facebook-pixel

How to Report a Data Breach to PDPC Singapore: Complete 2026 Guide

L
Lunyb Security Team
··8 min read

Singapore's Personal Data Protection Act (PDPA) imposes strict data breach notification obligations on organisations handling personal data. Since the mandatory Data Breach Notification (DBN) regime came into force on 1 February 2021, businesses must promptly assess and report qualifying breaches to the Personal Data Protection Commission (PDPC) — or face financial penalties of up to S$1 million (or 10% of annual Singapore turnover for larger organisations).

This guide walks you through exactly how to report a data breach to PDPC Singapore, when notification is required, the strict 3-day and 72-hour deadlines, and what information you must include in your submission.

What Is a Notifiable Data Breach Under the PDPA?

A notifiable data breach under Singapore's PDPA is any unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data — or loss of storage media containing personal data — that meets specific severity thresholds.

Under Section 26B of the PDPA, a data breach is notifiable to the PDPC if it:

  1. Results in, or is likely to result in, significant harm to affected individuals; OR
  2. Is of a significant scale — meaning it affects 500 or more individuals.

What Counts as "Significant Harm"?

The Personal Data Protection (Notification of Data Breaches) Regulations 2021 prescribe categories of personal data whose compromise is deemed to cause significant harm. These include:

  • Full name combined with NRIC, FIN, work permit, or passport number
  • Financial account details (bank account numbers, credit/debit card numbers, CVV codes)
  • Health and medical information, including diagnoses, prescriptions, and treatment plans
  • Life, accident, or health insurance information
  • Adoption records or information relating to sexual abuse
  • Private key used to authenticate or sign electronic records
  • Information relating to a child's or young person's welfare

PDPC Data Breach Reporting Timelines You Must Know

Singapore's PDPA sets out clear, non-negotiable timelines for breach assessment and notification. Missing these deadlines is itself a violation.

ActionDeadlineLegal Basis
Assess whether breach is notifiableWithin 30 calendar days of becoming awareSection 26C PDPA
Notify PDPCAs soon as practicable, no later than 3 calendar days after determining notifiabilitySection 26D(1) PDPA
Notify affected individualsAt the same time or after PDPC notification (with exceptions)Section 26D(2) PDPA
Data intermediary notifies data controllerWithout undue delay upon awarenessSection 26A(2) PDPA

Note: The GDPR-style 72-hour clock is often referenced, but Singapore's PDPA uses "as soon as practicable, and in any case no later than 3 calendar days" — which effectively aligns to a 72-hour expectation.

Step-by-Step: How to Report a Data Breach to PDPC

Step 1: Contain the Breach Immediately

Before anything else, take immediate action to contain the incident. This might include:

  1. Isolating affected systems from the network
  2. Revoking compromised credentials and rotating API keys
  3. Disabling affected user accounts
  4. Preserving forensic evidence and system logs
  5. Engaging your incident response team or external forensics vendor

Step 2: Conduct a Breach Assessment

Within 30 days of awareness, assess whether the breach meets the notification threshold. Document:

  • What personal data was involved
  • How many individuals are affected
  • The likelihood and severity of harm
  • Whether any remedial actions (encryption, remote wipe) reduce the risk

Step 3: Submit the Notification via PDPC's Online Form

PDPC accepts data breach notifications through its official online portal at www.pdpc.gov.sg. Navigate to "Report a Data Breach" under the Complaints and Reviews section. You will need CorpPass credentials to log in on behalf of your organisation.

The online submission is preferred, but PDPC also accepts notifications by email to info@pdpc.gov.sg in urgent cases.

Step 4: Provide the Required Information

Your PDPC notification must include, to the best of your knowledge at the time:

  1. Facts of the breach — how, when, and where it occurred
  2. Number of affected individuals
  3. Categories of personal data compromised
  4. Potential harm to affected individuals
  5. Chronology of events and root cause (if known)
  6. Actions taken or planned to contain the breach
  7. Steps to mitigate harm to individuals
  8. Contact details of your Data Protection Officer (DPO)
  9. Whether affected individuals have been (or will be) notified

Step 5: Notify Affected Individuals

Unless an exception applies, you must notify affected individuals in a way that allows them to take protective action. Notifications should be clear, in plain language, and explain:

  • What happened and when
  • What personal data was affected
  • What steps the individual can take (e.g., change passwords, monitor accounts)
  • What your organisation is doing in response
  • Contact details for further inquiries

Step 6: Submit a Follow-Up Report

If your initial notification was incomplete, PDPC expects updates as investigations progress. Submit supplementary information as facts emerge, particularly the final root cause analysis and remediation measures.

Exceptions: When You Do NOT Need to Notify Individuals

Even for notifiable breaches, individual notification may not be required if:

  • The organisation has taken action (e.g., strong encryption) that renders it unlikely the breach will result in significant harm
  • The organisation has implemented remedial actions that prevent significant harm
  • A prescribed law enforcement agency instructs the organisation not to notify (e.g., to avoid compromising an investigation)
  • PDPC directs the organisation not to notify

Note: These exceptions apply only to notifying individuals — you must still notify PDPC.

Common Data Breach Scenarios in Singapore

Phishing and Business Email Compromise (BEC)

Attackers gain access to employee email accounts and exfiltrate customer records. If NRIC numbers or financial data are involved, this typically triggers notification.

Ransomware Attacks

Even when data is only encrypted (not exfiltrated), PDPC considers this a breach if personal data availability is affected. Modern ransomware groups routinely steal data before encryption, meaning exfiltration should be assumed unless proven otherwise.

Misconfigured Cloud Storage

Public S3 buckets, unsecured MongoDB instances, and open Elasticsearch clusters remain a leading cause of breaches. If personal data was accessible to unauthorised parties — even if you can't prove it was accessed — you may have a notifiable breach.

Lost or Stolen Devices

An unencrypted laptop containing a customer database is a classic notifiable breach. Full-disk encryption is one of the strongest defences and can qualify for the harm-mitigation exception.

Shortened Link Analytics Leaks

Businesses using URL shorteners should ensure the platform doesn't expose click data containing PII. Using a privacy-focused shortener like Lunyb helps prevent leakage of tracking data. For a broader comparison of shortener providers and their data handling, see our 2026 URL shortener buyer's guide.

Penalties for Non-Compliance

The consequences of failing to properly report a data breach to PDPC are significant and have grown sharper under the amended PDPA.

ViolationMaximum Penalty
Failure to notify PDPC of notifiable breachUp to S$1 million, or 10% of annual Singapore turnover (whichever is higher) for organisations with turnover exceeding S$10 million
Failure to notify affected individualsSame as above
Failure to conduct proper breach assessmentFinancial penalty and directions from PDPC
Failure to implement reasonable security arrangementsFinancial penalty (many recent cases in the S$10,000–S$75,000 range)

Building a Breach-Ready Organisation

Reporting a breach effectively depends on preparation done long before an incident occurs.

1. Appoint a Data Protection Officer (DPO)

The PDPA requires every organisation to appoint at least one DPO whose contact details are publicly available. The DPO leads breach response and PDPC communications.

2. Maintain a Data Breach Management Plan

Document your incident response procedures, escalation contacts, decision trees for notification, and communication templates. Test the plan through tabletop exercises at least annually.

3. Keep a Data Inventory

You cannot assess a breach quickly if you don't know what personal data you hold, where it lives, and who has access. Maintain a live data map.

4. Implement Strong Preventive Controls

  • Encrypt personal data at rest and in transit
  • Enforce multi-factor authentication on all administrative and cloud accounts
  • Apply least-privilege access controls
  • Use encrypted DNS and network segmentation
  • Patch systems promptly and monitor for vulnerabilities
  • Log and monitor all access to personal data repositories

5. Train Employees Regularly

Most breaches originate from human error — phishing, misdirected emails, weak passwords. Continuous training reduces this risk dramatically.

What Happens After You Notify PDPC?

Once PDPC receives your notification, they will typically:

  1. Acknowledge receipt within a few working days
  2. Request additional information or documentation
  3. Assess whether to open a formal investigation
  4. Issue directions on remediation, if warranted
  5. Determine whether financial penalties apply
  6. Publish enforcement decisions on the PDPC website (often anonymised for minor cases, named for serious ones)

Cooperation, transparency, and demonstrating prompt remedial action significantly influence PDPC's response. Organisations that self-report early, take responsibility, and implement genuine improvements often face lighter penalties than those that delay or obscure.

Frequently Asked Questions

Do I need to notify PDPC for every data breach?

No. Only breaches that result in (or are likely to result in) significant harm to affected individuals, or that affect 500 or more individuals, must be notified. However, you should document your assessment for all breaches — even those you decide are non-notifiable — in case PDPC later inquires.

What is the deadline to notify PDPC of a data breach?

You must notify PDPC as soon as practicable, and in any case no later than 3 calendar days after determining that the breach is notifiable. The determination itself must occur within 30 days of becoming aware of the breach.

Can I be fined even if I report the breach?

Yes. Notification is separate from liability. If your organisation failed to implement reasonable security measures, PDPC can still impose financial penalties. However, prompt notification and cooperation typically result in more lenient outcomes than concealment.

What if I'm a data intermediary (processor), not the data controller?

Data intermediaries must notify the organisation they process data for (the data controller) without undue delay upon becoming aware of a breach. The data controller then bears the responsibility for assessing and notifying PDPC and affected individuals.

Should I notify individuals before or after notifying PDPC?

You should notify PDPC first or at the same time as notifying individuals. Notifying individuals before PDPC is generally discouraged unless there's an urgent need for individuals to take protective action (e.g., to prevent immediate financial fraud).

Where can I find PDPC's official breach notification form?

The official Data Breach Notification form is available at www.pdpc.gov.sg under the "Report a Data Breach" section. You'll need CorpPass credentials to submit on behalf of your organisation.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles