What to Do If Your Singapore Business Has a Data Breach (Step-by-Step)
How to respond to a data breach in Singapore: contain it, assess notifiability, and report to the PDPC within 3 calendar days. A step-by-step PDPA breach response guide for SMEs.

A customer email lands in the wrong inbox. Your staff laptop is stolen at a hawker centre. A vendor accidentally exposes your customer database. For Singapore SME owners, the first response is usually panic — followed by the practical question: what exactly am I supposed to do now?
I have walked half a dozen clients through this exact moment, and the businesses that come out best are always the ones who had a plan before the crisis hit. The ones who scramble — calling lawyers, Googling "PDPC breach notification," trying to figure out who is in charge — those are the ones who miss deadlines and face harsher enforcement outcomes.
TL;DR: A plain-English guide for Singapore SMEs on PDPA breach response: what to report, when to notify PDPC, and how to avoid penalties up to S$1 million.
The PDPA gives you specific obligations and tight timelines. This guide walks through every step from the first hour to closing out the incident.
How to report a data breach to the PDPC (quick answer)
If your Singapore business suffers a data breach, the PDPA requires you to:
- Contain the breach and preserve evidence immediately.
- Assess whether it is notifiable — you have up to 30 calendar days from discovery to complete this assessment.
- Notify the PDPC within 3 calendar days of determining the breach is notifiable, via the Personal Data Breach Portal.
- Notify affected individuals as soon as practicable if significant harm is likely.
A breach is notifiable if it is likely to cause significant harm to individuals, or if it affects 500 or more individuals. The rest of this guide walks through each step in detail.
Your Legal Obligations
The PDPA's Mandatory Data Breach Notification (MDBN) — in force since 1 February 2021 — applies to every organisation handling personal data in Singapore, including SMEs and sole proprietors.
The key numbers:
- 30 calendar days from discovery to complete your assessment of whether the breach is notifiable
- 3 calendar days to notify the PDPC after you determine it is notifiable
- Notify affected individuals as soon as reasonably practicable if significant harm is likely
- How you respond matters as much as the breach itself
Step 1: Contain the Breach (Hours 0-4)
Stop the bleeding before worrying about paperwork.
- Revoke compromised account credentials
- Isolate affected systems — disconnect but do not power off (you need logs)
- Suspend any third-party integrations that may have been the entry point
- Alert your IT provider immediately
- Preserve all evidence — logs, access records, system snapshots
Do not delete files, wipe systems, or "clean up" before documenting the state. Destroying evidence — even accidentally — complicates your PDPC response and can worsen enforcement outcomes.
If a data intermediary (a vendor processing data on your behalf) is involved, notify them immediately. You remain responsible for meeting notification deadlines.
Step 2: Assemble Your Team (Hours 4-12)
For most SMEs, this is 2-4 people:
- A decision-maker authorised to make notification calls
- Your DPO — activate them immediately, even if the role is part-time or outsourced
- Your IT contact (internal or external) for the technical investigation
- Legal counsel if sensitive data categories or potential litigation are involved
The PDPC expects your DPO to be meaningfully involved — not just a name on a form filed years ago.
Step 3: Investigate and Scope (Days 1-5)
Your 30-day assessment window is running. Use it wisely — rushing to a premature conclusion leads to under-reporting, but dragging your feet without documented progress looks like concealment.
Answer these questions:
- What data was affected? (Names, NRIC, financial data, health records, credentials)
- How many individuals?
- Was data actually accessed or exfiltrated, or merely exposed?
- What was the root cause? (Phishing, misconfiguration, insider, vendor failure)
- Is the exposure still ongoing?
Document every finding with timestamps. The PDPC expects you to keep records of all breaches, notifiable or not.
Step 4: Assess Notifiability (Days 5-30)
A breach is notifiable if it:
- Results in or is likely to result in significant harm to affected individuals, OR
- Affects 500 or more individuals
Data types that presume significant harm:
- Government IDs (NRIC, FIN, passport)
- Financial data (bank accounts, credit cards, CVV)
- Health and medical records
- Biometric data
- Authentication credentials
- Sensitive location or communication data
Factors that may reduce harm assessment (document these):
- Data was encrypted with strong, uncompromised keys
- Data was pseudonymised or anonymised
- Confirmed recipient agreed to destroy the data
- Breach was internal and contained before external access
Step 5: Notify the PDPC (Within 3 Days of Assessment)
Submit via the PDPC's Personal Data Breach Portal at go.gov.sg/pbp.
You will need: Organisation name, UEN, DPO contact, breach discovery date and time, data categories affected, estimated number of individuals, breach nature, containment steps taken, harm assessment, and your plan for notifying individuals.
You can submit an initial notification and follow up with details later. The PDPC understands investigations take time. What matters is notifying within the window.
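The notifiability criteria in Step 4 and the deadlines in Step 5 combine into a small triage routine. The following is an added example, not code from the original guide or from ComplyHQ; the category and mitigation labels are constructed, and it assumes a documented mitigating factor rebuts the presumption of harm for triage purposes only, leaving the final determination to the DPO and decision-maker.

```python
from datetime import date, timedelta
from typing import Iterable, Optional

# Data categories the guide says presume significant harm (labels are constructed).
PRESUMED_HARM = {"government_id", "financial", "health", "biometric",
                 "credentials", "location_or_comms"}
# Factors the guide says may reduce the harm assessment (labels are constructed).
MITIGATIONS = {"encrypted_uncompromised", "pseudonymised",
               "recipient_destroyed", "contained_internally"}

ASSESSMENT_WINDOW = timedelta(days=30)   # from discovery to complete assessment
PDPC_WINDOW = timedelta(days=3)          # from determining notifiability to notify PDPC
VOLUME_THRESHOLD = 500                   # affected individuals that trigger notification


def triage(discovered: str, categories: Iterable[str], individuals: int,
           mitigations: Iterable[str] = (), determined: Optional[str] = None) -> dict:
    """Apply the PDPA notifiability rules and compute the deadlines.

    Dates are ISO strings (YYYY-MM-DD) so the result is easy to log or assert on.
    """
    found = date.fromisoformat(discovered)
    cats, mits = set(categories), set(mitigations)

    harm_presumed = bool(cats & PRESUMED_HARM)
    # Assumption: a documented mitigating factor rebuts the presumption for triage;
    # the PDPC expects the reasoning to be recorded either way.
    harm_likely = harm_presumed and not (mits & MITIGATIONS)
    volume_trigger = individuals >= VOLUME_THRESHOLD
    notifiable = harm_likely or volume_trigger

    result = {
        "harm_likely": harm_likely,
        "volume_trigger": volume_trigger,
        "notifiable": notifiable,
        # Individuals are notified only where significant harm is likely.
        "notify_individuals": harm_likely,
        "assessment_deadline": (found + ASSESSMENT_WINDOW).isoformat(),
        "pdpc_deadline": None,
    }
    if notifiable and determined is not None:
        # The 3-day clock starts when you determine the breach is notifiable.
        result["pdpc_deadline"] = (date.fromisoformat(determined) + PDPC_WINDOW).isoformat()
    return result
```

Every branch records which trigger fired, so the same output can be pasted into the incident file as the documented basis for the decision.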
Step 6: Notify Affected Individuals (If Significant Harm Is Likely)
Your notification must be in plain language — not legalese. Explain what happened, what data was involved, what you are doing about it, and provide a contact point for questions.
Do not downplay the breach. The PDPC has found in multiple enforcement decisions that misleading or incomplete notifications make the original violation worse. Be honest, specific, and helpful.
Step 7: Remediate and Prevent Recurrence
Technical: Patch the vulnerability, rotate all credentials, review access controls, enable MFA, audit vendor integrations.
Process: Update data handling procedures, retrain staff on phishing, review vendor contracts for data protection clauses.
Governance: Update your Data Protection Policy, verify your data inventory, schedule a DPO audit.
Document everything. Your remediation record demonstrates good faith and directly influences enforcement outcomes.
Step 8: Close Out and Maintain Records
Your incident file should include: full timeline, root cause analysis, evidence of system security, copies of PDPC notifications, copies of individual notifications, and post-incident review findings. Retain for at least three years.
Penalties
For organisations with turnover exceeding S$10 million: up to 10% of annual Singapore turnover. For smaller organisations: up to S$1 million per breach.
The PDPC weighs self-reporting, data sensitivity, concealment, speed of response, remediation quality, and compliance history. Organisations that respond promptly and transparently consistently receive better outcomes than those that delay or obfuscate.
Build Your Plan Before You Need It
The SMEs that struggle with breach response are the ones that never mapped what data they hold, who can access it, or who is responsible for protecting it. The PDPC's stance is clear: proactive compliance demonstrates accountability, and accountability is a legal obligation under the PDPA.
Platforms like ComplyHQ help Singapore SMEs build Data Protection Policies, breach response procedures, and DPO documentation before regulators come knocking — not after. AI-powered compliance that handles your PDPA obligations in minutes, not weeks.
Quick Reference: PDPA Breach Response Timeline
| Timeframe | Action Required |
|---|---|
| Immediately | Contain the breach; preserve evidence |
| Within 24 hours | Activate your DPO and incident team |
| Days 1-30 | Investigate and assess notifiability |
| Within 3 days of notifiable assessment | Notify PDPC via Breach Portal |
| As soon as practicable after PDPC notification | Notify affected individuals (if significant harm) |
| Within 30 days of PDPC notification | Submit full incident report if initially incomplete |
| Ongoing | Remediate, document, retrain, review |
Final Thoughts
A data breach is stressful, but it is manageable — especially with a plan. The PDPC consistently rewards organisations that respond promptly, transparently, and with genuine remediation. The harshest outcomes go to those who delay, conceal, or fail to act.
If you are not sure whether your current practices would hold up to scrutiny, now is the time to review them. Waiting for a breach to discover your gaps is always the more expensive option.
ComplyHQ helps Singapore SMEs build and maintain PDPA-compliant data protection programs — from policies to breach response plans — without needing a dedicated legal team. Learn more at complyhq.app.