facebook-pixel

How to Report a Data Breach to PDPC Singapore: 2026 Guide

L
Lunyb Security Team
··8 min read

If your organisation has suffered a data breach in Singapore, the Personal Data Protection Commission (PDPC) may need to be notified within a strict 3-day window. Under the Personal Data Protection Act (PDPA), failing to report a notifiable data breach can result in significant financial penalties and reputational damage. This guide walks you through exactly how to report a data breach to PDPC, what qualifies as notifiable, and how to handle the process from discovery to closure.

What Is a Data Breach Under Singapore's PDPA?

A data breach under Singapore's PDPA is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data, or the loss of any storage medium or device containing personal data. This definition covers both malicious cyber incidents and accidental exposures such as misdirected emails or lost laptops.

The Personal Data Protection (Amendment) Act 2020, which took effect on 1 February 2021, introduced the mandatory Data Breach Notification (DBN) obligation. This means organisations no longer have discretion to decide whether to report certain breaches — they must notify both the PDPC and affected individuals when the legal thresholds are met.

Examples of Data Breaches

  • Ransomware or hacking attacks exposing customer databases
  • Employees emailing personal data to the wrong recipient
  • Lost or stolen unencrypted USB drives and laptops
  • Misconfigured cloud storage buckets exposing files publicly
  • Insider theft of customer records
  • Phishing attacks compromising employee credentials with database access

When Must You Report a Data Breach to PDPC?

You must notify the PDPC if the data breach is deemed notifiable. A notifiable data breach is one that:

  1. Results in, or is likely to result in, significant harm to affected individuals; OR
  2. Is of a significant scale — affecting 500 or more individuals.

What Counts as "Significant Harm"?

The PDPA and its regulations prescribe specific categories of personal data that, if compromised, are presumed to cause significant harm. These include:

  • Full name or alias combined with NRIC/FIN/passport number
  • Financial information (bank accounts, credit card numbers, income details)
  • Health and medical information
  • Life and accident insurance information
  • Information about vulnerabilities, sexual life, or criminal offences
  • Photographs or video images of vulnerable individuals
  • Login credentials, biometric data, or account passwords

Notification Timelines at a Glance

EventTimelineParty to Notify
Assess whether breach is notifiableWithin 30 calendar days of discoveryInternal
Notify PDPC of notifiable breachAs soon as practicable, no later than 3 calendar days after assessmentPDPC
Notify affected individualsAs soon as practicable, on or after PDPC notificationIndividuals
Data intermediary notifies data controllerWithout undue delayMain organisation

Step-by-Step: How to Report a Data Breach to PDPC

Here is the practical workflow every Singapore organisation should follow when a breach is discovered.

Step 1: Contain the Breach Immediately

Before anything else, stop the bleeding. Actions may include:

  1. Isolating affected servers or systems from the network
  2. Resetting compromised passwords and revoking access tokens
  3. Recalling misdirected emails where possible
  4. Physically securing lost devices remotely (wipe if necessary)
  5. Engaging your incident response team or external forensics firm

Step 2: Assess the Scope and Severity

Your Data Protection Officer (DPO) should coordinate an assessment covering:

  • What personal data was involved and in what volume
  • How many individuals are affected
  • Whether the data was encrypted or otherwise protected
  • The likelihood the data will be misused
  • Whether the breach is contained or ongoing

You have up to 30 days to complete this assessment, but the PDPC expects organisations to act with reasonable expediency.

Step 3: Determine Notifiability

Apply the two-limb test:

  • Significant harm limb: Does the breach involve any prescribed personal data categories, or otherwise pose real risk of harm?
  • Significant scale limb: Does it affect 500 or more individuals?

If either limb is triggered, the breach is notifiable.

Step 4: Submit the Notification to PDPC

Notifications are submitted online via the PDPC's official data breach notification portal at eservice.pdpc.gov.sg. You will need to log in using Singpass or Corppass. The form requests:

  1. Organisation details and DPO contact information
  2. Date and time the breach was discovered
  3. Description of the breach and how it occurred
  4. Type and volume of personal data affected
  5. Number of affected individuals
  6. Cause of the breach (cyber attack, human error, system failure, etc.)
  7. Containment and remediation actions taken
  8. Whether affected individuals have been or will be notified

You must submit within 3 calendar days of concluding the breach is notifiable. If you don't yet have full information, submit an initial notification and update PDPC as the investigation progresses.

Step 5: Notify Affected Individuals

Where the breach is likely to cause significant harm, you must also notify the affected individuals in a manner they are reasonably likely to receive (email, SMS, letter, or public notice if contact details are unavailable). The notification should include:

  • A clear description of the breach
  • Types of personal data involved
  • Steps taken to address the breach
  • Information on what individuals can do to protect themselves
  • Contact details for further inquiries

Step 6: Cooperate With PDPC Follow-Up

After submission, the PDPC may request additional information, evidence of remediation, or documentation of your breach management plan. Respond promptly and preserve all logs and forensic evidence.

Exceptions: When You Don't Need to Notify Individuals

Even for a notifiable breach, you may be exempt from notifying individuals (though still required to notify PDPC) in these cases:

  • Remedial action taken: You've taken action that renders it unlikely the breach will cause significant harm — for example, if compromised data was strongly encrypted with keys not exposed.
  • Technological protection: The data is protected by technology that makes the personal data inaccessible or unusable.
  • Law enforcement instruction: The Commissioner or a law enforcement agency has directed you not to notify (typically to preserve an ongoing investigation).

Penalties for Non-Compliance

Failure to comply with the Data Breach Notification obligation is a serious matter. Under the amended PDPA, financial penalties can reach:

  • Up to 10% of annual turnover in Singapore for organisations with local turnover exceeding S$10 million; or
  • Up to S$1 million, whichever is higher

Beyond fines, the PDPC publishes enforcement decisions publicly, which can damage brand trust for years.

Preparing Before a Breach Happens

The best time to build a breach response plan is before you need one. Here's how to prepare.

Appoint a Data Protection Officer

Every Singapore organisation is legally required to designate a DPO and publish their contact details. The DPO leads breach assessment and PDPC liaison.

Build a Data Breach Management Plan

Document who does what within the first 24, 72, and 720 hours after discovery. Include escalation paths, external counsel contacts, forensic partners, and communications templates.

Maintain a Data Inventory

You cannot assess breach impact if you don't know what data you hold or where. Map data flows, storage locations, and retention periods.

Strengthen Preventive Controls

Reduce breach likelihood through:

  • Multi-factor authentication on all admin accounts
  • Encryption at rest and in transit
  • Least-privilege access controls
  • Regular staff training on phishing and data handling
  • Vetted vendors and data intermediary contracts with breach clauses
  • Careful handling of links shared with customers — using a trusted link management platform like Lunyb can help avoid credential-harvesting risks while giving you audit trails over shared URLs

Rehearse Tabletop Exercises

Run at least one simulated breach exercise annually. Test whether your team can complete the assessment, containment, and notification workflow within statutory timelines.

Common Mistakes to Avoid

  1. Delaying assessment: Waiting weeks to investigate uses up your notification window.
  2. Under-scoping the breach: Assuming lower affected numbers without evidence can trigger enforcement if PDPC finds otherwise.
  3. Skipping individual notification: Some organisations notify PDPC but fail to inform individuals, which is a separate obligation.
  4. Poor documentation: Without contemporaneous notes, defending your response decisions later becomes very difficult.
  5. Ignoring data intermediaries: Your vendors' breaches are your responsibility if they process personal data on your behalf.

Special Considerations for Data Intermediaries

If you are a data intermediary (a vendor processing personal data on behalf of another organisation), you have a duty to notify the main organisation of any breach without undue delay. The main organisation, not the intermediary, carries the obligation to notify PDPC and individuals — but your delay could put them in breach.

Related Reading

To learn more about protecting the links and data your organisation shares online, see our guides on the best URL shorteners of 2026 and whether Lunyb is a legitimate choice for secure link management. For teams considering paid platforms, our Rebrandly 2026 review covers enterprise link security features in depth.

Frequently Asked Questions

How long do I have to report a data breach to PDPC in Singapore?

You must notify the PDPC as soon as practicable, and no later than 3 calendar days after you determine the breach is notifiable. You have up to 30 days from discovery to complete that assessment, but regulators expect prompt action.

Do I need to report every data breach to PDPC?

No. Only notifiable breaches must be reported — those that cause or are likely to cause significant harm to individuals, or that affect 500 or more people. However, all breaches should be internally documented as part of your accountability obligations.

What happens if I don't report a notifiable breach?

Non-compliance can lead to financial penalties of up to S$1 million or 10% of annual Singapore turnover, whichever is higher. The PDPC also publishes enforcement decisions, which can significantly harm your organisation's reputation.

Do I need to notify affected individuals as well as PDPC?

Yes, if the breach is likely to cause significant harm. However, if you've taken remedial action that eliminates the risk (such as strong encryption with keys unaffected), or if law enforcement instructs otherwise, individual notification may be excused.

What if the breach happened at my vendor, not our company?

As the main organisation (data controller), you remain responsible for notifying PDPC and affected individuals. Your data intermediary must inform you without undue delay, but the statutory obligations to notify authorities and individuals sit with you. Ensure your vendor contracts contain clear breach notification clauses.

Where do I submit the data breach notification?

Notifications are submitted online via the PDPC's data breach notification e-service at eservice.pdpc.gov.sg, accessed using Singpass or Corppass. You can also update or supplement your notification as new information becomes available.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles