facebook-pixel

How to Report a Data Breach to PDPC Singapore: A Step-by-Step Guide

L
Lunyb Security Team
··10 min read

If your organisation has suffered a data breach in Singapore, you may be legally required to notify the Personal Data Protection Commission (PDPC) within a strict timeframe. Since the Personal Data Protection (Amendment) Act 2020 came into force on 1 February 2021, mandatory data breach notification has become one of the most important compliance obligations for any business handling personal data in Singapore.

This guide walks you through exactly how to report a data breach to the PDPC, when notification is required, what information you must submit, and how to prepare your organisation to respond effectively.

What Is a Data Breach Under Singapore's PDPA?

A data breach under Singapore's Personal Data Protection Act (PDPA) refers to any unauthorised access, collection, use, disclosure, copying, modification, disposal, or loss of personal data. This includes both malicious incidents (like hacking or ransomware) and accidental events (such as emailing personal data to the wrong recipient or losing an unencrypted USB drive).

The PDPC treats data breaches seriously because they can expose individuals to identity theft, financial fraud, reputational harm, or physical danger. Under the amended PDPA, organisations have a positive legal duty to assess, contain, and report qualifying breaches.

Common Examples of Reportable Breaches

  • Ransomware or malware attacks that expose customer databases
  • Phishing attacks resulting in credential compromise
  • Lost or stolen laptops, phones, or storage devices containing personal data
  • Misconfigured cloud storage buckets exposing files publicly
  • Employees accessing personal data without authorisation
  • Accidental disclosure via email, mail merge, or file sharing errors

When Must You Notify the PDPC?

Not every data breach is notifiable. Under Section 26B of the PDPA, you must notify the PDPC only if the breach meets one of two thresholds: it is likely to result in significant harm to affected individuals, or it is of a significant scale (500 or more individuals affected).

Threshold 1: Significant Harm to Individuals

A breach is deemed likely to cause significant harm if it involves prescribed categories of personal data, such as:

  • Full name or alias combined with NRIC/FIN/passport numbers
  • Financial information (bank account, credit card details, transaction history)
  • Health and medical information
  • Information about vulnerable individuals (e.g., minors)
  • Login credentials to accounts containing the above
  • Adoption, sexual, or domestic abuse-related information

Threshold 2: Significant Scale (500+ Individuals)

Any breach affecting 500 or more individuals must be notified to the PDPC, regardless of whether the data is considered sensitive. If you cannot determine the exact number quickly, you must still notify based on a reasonable estimate.

The 72-Hour and 30-Day Rule: Notification Timelines

Timelines under the PDPA are strict. Missing them can lead to enforcement action and financial penalties of up to 10% of annual Singapore turnover (for organisations with turnover exceeding SGD 10 million) or SGD 1 million, whichever is higher.

  1. Assessment period: You must complete your breach assessment in a reasonable and expeditious manner — generally within 30 calendar days of becoming aware of the incident.
  2. Notify PDPC: Once a breach is confirmed as notifiable, you must inform the PDPC as soon as practicable, and no later than 3 calendar days (72 hours).
  3. Notify affected individuals: If the breach is likely to cause significant harm, affected individuals must also be notified at the same time or after PDPC notification.

Step-by-Step: How to Report a Data Breach to PDPC

Here is the practical, end-to-end process for reporting a data breach to the PDPC in Singapore.

Step 1: Contain the Breach Immediately

Before anything else, take reasonable steps to contain the incident. This may include disconnecting affected systems, revoking compromised credentials, isolating infected devices, disabling exposed APIs, or recovering lost physical media. Document every action taken and the time it was taken.

Step 2: Assemble Your Breach Response Team

Bring together your Data Protection Officer (DPO), IT/security lead, legal counsel, communications team, and executive sponsor. If you don't yet have a designated DPO, appointing one is a legal requirement under the PDPA.

Step 3: Conduct a Breach Assessment

Assess the nature and scope of the breach:

  • What personal data was involved?
  • How many individuals are affected?
  • What is the likely impact on those individuals?
  • Is the breach ongoing or contained?
  • Does it meet the notification thresholds (significant harm or 500+ individuals)?

Step 4: Submit the Notification via PDPC's Online Form

The PDPC provides an official Data Breach Notification Form on its website. Navigate to pdpc.gov.sg and locate the "Report a Data Breach" section. The form is submitted online and requires details covered in the next section.

Step 5: Notify Affected Individuals (If Required)

If the breach is likely to cause significant harm, notify each affected individual clearly and directly, explaining the incident, what data was involved, potential consequences, and steps they can take (e.g., changing passwords, monitoring bank statements). Notification can be waived only if the PDPC directs you to, or if remedial actions have made harm unlikely.

Step 6: Document Everything

Keep detailed records of the incident, your assessment, the notification, and remedial steps. The PDPC may request this information during any follow-up review.

Information You Must Include in the Notification

The PDPC's Data Breach Notification Form asks for specific details. Prepare the following before submitting:

CategoryRequired Information
Organisation DetailsCompany name, UEN, DPO name and contact information
Incident OverviewDate and time of breach, date of discovery, how it was discovered
Nature of BreachType of incident (cyberattack, human error, physical loss, etc.)
Data InvolvedCategories of personal data affected (NRIC, financial, health, etc.)
ScaleEstimated number of affected individuals
Impact AssessmentLikely harm to individuals and mitigating factors
Containment ActionsSteps already taken to contain and remediate
Individual NotificationWhether and how affected individuals will be informed
Preventive MeasuresActions planned to prevent recurrence

What Happens After You Notify the PDPC?

After submission, the PDPC will acknowledge receipt and may follow up with additional questions, requests for evidence, or a formal investigation. Cooperate fully — voluntary cooperation and proactive remediation are considered mitigating factors in any enforcement decision.

The PDPC may:

  • Close the case with no further action if handled well
  • Issue guidance or a warning
  • Impose directions to strengthen protection measures
  • Levy a financial penalty for significant lapses
  • Publish the decision publicly (many enforcement decisions are published on the PDPC website)

Penalties for Non-Compliance

Failing to notify a qualifying breach — or delaying notification — is itself a breach of the PDPA. Since October 2022, the maximum financial penalty has been increased to 10% of an organisation's annual turnover in Singapore (for turnover above SGD 10 million) or SGD 1 million, whichever is higher.

Beyond fines, organisations face reputational damage, customer loss, potential civil claims, and — for regulated sectors like finance and healthcare — additional regulatory action from MAS, MOH, or other bodies.

How to Prepare Before a Breach Happens

The best time to prepare for a data breach is long before one occurs. A well-rehearsed response plan can be the difference between a manageable incident and a regulatory crisis.

1. Appoint and Empower a DPO

Every organisation in Singapore must appoint a Data Protection Officer whose contact details are publicly available. Ensure your DPO has both the authority and resources to act during a breach.

2. Maintain a Data Inventory

You cannot assess a breach quickly if you don't know what data you hold, where it lives, and who has access. Maintain an up-to-date data map covering systems, third-party processors, and cross-border transfers.

3. Build an Incident Response Plan

Document a clear playbook covering detection, containment, assessment, notification, and post-incident review. Assign roles and run tabletop exercises at least annually.

4. Strengthen Technical Controls

Encrypt personal data at rest and in transit, enforce multi-factor authentication, monitor for anomalous access, patch systems promptly, and restrict access on a need-to-know basis. When sharing links containing potentially sensitive references, use privacy-respecting tools — for example, a secure link management platform like Lunyb lets you shorten and manage URLs without exposing underlying parameters publicly. For a broader comparison of link management tools, see our 2026 buyer's guide to URL shorteners.

5. Vet Your Data Intermediaries

Under the PDPA, you remain accountable for personal data even when it is processed by vendors. Include breach notification obligations in every data processing contract, and audit critical vendors regularly.

Common Mistakes Organisations Make

  • Waiting too long to assess: The 30-day assessment window is a maximum, not a target. Fast action matters.
  • Notifying too narrowly: When in doubt, err on the side of notification. The PDPC treats over-reporting more favourably than under-reporting.
  • Vague individual notifications: Affected individuals need concrete, actionable information — not corporate legalese.
  • Failing to document: Even non-notifiable breaches must be documented internally for at least three years.
  • Ignoring root cause: A breach that recurs because underlying issues weren't fixed will be viewed as an aggravating factor.

Exceptions: When You Don't Need to Notify Individuals

You may not need to notify affected individuals (though PDPC notification is still required) if:

  • You have taken remedial actions that make significant harm unlikely (e.g., data was strongly encrypted and keys were not compromised)
  • The PDPC has directed you not to notify individuals
  • A law enforcement agency has instructed you to delay notification to preserve an investigation

These exceptions are narrow and should be relied upon only after documented assessment and, ideally, legal advice.

FAQ: Reporting a Data Breach to PDPC Singapore

1. How quickly must I report a data breach to the PDPC?

Once you have determined that a breach is notifiable, you must inform the PDPC as soon as practicable, and no later than 3 calendar days (72 hours) from that determination. Your assessment itself should be completed expeditiously — generally within 30 days of becoming aware of the incident.

2. Do I need to report every data breach?

No. Only breaches that are likely to result in significant harm to individuals, or that affect 500 or more individuals, must be notified to the PDPC. However, you should document all breaches internally, including near misses, to demonstrate accountability.

3. What if I discover the breach was caused by a third-party vendor?

You remain the accountable organisation under the PDPA even when a data intermediary caused the breach. You must still notify the PDPC and affected individuals. Your vendor contracts should require immediate notification to you, and you should retain the right to audit their security controls.

4. Can I be fined even if I report the breach voluntarily?

Yes, financial penalties can still apply if the underlying breach resulted from inadequate protection measures. However, prompt notification, cooperation with the PDPC, and effective remediation are recognised mitigating factors and often result in significantly reduced penalties or no penalty at all.

5. Where exactly do I submit the notification?

Notifications are submitted via the official Data Breach Notification Form on the PDPC website (pdpc.gov.sg). The form can be completed online and requires details about your organisation, the nature of the breach, the data and individuals affected, and the remedial steps taken. Save a copy of your submission for your records.

Final Thoughts

Reporting a data breach to the PDPC is not just a legal box to tick — it is a test of your organisation's maturity, transparency, and commitment to the individuals whose data you hold. The organisations that emerge strongest from breaches are those that prepared in advance, acted quickly, communicated honestly, and used the incident as a catalyst for lasting improvement.

If you handle personal data in Singapore, treat the PDPA breach notification obligation as a live risk today, not a hypothetical concern. Build the playbook, train the team, and make sure your DPO knows exactly what to do when the alert comes in at 2 a.m.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles