PDPA Compliance · 11 min read · 30 April 2026

Data Retention Policy Singapore: PDPA Compliance Guide for SMEs (2026)

How to create a PDPA-compliant data retention policy for your Singapore business. Retention periods, disposal requirements, and a step-by-step template for SMEs.

ComplyHQ Team

When I ask a new client, "How long do you keep customer data?" the most common answer I hear is a shrug. Some say "forever." Others say "we never really thought about it." Both answers represent a compliance problem.

Every Singapore business accumulates personal data over time: customer names and emails, employee NRIC numbers and salary records, vendor contacts, job applicant resumes. It piles up in databases, email inboxes, shared drives, filing cabinets, and forgotten spreadsheets.

The PDPA's Retention Limitation Obligation says you cannot keep it forever and you cannot keep it without reason. When the purpose expires and no law compels you to hold on, you must dispose of it properly. Violations can result in penalties up to S$1 million — and in enforcement cases, excessive retention has been treated as an aggravating factor when calculating fines.

Yet data retention is one of the most neglected areas of PDPA compliance among SMEs. This guide explains what to do about it.

What the PDPA Requires

Section 25 sets out two requirements:

Purpose limitation: Do not retain personal data for any purpose it was not collected for.

Cease retention: Stop holding personal data as soon as the original purpose is no longer served and retention is not necessary for legal or business reasons. Either destroy it or remove the identifying information.

The PDPA deliberately does not specify exact retention periods — no rule says "keep employee data for 7 years." Different industries, data types, and business contexts warrant different periods. But this means each organisation must define its own policy.

Other Laws That Set Minimum Periods

Several Singapore laws impose mandatory retention that your policy must respect:

  • Employment Act: Payroll and leave records for current period plus 2 years
  • Income Tax Act: Tax records and supporting documents for at least 5 years from the relevant Year of Assessment
  • Companies Act: Accounting records for at least 5 years
  • WSHA: Workplace accident records for 5 years; risk assessments for 3 years
  • Limitation Act: Contract-related data for at least 6 years after contract end (to defend against potential claims)

Even when a business purpose expires, legal requirements may mandate continued retention.

Building Your Policy: Step by Step

Step 1: Map Your Data

Before setting retention periods, know what you hold. Inventory: customer data (names, contacts, purchase history, payment details), employee data (NRIC, salary, performance reviews, medical certs), vendor data (contacts, bank details, contracts), applicant data (resumes, interview notes), and website data (cookies, analytics, form submissions).

For each category, document the purpose and legal basis.

Step 2: Set Retention Periods

For each category, determine a specific period based on business purpose, legal requirements, and practical considerations.

Recommended periods for common SME data:

Active customers: Contact and account info for duration of relationship plus 2 years. Transactions for 7 years (tax/accounting). Communications for 2 years from last interaction. Payment card details: do not store — use a payment processor.

Inactive customers: All personal data for 2 years from last transaction, then anonymise or delete.

Employees: Personnel files for duration plus 7 years. Payroll for current year plus 5 years. Medical records for duration plus 3 years. Disciplinary records for duration plus 2 years.

Unsuccessful applicants: Resumes for 6-12 months. Interview notes for 6 months from rejection.

Vendors: Contract details for duration plus 6 years. Payment records for 7 years.

Marketing: Consent records for duration plus 2 years after withdrawal. Subscriber data until unsubscribe, then delete within 30 days (retain opt-out record only).

Step 3: Define Disposal Methods

Digital: Permanent database deletion (not just "inactive" flagging). Secure file wiping. Email deletion from all mailboxes including archive. Verify cloud deletion with providers. Include data in backup rotation cycles.

Physical: Cross-cut shredding (not strip shredding — it can be reconstructed). Physical destruction or degaussing of storage media. Do not put records in general waste or recycling.

Step 4: Assign Responsibilities

  • DPO: Overall policy compliance
  • Department heads: Data within their area
  • IT: Technical deletion procedures
  • All staff: Flagging data for review

Step 5: Set Review Schedules

  • Quarterly: Automated reports identifying data past retention period
  • Annually: Full review of retention periods against current business needs
  • On triggers: Customer relationship end, employee departure, contract termination
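The schedule from Step 2 and the quarterly report from Step 5, as an added Python example that is not part of this guide or of ComplyHQ's product. It encodes a few of the recommended periods alongside the statutory minimums from "Other Laws", always applies the longer of the two (so a policy period can never cause the "deleting too early" mistake), honours a legal hold, and groups an inventory by disposition. The category keys, record format and sample inventory are my own assumptions.

```python
from datetime import date

# Retention periods in years from Step 2 (policy) and the "Other Laws" section
# (statutory minimums). Category keys and the record format are my own choices.
POLICY_YEARS = {
    "customer_inactive": 2,    # 2 years from last transaction
    "employee_personnel": 7,   # end of employment plus 7 years
    "employee_payroll": 5,     # current year plus 5 years
    "vendor_contract": 6,      # contract end plus 6 years
}
STATUTORY_MIN_YEARS = {
    "employee_payroll": 5,     # Income Tax Act: at least 5 years
    "vendor_contract": 6,      # Limitation Act: 6 years after contract end
}
AS_OF = date(2026, 4, 30)      # report date used for the sample inventory below

def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def effective_period_years(category: str) -> int:
    """Policy period, but never shorter than the law requires (the 'deleting too early' mistake)."""
    return max(POLICY_YEARS[category], STATUTORY_MIN_YEARS.get(category, 0))

def disposition(record: dict, today: date) -> str:
    """'legal_hold', 'dispose' or 'retain' for a record whose purpose ended on record['trigger']."""
    if record.get("legal_hold"):
        return "legal_hold"    # a pending claim or investigation overrides the schedule
    expiry = add_years(record["trigger"], effective_period_years(record["category"]))
    return "dispose" if today >= expiry else "retain"

def retention_report(records: list, today: date) -> dict:
    """The quarterly report from Step 5: record ids grouped by disposition."""
    report = {"dispose": [], "retain": [], "legal_hold": []}
    for r in records:
        report[disposition(r, today)].append(r["id"])
    return report

# Constructed sample inventory (not real data). 'trigger' is the date the purpose ended.
SAMPLE = [
    {"id": "CUST-001", "category": "customer_inactive", "trigger": date(2023, 3, 1)},
    {"id": "CUST-002", "category": "customer_inactive", "trigger": date(2024, 9, 15)},
    {"id": "PAY-2020", "category": "employee_payroll", "trigger": date(2020, 12, 31)},
    {"id": "VEND-07", "category": "vendor_contract", "trigger": date(2019, 6, 30), "legal_hold": True},
]
```

Running `retention_report(SAMPLE, AS_OF)` flags CUST-001 and PAY-2020 for disposal, keeps CUST-002 and reports VEND-07 as on hold; each disposal should then feed the Step 3 procedures for production, mailboxes and backups.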

Common Mistakes

"Keep everything forever." The most common and most dangerous approach. It violates the PDPA and increases your breach liability — more data means more exposure.

Deleting too early. Some SMEs panic about retention and purge prematurely. Deleting payroll records after 1 year violates the Employment Act's 2-year requirement and the Income Tax Act's 5-year minimum.

No written policy. "We have a policy but it is not written down" is not compliance. The PDPC expects documentation that staff can follow.

Forgetting paper records. Filing cabinets full of old employee files sitting in a storeroom indefinitely are just as subject to the PDPA as your digital records.

Ignoring backups. Deleting from production systems means nothing if data persists in backups that are never purged. Your policy must address backup rotation and retention.

PDPC Enforcement Examples

The PDPC has acted on retention violations. In one case, an organisation retained former customer data for over 10 years without legitimate purpose. No retention policy existed. The PDPC directed them to establish one within 60 days, on top of a financial penalty. In another case, excessive retention was cited as an aggravating factor in breach penalty calculations — the organisation held far more data than necessary, increasing the volume compromised.

How ComplyHQ Helps

ComplyHQ's platform includes data inventory management, automated retention tracking with alerts, disposal workflow with audit trails, compliance calendar integration, and pre-built retention policy templates for Singapore SMEs.

A data retention policy does not need to be complex. It needs to be clear, documented, and consistently enforced.



Frequently Asked Questions

How long can I keep personal data under the PDPA?

The PDPA does not prescribe a specific retention period. Instead, the Retention Limitation Obligation requires organisations to stop retaining personal data when it is no longer needed for the purpose for which it was collected, and when retention is no longer necessary for legal or business purposes. You must establish your own retention periods based on the purpose of collection, applicable laws, and legitimate business needs.

What happens if I keep personal data longer than necessary?

Retaining personal data beyond what is necessary violates the Retention Limitation Obligation under the PDPA. The Personal Data Protection Commission (PDPC) can issue directions to destroy the data, impose financial penalties of up to S$1 million per breach, and publish enforcement decisions. In PDPC enforcement cases, excessive data retention has been cited as an aggravating factor in determining penalty amounts.

Do I need a written data retention policy?

While the PDPA does not explicitly mandate a written policy document, the PDPC expects organisations to have documented retention policies and procedures. Having a written data retention policy is considered best practice and is effectively required for demonstrating compliance during audits or investigations. Without documented policies, you cannot demonstrate that you have a systematic approach to retention and disposal.

What is the difference between data retention and data disposal?

Data retention refers to how long you keep personal data and the rules governing that duration. Data disposal refers to the process of permanently destroying or anonymising personal data when the retention period expires. Both are covered under the PDPA's Retention Limitation Obligation. A complete data retention policy must address both: when to keep data and how to dispose of it securely.

Does the PDPA data retention requirement apply to paper records?

Yes. The PDPA applies to personal data in both electronic and physical form. Paper records containing personal data (employee files, customer forms, contracts with personal information) are subject to the same retention limitation obligation. Paper records must be securely disposed of (shredding, not just recycling) when no longer needed, and your data retention policy should cover both digital and physical records.