Singapore Data Privacy Laws: Complete PDPA Compliance Guide (2026)

Singapore regulates personal data collection, use, and disclosure through the Personal Data Protection Act 2012 (PDPA), enforced by the Personal Data Protection Commission. The PDPA imposes 9 binding data protection obligations on all private-sector organizations and was significantly strengthened by the Personal Data Protection (Amendment) Act 2020.
Singapore has built one of Asia-Pacific's most comprehensive data privacy frameworks. The Personal Data Protection Act 2012 (PDPA) governs how private-sector organizations collect, use, disclose, and manage personal data. It is enforced by the Personal Data Protection Commission (PDPC), a statutory body under the Infocomm Media Development Authority (IMDA).
The PDPA went through its most significant overhaul with the Personal Data Protection (Amendment) Act 2020, passed by Parliament in November 2020. These amendments introduced mandatory breach notification, higher penalties, expanded consent exceptions, and a data portability framework. The changes were phased in starting 1 February 2021, with the enhanced penalty regime taking effect on 1 October 2022.
This guide covers everything you need to know about Singapore's data privacy laws as of 2026, including the 9 data protection obligations, the consent framework and its exceptions, the mandatory DPO requirement, breach notification rules, penalties, the Do Not Call registry, cross-border transfer rules, AI governance guidance, and recent regulatory developments.
Quick Answer: Singapore's Data Privacy Law
Singapore's primary data privacy law is the Personal Data Protection Act 2012. It is enforced by the PDPC and applies to all private-sector organizations operating in Singapore. The law requires organizations to obtain consent before collecting personal data, notify individuals of collection purposes, protect data with reasonable security measures, and appoint a Data Protection Officer. Financial penalties can reach SGD 1 million or 10% of annual Singapore turnover for larger organizations. The Do Not Call registry supplements the PDPA by restricting unsolicited marketing communications.
The Legislative Framework: PDPA 2012 and the 2020 Amendments
The PDPA was enacted in October 2012 and came into full force in July 2014. It established the first comprehensive data protection regime in Singapore, replacing a patchwork of sector-specific rules with a single statute covering all private-sector personal data processing.
The Personal Data Protection (Amendment) Act 2020
The Personal Data Protection (Amendment) Act 2020 was the most significant set of changes to the PDPA since its enactment. Parliament passed the bill on 2 November 2020. The amendments addressed several gaps that had become apparent in the years since the PDPA took effect.
Mandatory data breach notification (Part VIA) was a major addition. Before the 2020 amendments, organizations had discretion over whether to report breaches to the PDPC. The new rules made notification mandatory for qualifying breaches and set firm timelines.
Expanded consent exceptions reduced the compliance burden for common business activities. The amendments added deemed consent by notification, deemed consent by contractual necessity, the legitimate interests exception, and the business improvement exception. These give organizations more flexibility to process data without relying solely on express consent.
Higher financial penalties were introduced but set to take effect later. The 2020 bill raised the maximum penalty from SGD 1 million to the higher of SGD 1 million or 10% of annual turnover in Singapore for organizations exceeding SGD 10 million turnover. These enhanced penalties came into force on 1 October 2022 to give organizations time to adjust.
Data portability provisions were legislated under Part VIB but left to commence at a future date pending implementing regulations.
Criminal liability for egregious misuse was added. Individuals who knowingly or recklessly obtain, use, or disclose personal data without authorization, for wrongful gain or to cause harm, now face criminal penalties.
Key Subordinate Legislation
The PDPA is supported by several pieces of delegated legislation, including the Personal Data Protection Regulations 2021 (which set out cross-border transfer mechanisms and breach notification procedures) and the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (which specify the form and content of breach notifications).

The Personal Data Protection Commission (PDPC)
The PDPC is Singapore's data protection supervisory authority. It was established under the PDPA and operates as a division of the Infocomm Media Development Authority (IMDA). Its functions include:
- Promoting awareness of data protection obligations among organizations and individuals
- Handling complaints and conducting investigations
- Issuing advisory guidelines and codes of practice
- Imposing financial penalties and issuing directions for non-compliance
- Engaging in international cooperation on data protection matters
The PDPC issues advisory guidelines that, while not legally binding, represent the PDPC's considered interpretation of the PDPA and strongly influence how organizations structure their compliance programs. In practice, organizations that follow the advisory guidelines are unlikely to face enforcement action on those issues.
The Commission operates a complaints portal where individuals can file complaints about alleged PDPA breaches. Before filing a complaint, individuals are encouraged to raise the issue directly with the organization first. The PDPC assesses each complaint and decides whether to investigate, mediate, or take no further action.
Who Does the PDPA Apply To?
The PDPA applies to all private-sector organizations in Singapore that collect, use, or disclose personal data. This includes companies, associations, partnerships, sole proprietors, and any body of persons, whether corporate or unincorporated.
There are important exclusions. Public agencies (government ministries, statutory boards, and organs of state) are not covered by the PDPA's data protection provisions. They follow their own internal data governance policies instead.
The 2020 amendments narrowed this exclusion in one respect. The blanket exemption for organizations acting on behalf of public agencies was removed. Contractors and service providers working for government bodies are now subject to PDPA obligations, even though the public agency itself remains excluded.
The PDPA also does not apply to personal data about individuals in their capacity as employees of an organization. Employee data falls under a separate framework, though organizations are still expected to handle such data responsibly.
What Counts as Personal Data?
Under the PDPA, "personal data" means data, whether true or not, about an individual who can be identified from that data, or from that data combined with other information the organization has or is likely to have access to.
This definition is broad. It covers names, NRIC numbers, phone numbers, email addresses, photographs, IP addresses when linkable to an individual, biometric data, and any other information that can identify a specific person. Business contact information (name, title, business email, business phone) is not personal data for the purposes of the PDPA. Anonymized data also falls outside the PDPA, since it can no longer identify an individual. Pseudonymized data, which can be re-identified with additional information, remains personal data.
The 9 Data Protection Obligations
The core of the PDPA is built around 9 data protection obligations that every covered organization must follow. These obligations govern the entire lifecycle of personal data from collection through disposal.
1. Consent Obligation
Organizations may only collect, use, or disclose personal data with the individual's knowledge and consent. Consent can be express (written or verbal) or deemed (implied from the individual's conduct or notification).
The 2020 amendments significantly expanded the consent framework. Organizations can now rely on several additional bases beyond express consent.
Deemed consent by contractual necessity applies where personal data is necessary to perform a contract with the individual or to respond to their request before entering a contract. The data collection must be genuinely necessary, not merely convenient.
Deemed consent by notification applies where the organization gives clear notice of the purpose and provides a reasonable opt-out mechanism, and the individual does not opt out. This is appropriate for incidental data uses that individuals would reasonably expect.
The legitimate interests exception allows processing without consent where a legitimate interest of the organization or a third party outweighs any adverse effect on the individual. The organization must conduct a prior assessment of the likely adverse effects. Detection or prevention of illegal activity is one recognized legitimate interest. The PDPC issued its first enforcement decision applying this exception in March 2023, providing clearer guidance on its scope.
The business improvement exception allows processing for improving operational efficiency, developing or enhancing goods or services, understanding customer behavior and preferences, or personalizing offerings. It does not require adverse-effect balancing, but is limited to the organization and its related companies. It cannot be used if the processing would adversely affect the individual.
Individuals may withdraw consent at any time with reasonable notice. Organizations must inform them of the likely consequences and cease processing once consent is withdrawn. An organization cannot make consent a condition for products or services beyond what is reasonably required to deliver them.
2. Purpose Limitation Obligation
Organizations may only collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. The purpose must be one the individual has been informed of and consented to, or a recognized exception applies.
This obligation prevents scope creep. Data collected for one purpose cannot be repurposed for something unrelated without fresh consent or a valid exception.
3. Notification Obligation
Before or at the time of collecting personal data, organizations must notify individuals of the purposes for which the data will be collected, used, or disclosed. This is typically done through a privacy notice or data protection policy.
The notification must be clear, specific, and accessible. Vague or overly broad purpose statements do not satisfy this obligation. If purposes change, fresh notification is required before the new use begins.
4. Access and Correction Obligation
On request, organizations must provide individuals with access to their personal data held by the organization, and information about how that data has been used or disclosed in the past year.
Individuals also have the right to request corrections to inaccurate personal data. If the organization is satisfied the correction is warranted, it must make the change and notify any organization that received the original data in the preceding year.
Organizations may charge a reasonable fee for access requests. They cannot charge for correction requests.
5. Accuracy Obligation
Organizations must make reasonable efforts to ensure that personal data is accurate and complete, particularly if it will be used to make a decision affecting the individual or will be disclosed to another organization.
6. Protection Obligation
Organizations must implement reasonable security arrangements to protect personal data from unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
What is "reasonable" depends on the nature of the data, how it is stored, and the potential harm from a breach. The PDPC consistently holds that organizations need both technical safeguards (encryption, access controls, monitoring, patching) and administrative safeguards (policies, staff training, incident response plans, vendor management).
This obligation is the basis for most PDPC enforcement actions. The Commission has found repeated failures in areas such as outdated operating systems, weak password policies, absence of multi-factor authentication, and lack of vendor security review.
7. Retention Limitation Obligation
Organizations must cease retaining personal data, or remove the means by which it can be associated with a particular individual, as soon as it is reasonable to assume that the purpose for which it was collected is no longer being served and retention is no longer necessary for legal or business purposes.
Organizations should establish data retention schedules and regularly audit whether continued retention of specific data sets is justified.
8. Transfer Limitation Obligation
Organizations may only transfer personal data outside Singapore if the receiving party provides a standard of protection comparable to the PDPA. "Comparable" does not mean identical; the recipient must offer meaningful safeguards. This obligation is covered in detail in the cross-border transfers section below.
9. Openness Obligation
Organizations must make information about their data protection policies and practices available to the public on request. This includes information about how personal data is managed, the types of data held, and how individuals can contact the DPO. In practice, this obligation is satisfied by publishing a clear and accessible privacy policy and ensuring the DPO's contact details are easy to find.

The Mandatory Data Protection Officer (DPO)
One of the most operationally significant requirements under the PDPA is the mandatory appointment of a Data Protection Officer. Under Section 11(3) of the PDPA, every covered organization must designate at least one individual to be responsible for ensuring the organization complies with the PDPA.
What Makes Singapore's DPO Requirement Distinctive
Unlike the EU GDPR, which only mandates a DPO in certain circumstances (large-scale systematic monitoring or sensitive data processing), Singapore's requirement applies to all covered organizations regardless of size or industry. A sole proprietor with a handful of customer records must appoint a DPO just as a multinational bank must.
Public Contact Information Requirement
Under Section 11(5) of the PDPA, the business contact information of at least one DPO must be made publicly accessible. This information must be reachable from Singapore, operational during Singapore business hours, and if a phone number is provided, it must be a Singapore telephone number. Organizations typically publish the DPO's email address or a dedicated data protection email address on their website.
Registration: From BizFile+ to the PDPC Portal
From 1 December 2024, organizations can no longer register their DPO's contact information through ACRA's BizFile+ portal. The PDPC moved DPO registration to its own online form on the PDPC website. Organizations that previously registered through BizFile+ should ensure their records are updated through the new channel.
Who Can Serve as DPO?
The PDPA does not specify qualifications for the role. The PDPC has published a Competency Framework and Training Roadmap for DPOs, which describes the knowledge and skills expected at different levels. In practice, the DPO can be:
- A dedicated senior staff member in a standalone DPO role
- An existing employee (such as a legal, compliance, or IT manager) who takes on DPO responsibilities in addition to other duties
- An external professional or firm appointed as a "virtual DPO" to carry out the function on an outsourced basis
The PDPC recommends that the DPO have direct access to senior management and a sufficient budget to carry out compliance activities. Where the DPO is not a C-level executive, there should be a clear escalation path to the executive team.
Mandatory Data Breach Notification
The 2020 amendments introduced the mandatory data breach notification framework, which took effect on 1 February 2021. Before this change, organizations had discretion over whether to report incidents to the PDPC.
What Is a Notifiable Data Breach?
A breach is notifiable if it meets either of two thresholds:
Significant harm test: The breach is likely to result in significant harm to affected individuals. Significant harm includes unauthorized access to NRIC numbers, financial account details, medical information, biometric data, personal data of a child, and other categories prescribed in the Personal Data Protection (Notification of Data Breaches) Regulations 2021.
Scale test: The breach affects the personal data of 500 or more individuals, regardless of data sensitivity.
If a breach meets either threshold, notification to the PDPC is mandatory. Notification to affected individuals is required for breaches meeting the significant harm test unless the organization has taken remedial action that eliminates the risk of harm, for example by demonstrating that stolen data was encrypted and unreadable.
Notification Timelines
PDPC notification deadline: 3 calendar days from the date the organization determines the breach is notifiable. The clock starts the day after that determination. The PDPC expects the overall timeline from discovery to determination to be no more than 30 days. Organizations cannot unreasonably delay their internal assessment to extend the notification window.
Individual notification: Must be made as soon as practicable once the organization determines notification is required.
Data intermediaries (organizations processing data on behalf of others, such as cloud providers or payroll processors) must notify the data controller organization without undue delay upon discovering or suspecting a breach involving data they process on the controller's behalf. The controller then decides whether the breach meets the notification thresholds.
Content of the PDPC Notification
The notification to the PDPC must include the facts of the breach (nature, circumstances, dates), the type and volume of personal data affected, the likely consequences, steps already taken or planned to address the breach, a list of affected individuals with contact information where available, and the DPO's contact details.
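As an added example (not a PDPC tool and not part of the original guide), the following Python helper encodes the two notifiability thresholds and the timelines described above as a triage step an incident-response team could run once a breach assessment concludes. Only the significant-harm categories the text names are encoded, under labels of our own choosing; the sample breach facts are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Categories the guide names as triggering the "significant harm" test. The full list is
# prescribed in the Notification of Data Breaches Regulations 2021; only the categories
# named in the text are encoded here, under labels of our own choosing (assumption).
SIGNIFICANT_HARM_CATEGORIES = frozenset(
    {"nric", "financial_account", "medical", "biometric", "child_data"}
)
SCALE_THRESHOLD = 500      # individuals affected, regardless of data sensitivity
PDPC_NOTIFY_DAYS = 3       # calendar days; the clock starts the day after determination
MAX_ASSESSMENT_DAYS = 30   # PDPC expectation for discovery-to-determination


@dataclass(frozen=True)
class BreachFacts:
    discovered: date            # date the incident was first detected
    determined: date            # date the assessment concluded whether the breach is notifiable
    individuals_affected: int
    data_categories: frozenset[str] = field(default_factory=frozenset)
    # True only where remediation (e.g. the exposed data was encrypted and unreadable)
    # eliminates the risk of significant harm to the affected individuals.
    harm_eliminated: bool = False


@dataclass(frozen=True)
class NotificationDuties:
    significant_harm: bool
    scale_met: bool
    notify_pdpc: bool
    pdpc_deadline: date | None
    notify_individuals: bool
    assessment_overdue: bool
    reasons: tuple[str, ...]


def assess(facts: BreachFacts) -> NotificationDuties:
    """Apply the two notifiability thresholds and derive the resulting duties and deadline."""
    reasons: list[str] = []

    harm_categories = facts.data_categories & SIGNIFICANT_HARM_CATEGORIES
    significant_harm = bool(harm_categories)
    if significant_harm:
        reasons.append("significant harm test met: " + ", ".join(sorted(harm_categories)))

    scale_met = facts.individuals_affected >= SCALE_THRESHOLD
    if scale_met:
        reasons.append(f"scale test met: {facts.individuals_affected} >= {SCALE_THRESHOLD} individuals")

    # Either threshold makes PDPC notification mandatory.
    notify_pdpc = significant_harm or scale_met
    # Day 1 is the day after determination, so day 3 falls on determination + 3 days.
    pdpc_deadline = facts.determined + timedelta(days=PDPC_NOTIFY_DAYS) if notify_pdpc else None

    # Individuals are notified on the significant harm test only, unless harm was eliminated.
    notify_individuals = significant_harm and not facts.harm_eliminated
    if significant_harm and facts.harm_eliminated:
        reasons.append("individual notification waived: remediation eliminated the risk of harm")

    assessment_overdue = (facts.determined - facts.discovered).days > MAX_ASSESSMENT_DAYS
    if assessment_overdue:
        reasons.append(f"assessment exceeded the {MAX_ASSESSMENT_DAYS} days the PDPC expects")

    return NotificationDuties(
        significant_harm=significant_harm,
        scale_met=scale_met,
        notify_pdpc=notify_pdpc,
        pdpc_deadline=pdpc_deadline,
        notify_individuals=notify_individuals,
        assessment_overdue=assessment_overdue,
        reasons=tuple(reasons),
    )


if __name__ == "__main__":
    # Constructed sample: a misconfigured export exposed 120 customer records including NRIC numbers.
    sample = BreachFacts(
        discovered=date(2026, 3, 1),
        determined=date(2026, 3, 5),
        individuals_affected=120,
        data_categories=frozenset({"nric", "email"}),
    )
    duties = assess(sample)
    print(f"notify PDPC: {duties.notify_pdpc} by {duties.pdpc_deadline}")
    print(f"notify individuals: {duties.notify_individuals}")
    for reason in duties.reasons:
        print(" -", reason)
```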
Do Not Call (DNC) Registry
The DNC registry is a separate pillar of Singapore's personal data framework, established under Parts VIII through X of the PDPA. It gives individuals the right to opt out of unsolicited telemarketing messages sent to their Singapore telephone numbers.
How the DNC Registry Works
Individuals register their Singapore telephone numbers at the PDPC's DNC Registry portal. Registration is free and takes effect within 30 days. Once a number is registered, organizations are prohibited from sending specified marketing messages to that number without the individual's clear and unambiguous prior consent.
"Specified messages" cover voice calls, SMS, MMS, and fax messages sent to advertise or promote goods, services, land, or investment opportunities. The DNC provisions also apply to messaging apps such as WhatsApp and Telegram that use phone numbers as identifiers, as the phone number remains the relevant identifier.
DNC Exemptions
Organizations do not need to check the DNC Registry if they have obtained clear and unambiguous prior consent from the recipient. Additional categories exempt from DNC rules include pure market research or survey messages that do not promote goods or services; messages from charitable or religious organizations; personal messages sent by individuals; public agency messages; and political messages.
DNC Business Obligations
Businesses that wish to send marketing messages to Singapore numbers must register with the DNC Registry at a one-time fee of SGD 30 (SGD 60 for overseas companies), and must check numbers against the registry before sending. Businesses may check up to 10 numbers manually at a time, or submit CSV files for bulk checking with results returned within 24 hours. Records of registry checks must be retained.
The maximum financial penalty for DNC violations is SGD 1 million, or 10% of annual turnover in Singapore for organizations with turnover exceeding SGD 10 million, whichever is higher.
Cross-Border Data Transfers
Singapore's approach to cross-border data transfers is pragmatic. Section 26 of the PDPA restricts transfers of personal data outside Singapore unless the receiving party provides a comparable standard of protection. No prior PDPC approval is required.
What "Comparable Protection" Means
The PDPC does not publish a formal adequacy whitelist of approved countries. Instead, organizations must assess whether the recipient's protections are comparable. The PDPC considers whether the recipient's jurisdiction has data protection legislation, regulatory oversight, and enforcement mechanisms. The standard requires meaningfully equivalent safeguards, not a mirror image of the PDPA.
Available Transfer Mechanisms
Organizations have several pathways for lawful cross-border transfers under the Personal Data Protection Regulations 2021.
Contractual agreements are the most common approach. The organization enters a binding agreement with the overseas recipient requiring them to protect the data to a comparable standard. The agreement must be enforceable and give the transferring organization remediation rights in the event of a breach.
APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certification -- Singapore participates in the APEC CBPR system. Recipients certified under CBPR or PRP are deemed to provide comparable protection and can receive data without a separate contractual agreement.
ASEAN Model Contractual Clauses (MCCs) -- Standardized clauses for intra-ASEAN transfers. In January 2024, the PDPC published an updated Joint Guide comparing ASEAN MCCs with EU Standard Contractual Clauses to help multinationals manage dual compliance.
Binding corporate rules -- Multinational organizations can establish group-wide data protection policies covering all group entities. While the PDPA has no formal BCR approval process like the GDPR, implementing BCRs is recognized as a valid transfer mechanism.
Informed consent -- Organizations can transfer data overseas with the individual's specific consent, provided the individual has been clearly told that the receiving country's protection standards may differ from Singapore's.
Data Portability: Legislated But Not Yet in Force
The 2020 amendments introduced a data portability obligation under Part VIB of the PDPA. When commenced, this will give individuals the right to request that an organization transmit their personal data in a commonly used, machine-readable format to another organization.
As of May 2026, the data portability obligation has not been brought into operation. The PDPC is still finalizing the implementing regulations. Organizations should monitor PDPC announcements but are not currently required to operationalize portability requests.

Financial Penalties and Enforcement
The Penalty Framework
The PDPA's financial penalty regime was substantially strengthened by the 2020 amendments, with the enhanced structure taking effect on 1 October 2022.
For organizations with annual turnover in Singapore exceeding SGD 10 million, the maximum financial penalty is the higher of 10% of annual turnover in Singapore, or SGD 1 million. For organizations with annual turnover in Singapore of SGD 10 million or below, the maximum is SGD 1 million. Before October 2022, the maximum was SGD 1 million regardless of organizational size.
The PDPC weighs multiple factors in determining penalty amounts: the severity and duration of the breach, the number of individuals affected, whether the organization cooperated with the investigation, whether proactive remediation steps were taken, any previous contraventions, and the organization's size and resources.
Beyond financial penalties, the PDPC can issue directions requiring organizations to stop collecting, using, or disclosing personal data; destroy data; implement specified security measures; pay compensation to affected individuals; or take any other steps necessary to achieve compliance.
Criminal Penalties for Individuals
The 2020 amendments introduced individual criminal liability for egregious misuse. Individuals who knowingly or recklessly obtain, use, or disclose personal data without authorization, for wrongful gain or to cause harm to the affected individual, face a fine of up to SGD 5,000 or imprisonment of up to 2 years, or both.
Notable Enforcement Actions
SingHealth and IHiS (January 2019) -- The landmark enforcement action arose from a cyberattack that exposed the personal data of 1.5 million patients, including 160,000 outpatient prescription records. The PDPC imposed a SGD 750,000 fine on Integrated Health Information Systems and a SGD 250,000 fine on SingHealth. The combined SGD 1 million penalty was the maximum available at the time. The PDPC found inadequate security measures and poor incident response preparedness.
Marina Bay Sands (October 2025) -- The PDPC imposed a SGD 315,000 fine after a 2023 breach exposed the personal data of 665,495 patrons. The breach occurred during a system migration where a single employee compiled API configurations manually with no second-layer verification. The omission went undetected for six months, and the stolen data appeared for sale on the dark web. The PDPC found that a manual process with a single point of failure and no verification step violated the Protection Obligation.
Air Sino-Euro Associates Travel (October 2025) -- The PDPC ordered a SGD 47,000 penalty for a breach that exfiltrated personal data belonging to 336,759 individuals. The Commission found failures to conduct regular security reviews, update an outdated operating system, and implement multi-factor authentication for administrative accounts. The organization was also directed to appoint a DPO, confirming that the absence of a DPO is treated as an aggravating factor in enforcement.
May 2024 Enforcement Round -- In a single round, the PDPC imposed a total of SGD 102,000 in fines across three organizations, all for Protection Obligation breaches. The cases consistently identified inadequate IT security and absent vendor management frameworks as recurring systemic failures.
People Central Pte Ltd (January 2026) -- Fined SGD 17,500 after a breach resulted in the deletion of databases and exfiltration of personal data belonging to 95,000 individuals.
Singapore Data Hub Pte Ltd (January 2026) -- Fined SGD 17,500 for a breach resulting in the exfiltration of personal data belonging to 689,000 individuals.
2026 Development: NRIC Authentication Ban
On 2 February 2026, the PDPC announced that private organizations must stop using NRIC numbers for authentication by 31 December 2026. The announcement followed a June 2025 joint advisory issued by the PDPC and the Cyber Security Agency of Singapore (CSA) clarifying that NRIC numbers must not be used as identity verification credentials.
The prohibition covers the use of full or partial NRIC numbers as passwords, login credentials, default authentication tokens, or verification factors, including in combination with other easily guessable personal data such as date of birth. Relying on NRIC numbers for authentication is treated as a failure to implement reasonable security arrangements under the Protection Obligation, because NRIC numbers are widely known and can be exploited by unauthorized parties to access personal data.
Organizations are expected to transition to stronger authentication methods, including multi-factor authentication, strong password policies, hardware or software tokens, and biometric verification. Sector-specific guidance has been issued by the Monetary Authority of Singapore (MAS) for financial services, the Ministry of Health (MOH) for healthcare, and the Infocomm Media Development Authority (IMDA) for telecommunications.
Beginning 1 January 2027, the PDPC will take active enforcement action, including issuing directions and financial penalties, against organizations that continue to rely on NRIC authentication.
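The following Python check, added here as an illustration and not part of the PDPC advisory or this guide, shows the kind of control a password-reset or account-provisioning flow could apply to enforce the ban: it rejects secrets that are NRIC-shaped, that contain the account holder's full or partial NRIC, or that contain the holder's date of birth. The NRIC shape (prefix letter, seven digits, check letter) is the known format; the choice of partial fragments, the date encodings and all sample values are assumptions.

```python
from __future__ import annotations

import re
from datetime import date

# NRIC/FIN shape: one prefix letter, seven digits, one check letter, matched case-insensitively
# and not embedded in a longer alphanumeric run. Matching on shape alone is deliberately
# conservative: any NRIC-shaped secret is rejected, whoever it belongs to.
NRIC_PATTERN = re.compile(r"(?<![A-Za-z0-9])[STFGM]\d{7}[A-Z](?![A-Za-z0-9])", re.IGNORECASE)


def partial_nric_fragments(nric: str) -> set[str]:
    """Partial forms of an NRIC that commonly leak into secrets (assumption: this fragment set)."""
    n = nric.upper()
    digits = n[1:-1]
    return {
        digits,        # the seven digits without prefix and check letter
        n[1:],         # digits plus check letter
        digits[-4:],   # last four digits
        n[-4:],        # last three digits plus check letter, the usual 'masked' display
    }


def dob_fragments(dob: date) -> set[str]:
    """Date-of-birth encodings that make NRIC-plus-DOB secrets guessable (assumption: these four)."""
    return {dob.strftime(f) for f in ("%d%m%Y", "%Y%m%d", "%d%m%y", "%y%m%d")}


def check_secret(secret: str, holder_nric: str, holder_dob: date | None = None) -> list[str]:
    """Return the reasons a proposed password, PIN or security answer is disallowed (empty = OK)."""
    findings: list[str] = []
    s = secret.upper()
    n = holder_nric.upper()

    if NRIC_PATTERN.search(secret):
        findings.append("contains an NRIC/FIN-shaped identifier")
    if n in s:
        findings.append("contains the account holder's full NRIC")
    elif any(frag in s for frag in partial_nric_fragments(n)):
        findings.append("contains a partial form of the account holder's NRIC")
    if holder_dob is not None and any(frag in s for frag in dob_fragments(holder_dob)):
        findings.append("contains the account holder's date of birth")
    return findings


def audit_provisioned_secrets(accounts: list[dict]) -> dict[str, list[str]]:
    """Flag accounts whose initial (default) secret would fail the check; keys are usernames."""
    return {
        a["username"]: reasons
        for a in accounts
        if (reasons := check_secret(a["initial_secret"], a["nric"], a.get("dob")))
    }


if __name__ == "__main__":
    # Constructed sample accounts with constructed NRIC values; the S-series value is the
    # commonly cited format example, not a real person's identifier.
    accounts = [
        {"username": "alice", "nric": "S1234567D", "dob": date(1990, 8, 15), "initial_secret": "s1234567d"},
        {"username": "bob", "nric": "T0000001A", "dob": date(2001, 1, 2), "initial_secret": "Pw-001A-02012001"},
        {"username": "carol", "nric": "F7654321X", "dob": None, "initial_secret": "correct horse battery staple"},
    ]
    for user, reasons in audit_provisioned_secrets(accounts).items():
        print(user, "->", "; ".join(reasons))
```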
AI Governance and Data Protection
Singapore has taken a regional leadership role in AI governance, favoring a guidance-based rather than a legislative approach.
PDPC Advisory Guidelines on AI (March 2024)
On 1 March 2024, the PDPC issued Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems. These guidelines clarify how the PDPA's existing obligations apply when personal data is used to train or develop AI systems.
Key points from the guidelines:
- The consent and notification obligations apply in full. Organizations must obtain consent or rely on a recognized exception before using personal data to train AI models or populate recommendation engines.
- The business improvement exception may apply where AI development is aimed at improving operational efficiency or personalizing services, provided the processing would not adversely affect individuals.
- Organizations should use anonymized data in AI systems wherever possible, since anonymized data falls outside the PDPA.
- Accountability obligations require internal fairness safeguards proportionate to the impact of the AI system's decisions on individuals.
- Organizations must maintain transparency about how AI systems use personal data and be able to explain the data types and attributes influencing outputs.
The March 2024 guidelines do not address generative AI training specifically. The PDPC has indicated it will issue separate guidance on the use of personal data in generative AI systems.
Broader AI Governance Frameworks
Singapore's broader AI governance landscape includes several voluntary frameworks developed primarily by IMDA:
- Model AI Governance Framework (2019, updated 2020) -- Voluntary guidance on responsible AI deployment across all sectors
- AI Verify (2022) -- An open-source AI testing toolkit allowing organizations to evaluate AI systems against ethics principles
- Model AI Governance Framework for Generative AI (2024) -- Addresses risks specific to large language models, including hallucinations, bias, and intellectual property concerns
- Model AI Governance Framework for Agentic AI (January 2026) -- The most recent addition, addressing governance challenges of autonomous AI agents that take actions on behalf of users
The PDPA's existing data protection obligations are the binding legal framework for personal data in AI systems. The governance frameworks provide practical implementation guidance for organizations building or deploying AI.
Children's Personal Data
In March 2024, the PDPC issued Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment. For these guidelines, a "child" is defined as any individual 18 years of age or younger.
The guidelines apply to organizations whose products or services are "likely to be accessed by children," covering both services designed for children and services that children access in practice.
Consent age thresholds: Children aged 13 to 17 can give valid consent under the PDPA, provided privacy policies are written in language understandable to that age group. Children under 13 require parental or guardian consent. If an organization has reason to believe that a 13 to 17 year old lacks sufficient understanding of the nature and consequences of providing consent, parental consent is also required.
Heightened protection standard: Children's personal data is treated as sensitive personal data requiring a higher standard of care. Organizations must apply technical and organizational measures proportionate to this sensitivity.
Privacy by design: The guidelines encourage organizations to apply strong privacy settings by default for child-facing services.
How Singapore's PDPA Compares to Other Frameworks
Singapore's PDPA shares structural similarities with the EU's GDPR but differs in important ways:
| Feature | Singapore PDPA | EU GDPR |
|---|---|---|
| Consent approach | Consent-based with expanded exceptions | Multiple lawful bases beyond consent |
| Breach notification deadline | 3 calendar days after determining the breach is notifiable | 72 hours after becoming aware |
| Maximum penalty | 10% of local turnover or SGD 1M | 4% of global turnover or EUR 20M |
| Data portability | Legislated, not yet in force | Fully operational |
| Public sector coverage | Excluded from PDPA | Covered by GDPR |
| DPO requirement | Mandatory for all organizations | Mandatory only in certain cases |
| Extraterritorial reach | Limited (presence-based) | Extensive (residency-based) |
| AI-specific law | None (guidance frameworks only) | EU AI Act applies |
Singapore's framework is generally considered more business-friendly than the GDPR: broader consent exceptions, no mandatory data protection impact assessments, and no formal transfer approval processes. However, the enhanced penalties and stepped-up enforcement since 2022 signal a clear trend toward stricter compliance expectations.
For businesses operating in Singapore that also serve EU individuals, the PDPA and GDPR operate independently. Compliance with the GDPR does not automatically mean PDPA compliance.
Business Compliance Checklist
Governance and accountability
- Designate at least one DPO and register their business contact information via the PDPC portal
- Make the DPO's contact details publicly accessible on your website
- Draft and publish a privacy policy that addresses all 9 data protection obligations
- Establish internal oversight for ongoing PDPA compliance
Consent and purpose
- Review all data collection flows for valid consent mechanisms or applicable exceptions
- Document the consent basis for each category of personal data collected
- Ensure privacy notices are specific about collection purposes
Data security
- Conduct annual security reviews of systems holding personal data
- Implement multi-factor authentication for accounts with privileged access to personal data
- Ensure all third-party vendors processing personal data have signed data processing agreements
- Stop using NRIC numbers as authentication factors by 31 December 2026
Breach response
- Develop and test a documented incident response plan
- Train staff to recognize and escalate potential data breaches immediately
- Establish an internal assessment process that completes within 30 days of breach discovery
- Build templates for PDPC notification submissions and for notifying affected individuals
Marketing and DNC compliance
- Register with the DNC Registry if sending marketing messages to Singapore telephone numbers
- Check the DNC Registry before each marketing campaign
- Maintain records of DNC checks and any consent obtained directly from contacts
Cross-border transfers
- Map all outbound data flows outside Singapore
- Confirm each transfer is covered by a valid mechanism
- Review cross-border transfer agreements annually as data flows evolve
Internal Links
Singapore's recording consent rules for individuals and organizations are covered separately at Singapore Recording Laws.
Frequently Asked Questions
Does the PDPA apply to foreign companies operating in Singapore?
Yes. The PDPA applies to all organizations that collect, use, or disclose personal data in Singapore, regardless of where the organization is incorporated. If a foreign company processes personal data of individuals in Singapore through operations or activities in Singapore, it must comply with the PDPA. The PDPA's extraterritorial reach is more limited than the GDPR. It generally applies to organizations with a physical or operational presence in Singapore rather than to any organization worldwide that processes Singaporean residents' data.
What is the deadline for reporting a data breach to the PDPC?
Organizations must notify the PDPC within 3 calendar days of determining that a data breach is notifiable. The clock starts the day after that determination. A breach is notifiable if it is likely to result in significant harm to any affected individual, or if it affects 500 or more individuals. The PDPC expects the overall timeline from breach discovery to assessment completion to be no more than 30 days. Organizations cannot unreasonably delay their internal assessment to extend the notification window.
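The notifiability test and the two deadlines described above can be encoded as a small helper, so that an incident responder can see at a glance whether a breach must be reported and by which date. This is an added example written for this guide, not code from the PDPC or any project; the sample breach record is constructed, and the 30-day figure is treated here as a hard assessment deadline even though the text frames it as the PDPC's expectation rather than a statutory limit.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict

# Thresholds taken from the guide text above.
SIGNIFICANT_SCALE_THRESHOLD = 500   # affected individuals that make a breach notifiable on scale alone
ASSESSMENT_WINDOW_DAYS = 30         # discovery -> assessment complete (PDPC expectation)
NOTIFICATION_WINDOW_DAYS = 3        # calendar days; the clock starts the day after the determination


@dataclass
class BreachAssessment:
    """Minimal record of a breach assessment (field names are this example's own)."""
    discovered_on: date          # day the organisation became aware of the breach
    determined_on: date          # day it concluded the breach is (or is not) notifiable
    affected_individuals: int
    likely_significant_harm: bool


def is_notifiable(a: BreachAssessment) -> bool:
    """A breach is notifiable if significant harm is likely OR 500+ individuals are affected."""
    return a.likely_significant_harm or a.affected_individuals >= SIGNIFICANT_SCALE_THRESHOLD


def assessment_deadline(a: BreachAssessment) -> date:
    """Date by which the internal assessment is expected to be complete."""
    return a.discovered_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)


def pdpc_notification_deadline(a: BreachAssessment) -> date:
    """Day 1 is the day after the determination, so day 3 is determination + 3 calendar days."""
    return a.determined_on + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def timeline(a: BreachAssessment) -> Dict[str, object]:
    """Summarise the obligations that follow from one assessment record."""
    notifiable = is_notifiable(a)
    assess_by = assessment_deadline(a)
    result: Dict[str, object] = {
        "notifiable": notifiable,
        "assessment_deadline": assess_by.isoformat(),
        # An assessment finished after the 30-day window is a red flag for "unreasonable delay".
        "assessment_overdue": a.determined_on > assess_by,
        "notify_pdpc_by": pdpc_notification_deadline(a).isoformat() if notifiable else None,
        # Affected individuals must also be told when significant harm is likely.
        "notify_individuals": a.likely_significant_harm,
    }
    return result


# Constructed sample: a breach found on 2 March 2026, assessed by 10 March, 1,200 records exposed.
SAMPLE = BreachAssessment(
    discovered_on=date(2026, 3, 2),
    determined_on=date(2026, 3, 10),
    affected_individuals=1200,
    likely_significant_harm=False,
)

if __name__ == "__main__":
    for key, value in timeline(SAMPLE).items():
        print(f"{key}: {value}")
```

For the constructed sample the breach is notifiable on scale alone (1,200 is above the 500 threshold), the assessment was due by 1 April 2026, and the PDPC notification must be made by 13 March 2026.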
Do I need to appoint a Data Protection Officer under the PDPA?
Yes. Every organization covered by the PDPA must designate at least one individual as its Data Protection Officer (DPO). The DPO's role is to ensure the organization complies with the PDPA, and their business contact information must be publicly available. From 1 December 2024, DPO contact information is registered through the PDPC's online form, not through ACRA BizFile+. Unlike the GDPR, which only requires a DPO in certain circumstances, Singapore's requirement applies to all organizations regardless of size.
Can I transfer personal data from Singapore to another country?
Yes, but only if the overseas recipient provides a standard of data protection comparable to the PDPA. This can be achieved through contractual agreements with the overseas recipient, binding corporate rules within a corporate group, APEC CBPR or PRP certification, ASEAN Model Contractual Clauses, or the individual's informed consent. No prior PDPC approval is required. The most common method is a contractual agreement requiring the overseas recipient to protect the data to a comparable standard.
What are the penalties for breaching Singapore's PDPA?
For organizations with annual turnover in Singapore exceeding SGD 10 million, the PDPC can impose fines of up to 10% of annual Singapore turnover. For smaller organizations, the maximum is SGD 1 million. These enhanced penalties have been in force since 1 October 2022. The PDPC can also issue directions to stop processing data, destroy data, or compensate affected individuals. Individuals who knowingly misuse personal data for wrongful gain or to cause harm face criminal penalties of up to SGD 5,000 and 2 years imprisonment.
Is data portability available under Singapore's PDPA?
The data portability obligation was legislated in the Personal Data Protection (Amendment) Act 2020 and added as Part VIB of the PDPA. However, as of May 2026, it has not been brought into operation. The PDPC is still finalizing the implementing regulations. Organizations are not currently required to process data portability requests, but should monitor PDPC announcements for the commencement date.
What is the NRIC authentication ban and when does it take effect?
In February 2026, the PDPC announced that private organizations must stop using NRIC numbers as authentication factors by 31 December 2026. This covers using full or partial NRIC numbers as passwords, login credentials, default authentication tokens, or verification factors. Enforcement action begins 1 January 2027. Using NRIC numbers for authentication is treated as a Protection Obligation failure because NRIC numbers are widely known and can be exploited to access personal data.
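One practical control for the ban above is a credential-policy check that refuses any password, PIN or verification value that is shaped like a full or partial NRIC number, or that is derived from the NRIC the organisation already holds for that user. This is an added example for this guide, not PDPC code; it assumes the public NRIC format (a prefix letter S, T, F, G or M, seven digits and a check letter) and treats "the last three or four digits plus the check letter" as the partial form. It is a format check only and does not validate the check letter. The sample NRIC is constructed.

```python
import re
from typing import Optional, Tuple

# Full NRIC/FIN: prefix letter, seven digits, check letter (format assumed from public usage).
NRIC_FULL = re.compile(r"^[STFGM]\d{7}[A-Z]$", re.IGNORECASE)
# Common partial form: last 3-4 digits plus the check letter, e.g. "567D".
NRIC_PARTIAL = re.compile(r"^\d{3,4}[A-Z]$", re.IGNORECASE)


def looks_like_nric(value: str) -> bool:
    """True if the value, on its own, is a full or partial NRIC-shaped string."""
    v = value.strip()
    return bool(NRIC_FULL.match(v) or NRIC_PARTIAL.match(v))


def derived_from_nric(value: str, nric_on_file: str) -> bool:
    """True if the candidate embeds the user's NRIC or its trailing 4 characters."""
    v = value.strip().upper()
    n = nric_on_file.strip().upper()
    if not n:
        return False
    return n in v or n[-4:] in v


def check_authentication_value(candidate: str,
                               nric_on_file: Optional[str] = None) -> Tuple[bool, str]:
    """
    Return (accepted, reason). Rejects values that would make an NRIC number, in full
    or in part, act as an authentication factor; other password-policy rules are out
    of scope here and would sit alongside this check.
    """
    if looks_like_nric(candidate):
        return False, "value is a full or partial NRIC number"
    if nric_on_file is not None and derived_from_nric(candidate, nric_on_file):
        return False, "value is derived from the NRIC held on file"
    return True, "ok"


# Constructed sample NRIC used only to exercise the check.
SAMPLE_NRIC = "S1234567D"

if __name__ == "__main__":
    for value in ["S1234567D", "567D", "pw-4567D-x", "correct-horse-battery", "4567D!"]:
        accepted, reason = check_authentication_value(value, SAMPLE_NRIC)
        print(f"{value!r}: {'accept' if accepted else 'reject'} ({reason})")
```

The check is meant to run at the point where a credential is set or a default is generated (onboarding, password reset, support-desk verification scripts), which is where NRIC-based defaults usually enter a system; it is also a quick way to scan an existing credential store during the migration ahead of the 31 December 2026 deadline, since the derived-from-NRIC test only needs the stored NRIC, not the plaintext of other factors.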
What does the PDPA say about marketing messages and the DNC registry?
The Do Not Call provisions of the PDPA prohibit organizations from sending specified marketing messages (voice calls, SMS, MMS, fax, and messages via phone-number-based apps like WhatsApp) to Singapore telephone numbers registered on the DNC registry, unless the recipient has given clear prior consent. Businesses must register with the DNC registry for a one-time fee of SGD 30 and must check numbers before sending. The maximum penalty for DNC violations is SGD 1 million or 10% of annual Singapore turnover for larger organizations, whichever is higher.
Sources and References
- Personal Data Protection Act 2012 (full statute) (sso.agc.gov.sg)
- Personal Data Protection (Amendment) Act 2020 (sso.agc.gov.sg)
- PDPC Data Protection Obligations overview (pdpc.gov.sg)
- PDPC Enforcement of the Act (pdpc.gov.sg)
- PDPC Guide on Managing and Notifying Data Breaches (pdpc.gov.sg)
- Personal Data Protection (Notification of Data Breaches) Regulations 2021 (sso.agc.gov.sg)
- PDPC Advisory Guidelines on Key Concepts in the PDPA (pdpc.gov.sg)
- PDPC Advisory Guidelines on the PDPA for Children's Personal Data in the Digital Environment (March 2024) (pdpc.gov.sg)
- Do Not Call Registry and Your Business (pdpc.gov.sg)
- PDPC Advisory Guidelines on the Do Not Call Provisions (pdpc.gov.sg)
- PDPC imposes financial penalty on Marina Bay Sands (October 2025) (pdpc.gov.sg)
- PDPC decision on Air Sino-Euro Associates Travel Pte Ltd (pdpc.gov.sg)
- PDPC imposes financial penalty on both IHiS and SingHealth (January 2019) (pdpc.gov.sg)
- Organisations to cease the use of NRIC numbers for authentication by 31 December 2026 (pdpc.gov.sg)
- PDPC Model AI Governance Framework (pdpc.gov.sg)
- IMDA Model AI Governance Framework for Agentic AI (January 2026) (imda.gov.sg)
- Data Protection Laws and Regulations Report 2025-2026, Singapore (ICLG) (iclg.com)
- Increased maximum financial penalties under PDPA from 1 October 2022 (Allen and Gledhill) (allenandgledhill.com)