How to Report a Data Breach to PDPC Singapore: A Complete Guide
If your organisation has suffered a data breach in Singapore, the clock is already ticking. Under the amended Personal Data Protection Act (PDPA), businesses are legally required to notify the Personal Data Protection Commission (PDPC) — and in many cases, affected individuals — when a notifiable data breach occurs. Failing to do so can result in financial penalties of up to S$1 million or 10% of annual turnover in Singapore, whichever is higher.
This guide walks you through exactly how to report a data breach to the PDPC, what qualifies as a notifiable breach, the timelines you must meet, and the documentation you'll need. Whether you're a compliance officer, IT lead, or small business owner, this article will help you respond confidently and lawfully.
What Is a Data Breach Under Singapore's PDPA?
A data breach under Singapore's PDPA is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data — or the loss of any storage medium or device on which personal data is stored. This definition, introduced under the Personal Data Protection (Amendment) Act 2020 and enforced from 1 February 2021, applies to all organisations that handle personal data of individuals in Singapore.
Common examples include:
- Ransomware attacks encrypting customer databases
- Employees emailing personal data to the wrong recipient
- Lost laptops or USB drives containing unencrypted client information
- Phishing attacks that expose login credentials
- Misconfigured cloud storage exposing files publicly
- Insider theft of customer records
Not every breach is notifiable, but every breach must be assessed. The moment you suspect a breach has occurred, your data breach response plan should be triggered.
When Must You Report a Data Breach to PDPC?
You must notify the PDPC when a data breach meets either of two thresholds under Singapore's Mandatory Data Breach Notification (MDBN) regime:
- Significant harm threshold: The breach is likely to result in significant harm to affected individuals. This includes financial loss, identity theft, physical harm, damage to reputation, or exposure of sensitive data such as NRIC numbers, financial account details, or medical records.
- Scale threshold: The breach affects, or is likely to affect, 500 or more individuals — regardless of harm severity.
If either threshold is met, notification is mandatory. If neither is met, notification is not required, but you must still document the breach internally and take remediation steps.
Notification Timelines You Must Meet
Timing is critical. Here are the statutory deadlines:
- Within 30 days of becoming aware of the breach: assess whether it is notifiable.
- As soon as practicable, and no later than 3 calendar days after determining that the breach is notifiable: notify the PDPC.
- As soon as practicable: Notify affected individuals if the breach is likely to cause significant harm (unless an exception applies).
Step-by-Step: How to Report a Data Breach to PDPC
Below is a practical, sequential process to follow once you become aware of a potential breach.
Step 1: Contain and Investigate
Before you notify anyone, contain the incident. Isolate affected systems, revoke compromised credentials, patch vulnerabilities, and preserve forensic evidence. Assemble your incident response team, including IT, legal, and your Data Protection Officer (DPO).
Step 2: Assess the Breach
Determine the scope: what data was affected, how many people, what kind of harm is likely, and whether either notification threshold has been met. Document your assessment methodology — the PDPC may request evidence of due diligence.
Step 3: Prepare Your Notification
Gather the required information for the PDPC's Data Breach Notification form, including:
- Organisation name and UEN
- DPO contact information
- Date and time of the breach and discovery
- Type and volume of personal data compromised
- Number of affected individuals
- Cause of the breach
- Actions taken to contain and remediate
- Plans to notify affected individuals
Step 4: Submit the Notification to PDPC
File your notification through the official PDPC website at pdpc.gov.sg. Navigate to the "Report a Data Breach" section and complete the online Data Breach Notification Form. You'll need CorpPass credentials to log in. If online submission isn't possible, you may email the completed form to the PDPC directly.
Step 5: Notify Affected Individuals
If the significant harm threshold is met, notify affected individuals in a clear, timely manner. Notifications should describe the breach, the data involved, the potential consequences, steps individuals can take to protect themselves, and how your organisation is responding. Use email, SMS, letter, or public notice depending on circumstances.
Step 6: Follow Up and Remediate
Submit follow-up updates to the PDPC as new information emerges. Complete a post-incident review, update your policies, retrain staff, and strengthen technical controls to prevent recurrence.
Notification Thresholds at a Glance
| Criteria | PDPC Notification Required? | Individual Notification Required? |
|---|---|---|
| Breach likely to cause significant harm | Yes — within 3 days | Yes — as soon as practicable |
| Breach affects 500+ individuals (no significant harm) | Yes — within 3 days | Not required |
| Breach affects <500 individuals, no significant harm | No (document internally) | No |
| Data was encrypted or rendered inaccessible | Generally no — assess case-by-case | Generally no |
What Counts as "Significant Harm"?
The PDPC provides guidance on data categories that are presumed to cause significant harm if breached. These include:
- Full name combined with NRIC/FIN/passport number
- Financial account numbers, credit card details, or CVVs
- Medical, health, or psychological information
- Information about vulnerable individuals (minors, persons with disabilities)
- Private records such as adoption or criminal history
- Information that could enable identity theft or fraud
If your breach involves any of these categories, you should presume the significant harm threshold is met and prepare to notify both PDPC and affected individuals.
Exceptions to Individual Notification
You are not required to notify affected individuals in a few specific scenarios:
- Technological protection: The compromised data was encrypted or otherwise rendered inaccessible to unauthorised parties.
- Remedial action: Your organisation has taken action that makes significant harm unlikely (e.g., rapid password resets, revoked access tokens).
- Law enforcement directive: A prescribed law enforcement agency or the PDPC has directed you not to notify.
Even when notification to individuals isn't required, you still must notify the PDPC if the scale or harm threshold is met.
Penalties for Non-Compliance
Since 1 October 2022, the PDPC can impose financial penalties of up to S$1 million or 10% of an organisation's annual turnover in Singapore, whichever is higher (for organisations with turnover exceeding S$10 million). Beyond fines, non-compliance can lead to:
- Public directions and enforcement notices
- Reputational damage and loss of customer trust
- Civil suits from affected individuals
- Increased regulatory scrutiny in future audits
Best Practices to Reduce Data Breach Risk
Prevention is far cheaper than remediation. Here are foundational practices every Singapore organisation should implement:
1. Appoint a Qualified Data Protection Officer
Every organisation is required to designate at least one DPO whose contact details are publicly available. Ensure your DPO is trained and empowered to lead breach response.
2. Encrypt Sensitive Data
Encryption at rest and in transit dramatically reduces breach impact. If encrypted data is stolen, the exception to notifying affected individuals may apply, although the PDPC must still be notified where the scale or harm threshold is met.
3. Minimise Data Collection
Only collect personal data you genuinely need, and dispose of it securely when no longer required. The less data you hold, the smaller your breach exposure.
4. Use Secure Links for Shared Content
When sharing sensitive documents, forms, or portals externally, use secure, trackable short links rather than exposing raw URLs. Platforms like Lunyb allow you to create branded, monitored short URLs with click analytics, so you can detect suspicious activity early. Read our honest review of Lunyb or explore other options in our 2026 buyer's guide to URL shorteners.
5. Train Employees Regularly
The majority of data breaches involve human error. Regular phishing simulations, secure handling workshops, and clear reporting procedures dramatically reduce risk.
6. Establish a Written Incident Response Plan
Documented playbooks with roles, escalation paths, and PDPC notification templates ensure you can respond within the statutory 3-day window, even under pressure.
Common Mistakes Organisations Make
From PDPC enforcement decisions published over the past few years, these are the recurring mistakes that lead to fines:
- Delaying assessment: Waiting weeks to determine notifiability, blowing past the 30-day assessment window.
- Under-scoping the breach: Reporting a smaller impact than actually occurred, then having to file corrections.
- Poor documentation: Failing to log the breach timeline, decisions made, and remedial steps taken.
- Vague notifications to individuals: Notifications that don't clearly explain what data was affected or what individuals should do.
- No DPO in place: Small businesses that never appointed a DPO have no one to lead the response.
What to Do If You're a Data Intermediary
If your organisation processes personal data on behalf of another organisation (as a vendor or service provider), you have a duty to notify the primary organisation "without undue delay" once you become aware of a breach. The primary organisation then assumes the responsibility for notifying the PDPC and affected individuals.
Data intermediary agreements should clearly define breach notification obligations, timelines, and cooperation requirements. Both parties should keep records of communications for audit purposes.
Frequently Asked Questions
How long do I have to report a data breach to PDPC?
You have up to 30 days to assess whether the breach is notifiable. Once you determine it is, you must notify the PDPC as soon as practicable — no later than 3 calendar days from that determination.
Do I need to report every data breach, even small ones?
No. Only breaches that meet the significant harm threshold or affect 500 or more individuals require PDPC notification. However, you should document all breaches internally for compliance records and root cause analysis.
What happens if I don't notify the PDPC?
Failure to comply with mandatory notification obligations can result in financial penalties of up to S$1 million or 10% of your annual Singapore turnover (whichever is higher), plus enforcement directions, reputational damage, and civil claims.
Can I notify PDPC before I have all the details?
Yes. The PDPC accepts initial notifications with preliminary information and encourages organisations to submit follow-up updates as more details become available. Don't delay notification just because your investigation is incomplete.
Do I need to notify individuals if the data was encrypted?
Generally, no. If the affected data was encrypted or otherwise rendered inaccessible to unauthorised parties, the exception to individual notification typically applies. You should still notify the PDPC if the scale threshold is met and document the encryption controls in place.
Final Thoughts
Reporting a data breach to the PDPC isn't just a legal obligation — it's an opportunity to demonstrate accountability, rebuild trust, and strengthen your organisation's security posture. The Singapore PDPA regime is designed to be practical: it expects prompt action, honest communication, and continuous improvement, not perfection.
Prepare in advance. Appoint a DPO, document your response plan, train your team, and invest in preventive controls like encryption, access management, and secure link sharing. When a breach happens — and statistically, it eventually will — you'll be ready to act within the required timelines and protect both your customers and your business.