facebook-pixel

How to Report a Data Breach to PDPC Singapore: A Complete 2026 Guide

L
Lunyb Security Team
··10 min read

If your organisation has suffered a data breach in Singapore, you may be legally required to notify the Personal Data Protection Commission (PDPC) within specific timeframes under the Personal Data Protection Act (PDPA). Failure to notify correctly can lead to financial penalties of up to S$1 million or 10% of your annual turnover in Singapore, whichever is higher. This guide walks you through exactly how to report a data breach to PDPC, when notification is mandatory, and what information you need to submit.

What Is a Notifiable Data Breach Under the PDPA?

A notifiable data breach is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data that meets specific severity thresholds set by the PDPC. Under the Personal Data Protection (Amendment) Act 2020, effective from 1 February 2021, data breach notification became mandatory rather than voluntary.

A breach is considered notifiable if it either:

  1. Results in, or is likely to result in, significant harm to affected individuals; or
  2. Is of a significant scale, meaning it affects 500 or more individuals.

What Counts as "Significant Harm"?

The PDPC has prescribed specific categories of personal data that are deemed to cause significant harm if breached. These include:

  • Full name or alias combined with NRIC, FIN, or passport number
  • Financial information such as credit card numbers, bank account details, or income data
  • Medical or health information, including diagnoses, treatments, and mental health records
  • Life insurance and health insurance details
  • Information relating to adoption, sexual orientation, or private key used for authentication
  • Account credentials that could allow access to financial or health accounts

Mandatory Timelines for Reporting a Data Breach to PDPC

Timelines under the PDPA are strict and start running from the moment your organisation has reason to believe a breach has occurred. Missing these deadlines is a common source of enforcement action.

ActionTimelineApplies To
Assess whether breach is notifiableWithin 30 calendar days of becoming awareAll suspected breaches
Notify PDPCAs soon as practicable, no later than 3 calendar days after determining it is notifiableNotifiable breaches
Notify affected individualsAt the same time as, or after, notifying PDPCBreaches likely to cause significant harm
Data intermediary notifying data controllerWithout undue delay after becoming awareThird-party processors

When You Do NOT Need to Notify Affected Individuals

You may be exempt from notifying affected individuals (though you must still notify the PDPC) if:

  • You have implemented technological measures (such as strong encryption) that render the personal data inaccessible or unintelligible
  • You have taken remedial actions that prevent the risk of significant harm before individuals can be affected
  • A law enforcement agency has instructed you to delay notification for investigative reasons

Step-by-Step: How to Report a Data Breach to PDPC

The PDPC provides an online Data Breach Notification Form on its official portal. Here is the exact process to follow after a suspected breach is discovered.

Step 1: Contain the Breach Immediately

Before notification, your first priority is containment. This includes:

  1. Isolating affected systems from the network
  2. Revoking compromised credentials and issuing new ones
  3. Preserving logs and forensic evidence for investigation
  4. Engaging your incident response team or external cybersecurity consultants
  5. Notifying internal stakeholders including your Data Protection Officer (DPO), legal counsel, and senior management

Step 2: Assess Whether the Breach Is Notifiable

Conduct a documented assessment within 30 days. Consider the type of personal data involved, the number of individuals affected, the likelihood of harm, and whether any protective measures (such as encryption) reduce the impact. Keep this assessment on file even if you conclude notification is not required.

Step 3: Gather the Required Information

Before opening the notification form, prepare the following details:

  • Organisation name, UEN, and DPO contact information
  • Date and time the breach occurred and when it was discovered
  • Description of how the breach happened (e.g. phishing, misconfigured server, lost device)
  • Type and volume of personal data compromised
  • Number of affected individuals (or best estimate)
  • Containment and remediation actions taken
  • Plans for notifying affected individuals
  • Measures to prevent recurrence

Step 4: Submit the Notification Online

Access the PDPC Data Breach Notification form at pdpc.gov.sg via the "Report a Data Breach" section. You will need to log in using CorpPass. Complete all mandatory fields and upload any supporting documents such as forensic reports or communication drafts intended for affected individuals.

Step 5: Notify Affected Individuals

If the breach is likely to result in significant harm, notify affected individuals in a clear and easily understandable manner. Notifications can be sent via email, SMS, physical mail, or public announcement if direct contact is impractical. The notice should include:

  1. A description of the breach and when it occurred
  2. Types of personal data involved
  3. Potential consequences and risks
  4. Steps individuals can take to protect themselves (e.g. change passwords, monitor bank accounts)
  5. Contact details for further information

Step 6: Follow Up With Additional Information

If you did not have complete information at the time of initial notification, you must submit updates to the PDPC as more facts become available. The PDPC may also request additional information or clarification during their review.

What Happens After You Report a Data Breach to PDPC

After submission, the PDPC will acknowledge receipt and may open an investigation depending on the severity of the breach. Their review typically follows a structured process.

The PDPC's Review Process

  1. Acknowledgement: You will receive confirmation of your submission, usually within a few business days.
  2. Preliminary assessment: The PDPC evaluates whether further investigation is warranted.
  3. Information requests: Additional documents, interviews, or forensic reports may be requested.
  4. Determination: The PDPC decides whether the organisation has complied with the PDPA and whether enforcement action is required.
  5. Outcome: Possible outcomes include a warning, directions to improve practices, financial penalties, or a published decision.

Possible Penalties for Non-Compliance

Under the amended PDPA, the PDPC can impose financial penalties of up to S$1 million or 10% of an organisation's annual turnover in Singapore (whichever is higher) for serious contraventions. Beyond fines, the reputational impact of a published enforcement decision can be substantial for consumer trust.

Common Mistakes When Reporting Data Breaches

Even well-prepared organisations make procedural errors that worsen enforcement outcomes. Avoid these frequent pitfalls.

1. Delaying the Assessment

Many organisations wait for a "complete picture" before starting the notifiability assessment. The 30-day clock starts when you have reason to believe a breach occurred, not when the investigation is complete. Begin assessment immediately, in parallel with technical remediation.

2. Underestimating Data Sensitivity

NRIC numbers, health data, and financial details automatically trigger the "significant harm" threshold. Some organisations incorrectly conclude that publicly available information (like names and emails) combined with these identifiers does not qualify. It does.

3. Vague Individual Notifications

Notices that use legal jargon or downplay risks often prompt PDPC follow-up and public complaints. Write notifications in plain English, include actionable steps, and provide a genuine support channel.

4. Ignoring Data Intermediaries

If you use third-party vendors (cloud providers, payroll processors, marketing platforms), your contracts should require them to notify you promptly. A breach at your intermediary is your breach to report if you are the data controller.

5. Poor Documentation

The PDPC expects organisations to maintain a data breach management plan, breach register, and evidence of assessments — even for incidents ultimately deemed non-notifiable. Missing documentation is often what turns a manageable breach into an enforcement case.

Preventing Data Breaches Before They Happen

Notification is the last line of defence. A robust prevention programme reduces both the likelihood and severity of breaches, and demonstrates accountability to the PDPC even when incidents do occur.

Technical Safeguards

  • Encryption at rest and in transit for all personal data, particularly sensitive categories
  • Multi-factor authentication on all administrative and remote-access accounts
  • Network segmentation to prevent lateral movement during a compromise
  • Regular patching and vulnerability management
  • Encrypted DNS and secure web gateways to reduce phishing exposure
  • Secure link handling: When sharing sensitive URLs internally or with partners, use trusted shorteners that offer HTTPS, click analytics, and expiry controls. Tools like Lunyb can help teams track and control link distribution without exposing raw destination URLs in emails.

Organisational Safeguards

  • Appoint and empower a Data Protection Officer with clear authority
  • Conduct annual PDPA training for all staff, with role-specific modules for developers and customer service teams
  • Maintain an up-to-date data inventory and data flow map
  • Run tabletop exercises simulating breach scenarios at least once a year
  • Review third-party contracts to ensure breach notification clauses meet PDPA timelines

Real-World Example: A Simplified Breach Scenario

Consider a Singapore e-commerce company that discovers on 5 March that a database containing 8,000 customer records — including names, NRIC numbers, and delivery addresses — was accessed by an attacker exploiting an unpatched web server. Here is how the timeline should unfold:

DateAction
5 MarchBreach detected. Server isolated. DPO and management notified. Incident response begins.
6–10 MarchForensic investigation, log review, scope of exposure confirmed.
11 MarchAssessment concludes breach is notifiable (NRIC + 500+ individuals).
12 MarchPDPC notified via online form (within 3 days of determination).
13–14 MarchEmail notifications sent to all 8,000 affected customers with remediation guidance.
OngoingUpdates provided to PDPC as investigation progresses. Long-term controls implemented.

Related Reading

If you are strengthening your organisation's link and data handling practices as part of a broader PDPA compliance programme, these guides may help:

Frequently Asked Questions

How long do I have to report a data breach to PDPC in Singapore?

You must notify the PDPC as soon as practicable, and no later than 3 calendar days after determining that the breach is notifiable. The assessment itself must be completed within 30 days of becoming aware of the incident.

What is the difference between a data controller and a data intermediary under the PDPA?

A data controller (organisation) decides the purposes and means of processing personal data and holds primary notification obligations. A data intermediary processes personal data on behalf of the organisation and must notify the controller without undue delay after discovering a breach, but generally does not notify the PDPC directly.

Do I need to notify PDPC if the breached data was encrypted?

If encryption or similar technical measures render the personal data inaccessible or unintelligible to unauthorised parties, you may be exempt from notifying affected individuals. However, you are still expected to notify the PDPC if the breach meets the notifiability thresholds, and document why individual notification was deemed unnecessary.

What are the penalties for failing to report a data breach?

Under the amended PDPA, the PDPC can impose financial penalties of up to S$1 million or 10% of your organisation's annual turnover in Singapore, whichever is higher. Additional consequences include mandatory directions, reputational damage from published decisions, and potential civil claims from affected individuals.

Can I withdraw or amend a data breach notification after submission?

You cannot withdraw a notification, but you can and should submit updated information as your investigation progresses. If new facts materially change the assessment (for example, the number of affected individuals increases significantly), notify the PDPC promptly with the revised details.

Final Thoughts

Reporting a data breach to the PDPC is a structured process, but it is also a high-pressure one. The organisations that handle breaches best are those that prepared long before an incident occurred — with a documented response plan, trained staff, tested backups, and clear escalation paths. Treat every near-miss as a rehearsal, and every actual breach as an opportunity to demonstrate accountability under the PDPA. When in doubt, err on the side of notifying; the PDPC has consistently signalled that transparent, timely reporting is viewed more favourably than delayed or defensive responses.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles