In our increasingly digitised world, data protection has become a key concern for individuals and businesses alike. Singapore, known for its robust regulatory framework, has established stringent measures to safeguard personal data through its Personal Data Protection Act (PDPA).
First enacted in 2012 and last amended in 2020, the PDPA establishes a comprehensive legal framework governing the collection, use, disclosure and care of personal data within the private sector in Singapore. Compliance with the PDPA is a priority for any company handling personal information in Singapore. In this article, we break down:
- The jurisdiction and applicability of the PDPA
- Main obligations under the PDPA
- Mandatory steps for PDPA compliance in Singapore
- How we can help
The jurisdiction and applicability of the PDPA
In Singapore, the Personal Data Protection Commission (PDPC) is the main authority that organisations liaise with on data protection matters. Part of the Infocomm Media Development Authority, it administers the PDPA and its subsidiary legislation, such as the Personal Data Protection Regulations 2021.
Scope coverage: who needs to comply with the PDPA
The PDPA applies to all private sector organisations in Singapore that handle personal data. If your company manages personal data relating to customers, employees or business partners in Singapore, you are required to comply with the PDPA.
Definition of personal data
Under the PDPA, personal data means data, whether true or not, about an individual who can be identified from that data on its own, or from that data together with other information the organisation has or is likely to have access to. Examples include an individual's full name, identification number (such as the National Registration Identity Card (NRIC) number), passport number, thumbprint, mobile number, email address and residential address. The Act applies to personal data held in both electronic and non-electronic forms.
International reach
Importantly, the PDPA can apply to organisations with no physical presence in Singapore. The key factor is whether the organisation collects, uses or discloses personal data in Singapore, not where it is incorporated. If your company is headquartered overseas but offers services to customers in Singapore, you will need to meet the PDPA obligations.
Exemptions and exclusions
That said, while the PDPA casts a wide net, there are specific exemptions and exclusions where the law does not apply or applies only in a limited way. Key instances include:
- Employees acting in the course of employment: The data protection obligations fall on the organisation, not on an employee acting in the course of employment, and the organisation remains liable for what its employees do with personal data on its behalf. Data protection training, which is a mandatory step for PDPA compliance, is therefore essential to reduce this risk. We’ll explain this below.
- Individuals in personal or domestic capacity: If you maintain a personal contacts list or collect data for your own family or household use, you’re typically not subject to PDPA obligations.
- Public agencies: Government ministries, departments and public agencies have other data governance rules, such as the Public Sector (Governance) Act, to adhere to.
- Business contact information: The PDPA also excludes business contact information that is provided for business purposes. This includes common professional details such as an individual's name, position or title, business telephone number, business address, and business email.
Main obligations under the PDPA
Accountability: Your company must be able to show how it manages personal data. This means developing and implementing the policies and practices needed to meet the PDPA obligations, and providing information on those policies, practices and your complaints procedure on request. You are also required to appoint a Data Protection Officer (DPO) and make the DPO’s business contact information available to the public.
Consent: Getting consent is fundamental under the PDPA. Before collecting, using or disclosing personal data, your company must obtain the individual’s consent, given knowingly and for purposes that have been notified to them, unless an exception under the Act applies (for example deemed consent or the legitimate interests exception). This means being transparent about why the data is being collected and how it will be used. Individuals may also withdraw their consent on reasonable notice at any time.
Purpose limitation: Your company is only permitted to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Notification: Individuals must be informed of the purposes for which their data is collected, used or disclosed on or before collection, and again before the data is used or disclosed for any purpose not already notified to them.
Accuracy: Reasonable efforts must be made to ensure that the personal data you collect is accurate and complete, particularly if it is likely to be used to make a decision that affects the individual (such as a loan or insurance application) or to be disclosed to another organisation.
Access and correction: On request, individuals have the right to access their personal data held by your company, to be told how that data has been used or disclosed in the year before the request, and to have errors or omissions corrected.
Protection: Your company must protect all personal data in its possession or control by making reasonable security arrangements. These measures should prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Retention limitation: Personal data should not be retained longer than necessary. Once it is reasonable to assume that the purpose for which the data was collected is no longer served by keeping it, and retention is no longer necessary for legal or business purposes, you must cease to retain the data or anonymise it.
Transfer limitation: You must ensure that personal data transferred outside Singapore receives a standard of protection comparable to that under the PDPA, for example through legally enforceable obligations such as contractual clauses or binding corporate rules with the recipient.
Data breach: If your company has reason to believe a data breach has occurred, it must assess, reasonably and expeditiously, whether the breach is notifiable. A breach is notifiable if it is likely to result in significant harm to the affected individuals, or if it is of a significant scale, meaning it affects 500 or more individuals. Once a breach is assessed as notifiable, you must notify the PDPC as soon as practicable and in any case within three calendar days, and, unless an exception applies (for example where remedial action or technological protection such as encryption makes significant harm unlikely), notify the affected individuals as soon as practicable.
Mandatory steps for PDPA compliance in Singapore
Beyond awareness of the PDPA, organisations must take proactive steps to ensure full compliance and robust data protection practices. From appointing a DPO to implementing thorough policies and procedures, adherence to the following mandatory steps is crucial in safeguarding personal data.
1. Appointment of a DPO
Under the PDPA, one of your key responsibilities is to appoint a DPO to oversee how your company manages personal data. The DPO acts as a focal point for data protection matters within your company, ensuring compliance with the PDPA and other relevant regulations.
2. Implementation of policies and procedures
At the same time, you’ll need to develop and implement a Data Protection Management Programme (DPMP) and other policies that guide the collection, use, disclosure and management of personal data. These should encompass consent mechanisms, data retention schedules, security measures, breach response protocols and guidelines for handling data access requests.
3. Conducting Data Protection Impact Assessments (DPIAs)
Before embarking on new projects or initiatives involving the processing of personal data, conduct a DPIA to identify and mitigate risks to individuals’ privacy. The PDPA does not name the DPIA as such, but the PDPC treats it as the expected way for an organisation to show it has met the accountability obligation for a new system or process. A DPIA identifies privacy risks, evaluates whether the data processing is necessary and proportionate, and records the measures adopted to address the risks found.
4. Scheduling employee data protection training
Your employees must also stay well-informed about your company’s data protection obligations. Regular training sessions and awareness programmes must be arranged to educate staff members on their responsibilities regarding the handling of personal data, including the importance of confidentiality, data accuracy and security measures.
5. Implementation of technical and organisational measures
Additionally, you'll need to implement appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration or destruction. This may include encryption, access controls, regular security assessments and the adoption of privacy-enhancing technologies.
6. Establishment of data breach response mechanisms
Should a data breach occur, there must be robust response mechanisms in place to promptly detect, contain and assess the breach and to mitigate its impact. This includes notifying the PDPC within three calendar days of determining that a breach is notifiable, notifying affected individuals as soon as practicable, taking remedial action to prevent recurrence, and recording the incident and your assessment even where you conclude that the breach is not notifiable, so that you can show the PDPC how the decision was reached.
7. Regular compliance audits and reviews
Finally, make it a priority to conduct compliance audits and reviews on a regular basis to ensure adherence to data protection requirements. Periodically assess your practices to identify areas for improvement. Corrective actions can then be taken to prevent lapses in data protection and penalties for non-compliance.
Potential fines for non-compliance
Non-compliance with the PDPA can result in severe penalties, including financial fines. For example, an integrated resort operator was fined SG$315,000 in 2025 for breaching the protection obligation. The PDPC may also issue directions and warnings or audit the organisation. Organisations found in breach of the PDPA can face financial penalties of up to 10% of their annual turnover in Singapore (where that turnover exceeds SG$10 million) or SG$1 million, whichever is higher. Note that enforcement decisions, including the breach and the penalty imposed, are published on the PDPC website.
How we can help
At its core, the PDPA reflects Singapore’s intent to maintain a trusted environment for innovation and commerce. It defines how personal data must be handled within and beyond Singapore’s borders.
But beyond compliance, data protection is increasingly essential to uphold the trust that different stakeholders have in your company. If we already support your company’s corporate or regulatory functions in Singapore, we can further assist you with the above steps to meet the PDPA requirements.
Alternatively, if you’re planning to set up here, this is another area our Singapore team can help with in addition to our range of corporate services. Speak to our team to learn more about our data protection solutions to strengthen your company’s governance in Singapore.