PDPA Compliance | 11 min read | 30 April 2026

Data Retention Policy Singapore: PDPA Compliance Guide for SMEs (2026)

How to create a PDPA-compliant data retention policy for your Singapore business. Retention periods, disposal requirements, and a step-by-step template for SMEs.

ComplyHQ Team

Every Singapore business collects personal data. Customer names and emails. Employee NRIC numbers and salary details. Vendor contact information. Job applicant resumes. Over months and years, this data accumulates in databases, email inboxes, shared drives, filing cabinets, and forgotten spreadsheets.

The question most SMEs never ask -- until it is too late -- is: how long should we keep all of this?

Under Singapore's Personal Data Protection Act (PDPA), the answer is not "forever" and it is not "as long as we want." The Retention Limitation Obligation requires organisations to stop retaining personal data once it is no longer needed for the purpose it was collected for and no longer needed for legal or business purposes, and to dispose of it properly when that time comes. Breaching this obligation can attract a financial penalty of up to S$1 million or, for organisations with annual turnover in Singapore above S$10 million, up to 10% of that turnover, whichever is higher.

Yet data retention remains one of the most neglected areas of PDPA compliance among Singapore SMEs. This guide explains what the law requires, how to build a practical data retention policy, and how to implement it without disrupting your business operations.

What the PDPA Says About Data Retention

The Retention Limitation Obligation is one of the main obligations under the PDPA. It is set out in Section 25, which requires an organisation to cease to retain its documents containing personal data, or to remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that both of the following are true:

Condition 1: The purpose is no longer served. The purpose for which the personal data was collected is no longer being served by keeping it. You cannot rescue expired data by inventing a new purpose: if you collected a customer's email address to send order confirmations, keeping it for future marketing is a different purpose and, under the Purpose Limitation and Consent Obligations, needs its own consent.

Condition 2: There is no remaining legal or business need. Retention is no longer necessary for legal or business purposes, such as a statutory record-keeping requirement or a live dispute.

In plain English: keep personal data only as long as you have a legitimate reason. When the reason expires, delete it or anonymise it.

What the PDPA Does NOT Specify

The PDPA does not prescribe specific retention periods for different types of data. There is no rule that says "keep employee data for 7 years" or "delete customer records after 3 years." The law requires you to determine appropriate retention periods based on your own business context, the purposes of collection, and any other applicable laws that mandate minimum retention.

This lack of specific timeframes is deliberate. Different industries, different data types, and different business purposes warrant different retention periods. But it also means that each organisation must do the work of defining its own policy.

Other Laws That Affect Retention Periods

While the PDPA does not set specific retention periods, several other Singapore laws do. Your data retention policy must account for these mandatory minimums:

Employment Act

  • Employee records (salary and payment details, hours of work, leave taken): For current employees, at least the latest 2 years
  • Former employees: The last 2 years of employment, kept for at least 1 year after the employee leaves
  • These are the minimums under the Employment (Employment Records, Key Employment Terms and Pay Slips) Regulations 2016; the Income Tax Act (below) requires payroll records to be kept longer

Income Tax Act

  • Tax records and supporting documents: Must be retained for at least 5 years from the relevant Year of Assessment
  • This affects employee payroll data, business expense records, and any financial documents containing personal data

Companies Act

  • Accounting records: Must be retained for at least 5 years from the end of the financial year in which the transactions occurred
  • Register of members: Must be maintained and retained for the life of the company

Workplace Safety and Health Act

  • Workplace accident records: Must be retained for at least 5 years
  • Risk assessment records: Must be retained for at least 3 years

Limitation Act

  • Contract claims: The limitation period is 6 years, meaning contract-related data should be retained for at least 6 years after the end of the contract to defend against potential claims
  • Personal injury claims: 3 years

The practical effect: even after a business purpose expires, legal requirements may mandate continued retention. Your policy must account for both.

Building Your Data Retention Policy: Step by Step

Step 1: Map Your Personal Data

Before you can set retention periods, you need to know what personal data you hold and why. Conduct a data inventory:

  • Customer data: Names, emails, phone numbers, addresses, purchase history, payment details, communication records
  • Employee data: NRIC/FIN, addresses, salary information, performance reviews, medical certificates, disciplinary records
  • Vendor/supplier data: Contact details, bank account information, contracts
  • Job applicant data: Resumes, interview notes, assessment results
  • Website/app data: Cookies, analytics data, form submissions, account details

For each data category, document the purpose of collection and the basis on which you hold the data under the PDPA: express consent, deemed consent (for example, where the data is reasonably necessary to perform a contract with the individual), or a statutory exception such as the legitimate interests exception.

Step 2: Determine Retention Periods

For each data category, set a specific retention period based on:

  1. Business purpose: How long do you actually need this data to serve the purpose it was collected for?
  2. Legal requirements: Does any law mandate a minimum retention period?
  3. Practical considerations: Warranty periods, potential disputes, insurance requirements

The periods below are recommended starting points for common SME data categories, calibrated to the statutory minimums above. They are not themselves legal requirements: where a law sets a longer minimum, that minimum governs, and you should record the reasoning behind each period in your policy.

Customer data (active customers)

  • Contact details and account information: Duration of relationship plus 2 years
  • Transaction records: 7 years (covers the 5-year tax and accounting minimum and the 6-year limitation period for contract claims)
  • Communication history: 2 years from last interaction
  • Payment card details: Do not store. Use a payment processor.

Customer data (inactive customers)

  • All personal data: 2 years from last transaction, then anonymise or delete

Employee data

  • Personnel files: Duration of employment plus 7 years (covers tax, CPF, and potential claims)
  • Payroll records: Current year plus 5 years (tax requirement)
  • Medical records: Duration of employment plus 3 years
  • Disciplinary records: Duration of employment plus 2 years

Job applicant data (unsuccessful)

  • Resumes and application materials: 6-12 months from application date, then delete
  • Interview notes and assessments: 6 months from rejection notification

Vendor and supplier data

  • Contract and contact details: Duration of contract plus 6 years (limitation period)
  • Payment records: 7 years (covers the 5-year tax and accounting minimum and the 6-year limitation period)

Marketing data

  • Consent records: Duration of consent plus 2 years after withdrawal
  • Email subscriber data: Until unsubscribe, then delete within 30 days (retain opt-out record)

Step 3: Define Disposal Methods

Your policy must specify how data will be destroyed when retention periods expire:

Digital data:

  • Database records: Permanent deletion (not just marking as inactive), or anonymisation that strips every field that could link the row back to an individual. A soft-delete flag leaves the data in place, and in every export, replica, and backup taken afterwards
  • Files on shared drives: Secure deletion using data wiping software
  • Email: Permanent deletion from all mailboxes including archive
  • Cloud storage: Verify deletion with provider; check backup retention
  • Backups: Include data in backup rotation/expiry cycles

Physical data:

  • Paper records: Cross-cut shredding (not strip shredding, which can be reconstructed)
  • Storage media: Physical destruction, or degaussing for magnetic hard drives and tape only. Degaussing has no effect on SSDs and USB flash drives; use the device's built-in secure-erase or cryptographic-erase command, or destroy the device
  • Do not simply place records in recycling or general waste

Step 4: Assign Responsibilities

A data retention policy is useless without clear ownership:

  • Data Protection Officer (DPO): Overall responsibility for policy compliance
  • Department heads: Responsible for data within their departments
  • IT team: Responsible for technical implementation of deletion procedures
  • All staff: Responsible for flagging data that may need review

Step 5: Set Review Schedules

Data retention is not a one-time exercise. Build in regular reviews:

  • Quarterly: Automated reports identifying data past its retention period
  • Annually: Full review of retention periods against current business needs and legal changes
  • On trigger events: When a customer relationship ends, when an employee departs, when a contract terminates
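The five steps above only work if the retention schedule is something a machine can evaluate on a schedule, not just a table in a policy document. The Python below is an added example written for this guide; it is not ComplyHQ's product code or any PDPC tool. The categories, periods, record IDs, the sample data store and the 90-day backup cycle are constructed assumptions drawn from the periods recommended in Step 2 and the disposal rules in Step 3. It treats each record's retention period as the longer of the business period and the legal minimum, starts the clock at the trigger event (last transaction, pay period end, rejection), skips anything under legal hold, applies delete or anonymise, and reports the latest date a deleted record may still exist in backups.

```python
"""Retention schedule evaluator: a quarterly check against a data inventory.
Added example, not ComplyHQ or PDPC code. All categories, periods, IDs and
sample rows are constructed assumptions based on the guide's recommendations."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def add_months(d: date, months: int) -> date:
    """Shift d by whole months, clipping the day to the target month's length
    (31 Aug + 6 months = 28 Feb, not an invalid 31 Feb)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class RetentionRule:
    trigger: str            # event that starts the clock, e.g. "last_transaction"
    business_months: int    # how long the business purpose needs the data
    legal_min_months: int   # statutory minimum, 0 if none applies
    action: str             # "delete" or "anonymise" (Section 25 allows either)

    @property
    def retention_months(self) -> int:
        # The longer period governs: a short business period can never
        # override a statutory minimum (Mistake 2 in the guide).
        return max(self.business_months, self.legal_min_months)


# Constructed schedule using the periods recommended in Step 2 (assumptions).
SCHEDULE: Dict[str, RetentionRule] = {
    "customer_inactive":      RetentionRule("last_transaction", 24, 0, "anonymise"),
    "transaction_record":     RetentionRule("transaction_date", 84, 60, "delete"),
    "payroll":                RetentionRule("pay_period_end", 12, 60, "delete"),
    "applicant_unsuccessful": RetentionRule("rejection_date", 6, 0, "delete"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: Optional[date]   # None: the trigger event has not happened yet
    legal_hold: bool = False       # live dispute or regulator request: never dispose


@dataclass(frozen=True)
class Finding:
    record_id: str
    status: str                    # "retain", "due", "hold" or "unknown_category"
    action: Optional[str]
    expiry: Optional[date]
    backup_purge_by: Optional[date]  # latest date the data may still sit in backups


def evaluate(records: List[Record], schedule: Dict[str, RetentionRule],
             today: date, backup_cycle_days: int = 90) -> List[Finding]:
    """Classify every record against the schedule as of `today`."""
    findings = []
    for rec in records:
        rule = schedule.get(rec.category)
        if rule is None:          # unmapped data is a Step 1 gap, not a pass
            findings.append(Finding(rec.record_id, "unknown_category", None, None, None))
            continue
        if rec.trigger_date is None:
            findings.append(Finding(rec.record_id, "retain", rule.action, None, None))
            continue
        expiry = add_months(rec.trigger_date, rule.retention_months)
        status = "hold" if rec.legal_hold else ("due" if expiry <= today else "retain")
        purge_by = expiry + timedelta(days=backup_cycle_days) if status == "due" else None
        findings.append(Finding(rec.record_id, status, rule.action, expiry, purge_by))
    return findings


IDENTIFYING_FIELDS = {"name", "email", "nric", "phone"}


def apply_disposal(store: Dict[str, dict], findings: List[Finding], today: date) -> Dict[str, dict]:
    """Apply each 'due' finding to a copy of an in-memory store. 'delete' removes
    the row outright (no soft-delete flag); 'anonymise' strips every identifying
    field so the remaining aggregates cannot be tied to an individual."""
    result = {rid: dict(row) for rid, row in store.items()}
    for f in findings:
        if f.status != "due" or f.record_id not in result:
            continue
        if f.action == "delete":
            del result[f.record_id]
        elif f.action == "anonymise":
            row = {k: v for k, v in result[f.record_id].items() if k not in IDENTIFYING_FIELDS}
            row["anonymised_on"] = today.isoformat()
            result[f.record_id] = row
    return result


def run_demo(today: date = date(2026, 4, 30)):
    """Constructed sample inventory; returns (findings by id, store after disposal)."""
    records = [
        Record("cust-001", "customer_inactive", date(2023, 3, 15)),
        Record("cust-002", "customer_inactive", None),                     # still active
        Record("cust-003", "customer_inactive", date(2022, 1, 10), legal_hold=True),
        Record("txn-9001", "transaction_record", date(2020, 1, 31)),
        Record("pay-2020-12", "payroll", date(2020, 12, 31)),              # 12 < 60 months: tax minimum wins
        Record("app-77", "applicant_unsuccessful", date(2025, 11, 30)),
        Record("app-78", "applicant_unsuccessful", date(2025, 8, 31)),
        Record("vendor-3", "vendor_contract", date(2019, 6, 1)),           # category missing from schedule
    ]
    store = {  # constructed rows; the NRIC is a placeholder, not a real number
        "cust-001": {"name": "A. Tan", "email": "a.tan@example.com", "lifetime_spend": 1234.5},
        "pay-2020-12": {"name": "B. Lim", "nric": "S1234567X", "net_pay": 4200},
        "app-78": {"name": "C. Ng", "email": "c.ng@example.com"},
        "txn-9001": {"name": "A. Tan", "amount": 99.0},
    }
    findings = evaluate(records, SCHEDULE, today)
    return {f.record_id: f for f in findings}, apply_disposal(store, findings, today)


if __name__ == "__main__":
    by_id, after = run_demo()
    for f in by_id.values():
        print(f"{f.record_id:12} {f.status:17} expiry={f.expiry} purge_by={f.backup_purge_by}")
    print("store after disposal:", after)
```

Two design choices matter in practice. The "hold" status is checked before the expiry date, so a litigation hold on a record stops disposal even when the schedule says it is overdue; and a category with no rule comes back as "unknown_category" rather than silently passing, because data that was never mapped in Step 1 is exactly the data that ends up retained forever. The backup_purge_by date is what you would quote when a customer asks when their deleted data is finally gone.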

Common Mistakes Singapore SMEs Make

Mistake 1: "We Keep Everything Forever"

This is the most common and most dangerous approach. Retaining personal data indefinitely without a documented purpose violates the PDPA. It also increases your liability in the event of a data breach -- the more data you hold, the more data that can be compromised.

Mistake 2: Deleting Data That Must Be Retained

Some SMEs, alarmed by the retention limitation obligation, delete data prematurely without checking legal retention requirements. Deleting payroll records after 1 year, for example, violates the Employment Act's 2-year requirement and the Income Tax Act's 5-year requirement.

Mistake 3: No Documented Policy

"We have a policy -- we just haven't written it down" is not compliance. The PDPC expects documented policies that staff can follow. In enforcement cases, the absence of a written retention policy has been cited as evidence of inadequate data protection practices.

Mistake 4: Forgetting Physical Records

Digital data gets most of the attention, but filing cabinets, printed forms, and physical archives containing personal data are equally subject to the PDPA. Many SMEs carefully manage digital retention while leaving boxes of old employee files in a storeroom indefinitely.

Mistake 5: Ignoring Backups

Deleting data from your production systems means nothing if it persists in backups that are never purged. Your data retention policy must address backup data, including backup rotation schedules and the maximum period that deleted data may persist in backup archives.

PDPC Enforcement Examples

The PDPC has taken action against organisations for retention-related violations:

In a 2023 enforcement decision, an organisation was found to have retained the personal data of former customers for over 10 years without a legitimate purpose. The PDPC noted the absence of any data retention policy and directed the organisation to establish one within 60 days, in addition to imposing a financial penalty.

In another case, excessive data retention was cited as an aggravating factor when determining the penalty for a data breach. The PDPC noted that the organisation had held personal data far longer than necessary, increasing the volume of data compromised in the breach.

These cases reinforce a clear message: data retention is not optional, and "keep everything" is not a strategy.

How ComplyHQ Helps With Data Retention

Managing data retention manually -- tracking retention periods across categories, monitoring expiry dates, ensuring timely disposal -- is error-prone and time-consuming for SMEs without dedicated compliance teams.

ComplyHQ's compliance platform includes:

  • Data inventory management: Map and categorise all personal data holdings
  • Automated retention tracking: Set retention periods and receive alerts before deadlines
  • Disposal workflow: Assign disposal tasks with audit trails
  • Compliance calendar: Integrates retention deadlines with your ACRA, tax, and PDPA compliance schedule
  • Policy templates: Pre-built data retention policy templates customised for Singapore SME requirements

A data retention policy does not need to be complex. It needs to be clear, documented, and consistently enforced.


Related guides: 10 PDPA Obligations Every Singapore Business Must Follow, PDPA Compliance Checklist for SMEs, and Cross-Border Data Transfer Under PDPA.


Frequently Asked Questions

How long can I keep personal data under the PDPA?
The PDPA does not prescribe a specific retention period. Instead, the Retention Limitation Obligation requires organisations to stop retaining personal data when it is no longer needed for the purpose for which it was collected, and when retention is no longer necessary for legal or business purposes. You must establish your own retention periods based on the purpose of collection, applicable laws, and legitimate business needs.
What happens if I keep personal data longer than necessary?
Retaining personal data beyond what is necessary violates the Retention Limitation Obligation under the PDPA. The Personal Data Protection Commission (PDPC) can direct you to destroy the data, impose a financial penalty of up to S$1 million or, for organisations with annual turnover in Singapore above S$10 million, up to 10% of that turnover, whichever is higher, and publish the enforcement decision. In PDPC enforcement cases, excessive data retention has been cited as an aggravating factor in determining penalty amounts.
Do I need a written data retention policy?
The PDPA does not prescribe the format of a retention policy, but the Accountability Obligation (Section 12) requires organisations to develop and implement the policies and practices needed to meet their PDPA obligations and to make information about them available on request, and the PDPC expects retention policies and procedures to be documented. A written data retention policy is therefore effectively required for demonstrating compliance during audits or investigations. Without documented policies, you cannot show that you have a systematic approach to retention and disposal.
What is the difference between data retention and data disposal?
Data retention refers to how long you keep personal data and the rules governing that duration. Data disposal refers to the process of permanently destroying or anonymising personal data when the retention period expires. Both are covered under the PDPA's Retention Limitation Obligation. A complete data retention policy must address both: when to keep data and how to dispose of it securely.
Does the PDPA data retention requirement apply to paper records?
Yes. The PDPA applies to personal data in both electronic and physical form. Paper records containing personal data -- employee files, customer forms, contracts with personal information -- are subject to the same retention limitation obligation. Paper records must be securely disposed of (shredding, not just recycling) when no longer needed, and your data retention policy should cover both digital and physical records.
