonable and expeditious, and the PDPC's guidelines state that it should generally take no longer than 30 days. Record the date you became aware, because that is when this clock starts.
  • As soon as practicable, and no later than 3 calendar days after determining that the breach is notifiable: notify the PDPC.
  • As soon as practicable after that determination: notify affected individuals if the breach is likely to cause them significant harm (unless an exception applies).

Step-by-Step: How to Report a Data Breach to PDPC

Below is a practical, sequential process to follow once you become aware of a potential breach.

Step 1: Contain and Investigate

Before you notify anyone, contain the incident. Isolate affected systems, revoke compromised credentials and session tokens, patch the vulnerability that was exploited, and preserve forensic evidence (disk images, logs, and memory captures) before you rebuild or wipe anything, because the PDPC may ask how you established the scope of the breach. Assemble your incident response team, including IT, legal, and your Data Protection Officer (DPO). Containment runs in parallel with the 30-day assessment clock, not before it.

Step 2: Assess the Breach

Determine the scope: what data was affected, how many people, what kind of harm is likely, and whether either notification threshold has been met. Document your assessment methodology — the PDPC may request evidence of due diligence.

Step 3: Prepare Your Notification

Gather the required information for the PDPC's Data Breach Notification form, including:

  • Organisation name and UEN
  • DPO contact information
  • Date and time of the breach and discovery
  • Type and volume of personal data compromised
  • Number of affected individuals
  • Cause of the breach
  • Actions taken to contain and remediate
  • Plans to notify affected individuals

Step 4: Submit the Notification to PDPC

File your notification through the official PDPC website at pdpc.gov.sg. Navigate to the "Report a Data Breach" section and complete the online Data Breach Notification Form; you may be asked to authenticate with Corppass. If online submission isn't possible, use the alternative contact channel the PDPC lists on that page rather than delaying the notification.

Step 5: Notify Affected Individuals

If the significant harm threshold is met, notify affected individuals in a clear, timely manner. Notifications should describe the breach, the data involved, the potential consequences, steps individuals can take to protect themselves, and how your organisation is responding. Use email, SMS, letter, or public notice depending on circumstances.

Step 6: Follow Up and Remediate

Submit follow-up updates to the PDPC as new information emerges. Complete a post-incident review, update your policies, retrain staff, and strengthen technical controls to prevent recurrence.

Notification Thresholds at a Glance

Criteria                                                 | PDPC notification required?             | Individual notification required?
---------------------------------------------------------|-----------------------------------------|----------------------------------------------
Breach likely to cause significant harm                  | Yes, within 3 days of determination     | Yes, as soon as practicable
Breach affects 500+ individuals (no significant harm)    | Yes, within 3 days of determination     | Not required
Breach affects <500 individuals, no significant harm     | No (document internally)                | No
Significant harm threshold met, but data was encrypted   | Yes, the exception does not cover PDPC  | Generally no (technological protection
or otherwise rendered inaccessible                       | notification                            | exception), provided the keys were not exposed

What Counts as "Significant Harm"?

The PDPC provides guidance on data categories that are presumed to cause significant harm if breached. These include:

  • Full name combined with NRIC/FIN/passport number
  • Financial account numbers, credit card details, or CVVs
  • Medical, health, or psychological information
  • Information about vulnerable individuals (minors, persons with disabilities)
  • Private records such as adoption or criminal history
  • Information that could enable identity theft or fraud

If your breach involves any of these categories, you should presume the significant harm threshold is met and prepare to notify both PDPC and affected individuals.

Exceptions to Individual Notification

You are not required to notify affected individuals in a few specific scenarios:

  1. Technological protection: The compromised data was encrypted or otherwise rendered inaccessible to unauthorised parties. This only holds if the protection was actually effective, for example the encryption keys were not stored alongside the data or exposed in the same incident.
  2. Remedial action: Your organisation has taken action that makes significant harm unlikely (e.g., rapid password resets, revoked access tokens, recovery of the lost device before it was accessed).
  3. Law enforcement directive or PDPC waiver: A prescribed law enforcement agency or the PDPC has directed you not to notify, or the PDPC has waived the requirement.

Even when notification to individuals isn't required, you still must notify the PDPC if the scale or harm threshold is met.
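The thresholds, exceptions and deadlines above are easy to get wrong under pressure, in particular the point that encryption excuses notifying individuals but never excuses notifying the PDPC. The following triage helper is an added example for this article, not a PDPC tool and not Lunyb's code: it encodes the two thresholds, the three exceptions and the 30-day and 3-day windows exactly as this page describes them, over a hypothetical incident record. The category labels, the Incident and Assessment types and the constructed incident are assumptions of the example; verify the rules against the Personal Data Protection (Notification of Data Breaches) Regulations 2021 before relying on the output.

```python
"""Breach triage helper for the MDBN thresholds summarised in this article.

Example code only (not a PDPC tool). It applies the thresholds and the
individual-notification exceptions to an incident record and computes the
assessment and PDPC notification deadlines.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Data categories this article lists as presumed to cause significant harm.
# The labels are this example's own; map your data inventory onto them.
SIGNIFICANT_HARM_CATEGORIES = frozenset({
    "identity_number",    # full name with NRIC / FIN / passport number
    "financial_account",  # account numbers, card details, CVVs
    "health",             # medical, health or psychological information
    "vulnerable_person",  # data about minors or persons with disabilities
    "private_record",     # adoption or criminal history
})

SCALE_THRESHOLD = 500         # "affects, or is likely to affect, 500 or more individuals"
ASSESSMENT_WINDOW_DAYS = 30   # complete the notifiability assessment within 30 days
PDPC_NOTIFY_DAYS = 3          # notify the PDPC within 3 days of the determination


@dataclass
class Incident:
    aware_on: date                      # when the organisation became aware
    affected_individuals: int
    data_categories: set[str]
    encrypted: bool = False             # data was encrypted / inaccessible (keys safe)
    harm_remediated: bool = False       # remedial action made significant harm unlikely
    law_enforcement_hold: bool = False  # directed not to notify individuals
    determined_on: date | None = None   # when notifiability was determined


@dataclass
class Assessment:
    significant_harm: bool
    significant_scale: bool
    notify_pdpc: bool
    notify_individuals: bool
    individual_exception: str | None
    assess_by: date
    pdpc_notify_by: date | None
    flags: list[str] = field(default_factory=list)


def assess(inc: Incident) -> Assessment:
    """Apply both thresholds, then the exceptions for notifying individuals.

    The exceptions only switch off notification to individuals. Notification
    to the PDPC stays mandatory whenever either threshold is met.
    """
    harm = bool(inc.data_categories & SIGNIFICANT_HARM_CATEGORIES)
    scale = inc.affected_individuals >= SCALE_THRESHOLD
    notify_pdpc = harm or scale

    exception = None
    if harm:
        if inc.law_enforcement_hold:
            exception = "law enforcement directive"
        elif inc.encrypted:
            exception = "technological protection"
        elif inc.harm_remediated:
            exception = "remedial action"
    notify_individuals = harm and exception is None

    assess_by = inc.aware_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)
    pdpc_notify_by = None
    flags: list[str] = []
    if inc.determined_on is not None:
        if inc.determined_on > assess_by:
            flags.append("assessment exceeded the 30-day window")
        if notify_pdpc:
            pdpc_notify_by = inc.determined_on + timedelta(days=PDPC_NOTIFY_DAYS)
    elif notify_pdpc:
        flags.append("notifiable but determination date not recorded")

    return Assessment(harm, scale, notify_pdpc, notify_individuals,
                      exception, assess_by, pdpc_notify_by, flags)


if __name__ == "__main__":
    # Constructed incident: ransomware on a customer database holding card details.
    incident = Incident(
        aware_on=date(2025, 3, 1),
        affected_individuals=1200,
        data_categories={"contact", "financial_account"},
        determined_on=date(2025, 3, 5),
    )
    result = assess(incident)
    print(f"Assess by:          {result.assess_by}")
    print(f"Notify PDPC:        {result.notify_pdpc} (by {result.pdpc_notify_by})")
    print(f"Notify individuals: {result.notify_individuals} "
          f"(exception: {result.individual_exception})")
    for flag in result.flags:
        print("FLAG:", flag)
```

Run it as a script to see the worked incident; in an incident response runbook you would feed it the breach record your assessment produces and attach the output to the notification file. The helper deliberately treats any listed category as meeting the harm threshold, which matches the article's "presume significant harm" advice; it does not decide whether a category outside the list is harmful, because that judgement belongs to the DPO, not a script.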

Penalties for Non-Compliance

Since 1 October 2022, the PDPC can impose financial penalties of up to S$1 million or 10% of an organisation's annual turnover in Singapore, whichever is higher (for organisations with turnover exceeding S$10 million). Beyond fines, non-compliance can lead to:

  • Public directions and enforcement notices
  • Reputational damage and loss of customer trust
  • Civil suits from affected individuals
  • Increased regulatory scrutiny in future audits

Best Practices to Reduce Data Breach Risk

Prevention is far cheaper than remediation. Here are foundational practices every Singapore organisation should implement:

1. Appoint a Qualified Data Protection Officer

Every organisation is required to designate at least one DPO whose contact details are publicly available. Ensure your DPO is trained and empowered to lead breach response.

2. Encrypt Sensitive Data

Encryption at rest and in transit dramatically reduces breach impact. If stolen data was encrypted and the keys were not exposed, the exception to notifying affected individuals may apply; you must still notify the PDPC if either threshold is met, and you will need to document the encryption controls that were in place.

3. Minimise Data Collection

Only collect personal data you genuinely need, and dispose of it securely when no longer required. The less data you hold, the smaller your breach exposure.

4. Use Secure Links for Shared Content

When sharing sensitive documents, forms, or portals externally, keep the access control in the platform itself (authentication, expiry dates, least-privilege sharing) rather than relying on an obscure URL; a link that anyone can open is not secured by being hard to guess. Trackable short links add monitoring on top of that: platforms like Lunyb let you create branded, monitored short URLs with click analytics, so a shared link being opened from unexpected locations or in unexpected volumes is an early signal that it has leaked. Read our honest review of Lunyb or explore other options in our 2026 buyer's guide to URL shorteners.

5. Train Employees Regularly

A large share of data breaches involve human error, such as misaddressed emails and successful phishing. Regular phishing simulations, secure handling workshops, and a clear, blame-free procedure for reporting suspected incidents dramatically reduce both the likelihood of a breach and the time it takes you to become aware of one.

6. Establish a Written Incident Response Plan

Documented playbooks with roles, escalation paths, and PDPC notification templates ensure you can respond within the statutory 3-day window, even under pressure.

Common Mistakes Organisations Make

From PDPC enforcement decisions published over the past few years, these are the recurring mistakes that lead to fines:

  • Delaying assessment: Waiting weeks to determine notifiability, blowing past the 30-day assessment window.
  • Under-scoping the breach: Reporting a smaller impact than actually occurred, then having to file corrections.
  • Poor documentation: Failing to log the breach timeline, decisions made, and remedial steps taken.
  • Vague notifications to individuals: Notifications that don't clearly explain what data was affected or what individuals should do.
  • No DPO in place: Small businesses that never appointed a DPO have no one to lead the response.

What to Do If You're a Data Intermediary

If your organisation processes personal data on behalf of another organisation (as a vendor or service provider), you have a duty to notify the primary organisation "without undue delay" once you become aware of a breach. The primary organisation then assumes the responsibility for notifying the PDPC and affected individuals.

Data intermediary agreements should clearly define breach notification obligations, timelines, and cooperation requirements. Both parties should keep records of communications for audit purposes.

Frequently Asked Questions

How long do I have to report a data breach to PDPC?

You have up to 30 days to assess whether the breach is notifiable. Once you determine it is, you must notify the PDPC as soon as practicable — no later than 3 calendar days from that determination.

Do I need to report every data breach, even small ones?

No. Only breaches that meet the significant harm threshold or affect 500 or more individuals require PDPC notification. However, you should document all breaches internally for compliance records and root cause analysis.

What happens if I don't notify the PDPC?

Failure to comply with mandatory notification obligations can result in financial penalties of up to S$1 million or 10% of your annual Singapore turnover (whichever is higher), plus enforcement directions, reputational damage, and civil claims.

Can I notify PDPC before I have all the details?

Yes. The PDPC accepts initial notifications with preliminary information and encourages organisations to submit follow-up updates as more details become available. Don't delay notification just because your investigation is incomplete.

Do I need to notify individuals if the data was encrypted?

Generally, no. If the affected data was encrypted or otherwise rendered inaccessible to unauthorised parties, and the keys or credentials needed to read it were not also compromised, the technological protection exception to individual notification typically applies. You must still notify the PDPC if either the significant harm or the scale threshold is met, and you should document the encryption controls in place so you can justify relying on the exception.

Final Thoughts

Reporting a data breach to the PDPC isn't just a legal obligation — it's an opportunity to demonstrate accountability, rebuild trust, and strengthen your organisation's security posture. The Singapore PDPA regime is designed to be practical: it expects prompt action, honest communication, and continuous improvement, not perfection.

Prepare in advance. Appoint a DPO, document your response plan, train your team, and invest in preventive controls like encryption, access management, and secure link sharing. When a breach happens — and statistically, it eventually will — you'll be ready to act within the required timelines and protect both your customers and your business.
