compliance · 7 min read · 13 May 2026

PDPA Compliance Checklist for Singapore Small Businesses (2026)

Step-by-step PDPA compliance checklist for Singapore SMEs in 2026. Covers PDPC requirements, data protection policies, and how to avoid costly penalties.

ComplyHQ Team

I worked with a bakery in Tanjong Pagar last year — lovely place, great pastries, three staff. The owner was genuinely shocked when I told her that her Google Sheets customer list, her birthday promo emails, and even her CCTV footage all fall under the PDPA. "But I'm just a small business," she said. That's the thing — size doesn't matter under this law.

Running a small business in Singapore means juggling a hundred things at once. PDPA compliance rarely feels urgent — until a customer complaint hits the PDPC, or a data breach happens, or you realise you've been breaking the rules without knowing it.

The good news: it's not as complicated as it sounds. Most small businesses can get their basics sorted with a clear checklist and a few hours of focused work. This guide breaks it down in plain English, no legal jargon needed.


What Is the PDPA and Who Does It Apply To?

The Personal Data Protection Act 2012 (PDPA) is Singapore's primary data protection law. It governs how organisations collect, use, disclose, and care for personal data — which is defined as any data that can identify an individual, either on its own or in combination with other information.

This includes names, NRIC numbers, email addresses, phone numbers, photographs, IP addresses, and even CCTV footage if it captures identifiable individuals.

The PDPA applies to your business if you:

  • Collect customer or employee information (which virtually every business does)
  • Send marketing emails or SMS to contacts
  • Store personal data on cloud platforms, spreadsheets, or physical files
  • Use third-party tools like CRM software, booking platforms, or payment gateways

There is no size exemption. A hawker stall that collects customer phone numbers for table notifications is subject to PDPA. So is a freelance consultant who stores client data in a Gmail inbox.


The 11 PDPA Obligations at a Glance

The PDPA sets out 11 data protection obligations. Here is what each means for a typical Singapore SME.

1. Consent Obligation

You must obtain the individual's consent before collecting, using, or disclosing their personal data. Consent must be voluntary, informed, and given for a specific purpose. Pre-ticked checkboxes do not constitute valid consent.

Practical implication: Your website contact form, booking form, or sign-up page must clearly explain what data you are collecting and why, with a separate checkbox for marketing communications.

2. Purpose Limitation Obligation

You may only collect personal data for purposes that a reasonable person would consider appropriate given the circumstances. You cannot collect data "just in case" or use data for purposes beyond what was originally stated.

Practical implication: If you collect a customer's email address to send an order confirmation, you cannot then use it to add them to your marketing newsletter without separate consent.

3. Notification Obligation

Before or at the point of collection, individuals must be notified of the purposes for which their data is being collected, used, or disclosed. This is typically done through a Privacy Policy and point-of-collection notices.

Practical implication: Every data collection touchpoint — website forms, paper forms, verbal collection over the phone — should include a notification. A link to your Privacy Policy on your website footer is the minimum baseline.

4. Access and Correction Obligation

Individuals have the right to request access to their personal data that you hold, and to request corrections if the data is inaccurate. You must respond to these requests within 30 calendar days (or notify the individual if you need more time, up to a maximum of 60 days).

Practical implication: Have a process in place to receive, log, and respond to data access requests. A dedicated email address (e.g., dpo@yourbusiness.com.sg) works well.

5. Accuracy Obligation

You must make a reasonable effort to ensure that personal data collected is accurate and complete, especially if it will be used to make decisions that affect the individual.

Practical implication: Periodically review customer records and remove outdated information. Allow customers to update their own details through an account portal or by contacting you.

6. Protection Obligation

You must implement reasonable security arrangements to protect personal data in your possession or under your control from unauthorised access, collection, use, disclosure, copying, modification, or disposal.

Practical implication: Use strong, unique passwords for all accounts holding customer data. Enable two-factor authentication. Restrict access to personal data to employees who need it. Encrypt sensitive data at rest and in transit.

7. Retention Limitation Obligation

You must not retain personal data for longer than is necessary for the purpose it was collected. Once the purpose is fulfilled, you must destroy or anonymise the data.

Practical implication: Define retention periods for different data types. For example, customer transaction records: 5 years (for IRAS purposes). Job applicant data: 2 years. Implement a scheduled data deletion process.

8. Transfer Limitation Obligation

If you transfer personal data outside Singapore, you must ensure the receiving country or organisation provides a comparable standard of data protection, or obtain the individual's consent.

Practical implication: Check where your SaaS tools store data. If your CRM stores data on US servers, review whether the vendor provides Standard Contractual Clauses or equivalent protections.

9. Data Breach Notification Obligation

Since the 2020 PDPA amendments, you are legally required to notify the PDPC of a data breach within 3 calendar days of determining it is notifiable. A breach is notifiable if it involves personal data of 500 or more individuals, or if it is likely to cause significant harm. Affected individuals must also be notified.

Practical implication: Have an incident response plan — even a simple one. Know who to contact internally, how to assess whether a breach is notifiable, and how to submit a notification to the PDPC.

10. Data Portability Obligation

From September 2021, eligible organisations must transfer an individual's data to another organisation upon request. Currently this obligation applies to selected sectors — check PDPC's advisory guidelines to determine if it applies to your business.

11. Accountability Obligation

You must designate a Data Protection Officer (DPO), implement data protection policies and practices, and be able to demonstrate compliance. The DPO's contact details must be made publicly available.


Your PDPA Compliance Checklist

Work through this checklist to identify gaps and prioritise fixes.

Governance

  • Designate a Data Protection Officer (DPO) and publish their contact details
  • Document your data protection policies in writing
  • Train staff on PDPA basics and their responsibilities

Data Inventory

  • Map all personal data your business collects (what, from whom, why)
  • Identify all systems, tools, and vendors that hold personal data
  • Confirm the data storage location for each vendor (Singapore or overseas)

Consent and Notification

  • Add a Privacy Policy to your website (accessible from every page)
  • Include consent checkboxes on all data collection forms
  • Add data collection notices at all offline touchpoints (paper forms, phone scripts)
  • Separate consent for marketing from consent for service delivery

Security

  • Enable two-factor authentication on all accounts holding personal data
  • Restrict internal access to personal data on a need-to-know basis
  • Use encrypted storage and transmission for sensitive data
  • Set up automatic security updates for all devices and software

Retention and Deletion

  • Define and document data retention periods for each data category
  • Schedule regular data deletion or anonymisation reviews
  • Securely dispose of physical documents containing personal data (cross-cut shredding)
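As an added example of the scheduled deletion process called for under the Retention Limitation Obligation and in the retention checklist above (illustrative code written for this page, not part of the original article or of ComplyHQ's product), the following Python sweep takes a small data inventory and flags records that are past their documented retention period, due within the next 30 days, or filed under a category with no retention period at all. The retention figures for transaction records (5 years) and job applicant data (2 years) are the article's; the one-year marketing period, the 30-day warning window, the record ids and dates, and the "cctv_footage" category are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Retention periods (years) per data category. The first two figures are the
# article's examples (transaction records 5 years for IRAS, job applicant data
# 2 years); "marketing_contact" and its 1-year period are an assumed
# placeholder that a business would set in its own retention schedule.
RETENTION_YEARS: Dict[str, int] = {
    "transaction_record": 5,
    "job_applicant": 2,
    "marketing_contact": 1,
}

# How far ahead the sweep warns about an upcoming expiry (assumed value).
WARNING_WINDOW = timedelta(days=30)

# Date the sweep is run as of; matches the article's publication date.
AS_OF = date(2026, 5, 13)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_fulfilled_on: date  # date the collection purpose was met


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record: Record) -> Optional[date]:
    """Date after which the record must be destroyed or anonymised, or None
    if its category has no documented retention period."""
    years = RETENTION_YEARS.get(record.category)
    if years is None:
        return None
    return add_years(record.purpose_fulfilled_on, years)


def retention_sweep(records: Iterable[Record], today: date) -> Dict[str, List[str]]:
    """Classify records by retention status.

    expired:          past the deadline; destroy or anonymise now
    due_soon:         deadline within WARNING_WINDOW; schedule disposal
    unknown_category: no retention period documented; holding it is unjustified
    """
    result: Dict[str, List[str]] = {"expired": [], "due_soon": [], "unknown_category": []}
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is None:
            result["unknown_category"].append(rec.record_id)
        elif deadline < today:
            result["expired"].append(rec.record_id)
        elif deadline <= today + WARNING_WINDOW:
            result["due_soon"].append(rec.record_id)
    return result


# Constructed sample inventory: ids, dates and the CCTV category are made up.
SAMPLE_RECORDS: List[Record] = [
    Record("TX-1001", "transaction_record", date(2020, 4, 30)),  # long expired
    Record("TX-1002", "transaction_record", date(2021, 6, 1)),   # expires 1 Jun 2026
    Record("APP-07", "job_applicant", date(2024, 3, 15)),        # expired 15 Mar 2026
    Record("APP-08", "job_applicant", date(2025, 1, 10)),        # still within period
    Record("APP-09", "job_applicant", date(2024, 2, 29)),        # leap day, clamps to 28 Feb
    Record("MKT-3", "marketing_contact", date(2025, 12, 1)),     # still within period
    Record("CCTV-9", "cctv_footage", date(2026, 5, 1)),          # no retention period set
]


def sweep_sample() -> Dict[str, List[str]]:
    """Run the sweep over the constructed inventory as of AS_OF."""
    return retention_sweep(SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for status, ids in sweep_sample().items():
        print(f"{status}: {ids}")
```

The unknown_category bucket is the one to watch: a record whose category has no documented retention period is one the business cannot justify holding, so the sweep refuses to treat it as fine rather than silently skipping it. In practice the sweep would read from the systems the data inventory identified and log its findings, with the deletion or anonymisation step run only after someone has reviewed the expired list.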

Breach Response

  • Draft a basic data breach response plan
  • Know how to submit a breach notification to the PDPC (via PDPC's online portal)
  • Define internal escalation procedures for suspected breaches

Third-Party Vendors

  • Review contracts with vendors who process personal data on your behalf
  • Include data protection clauses in vendor agreements
  • Confirm overseas vendors meet transfer limitation requirements

Common PDPA Mistakes Singapore SMEs Make

Using a generic Privacy Policy template without customisation. A boilerplate policy that does not reflect your actual data practices can be worse than no policy — it creates legal exposure if it misrepresents what you do.

Assuming consent is blanket and indefinite. Consent given for one purpose does not extend to others. Sending promotional SMS to customers who only agreed to receive order updates is a breach of the Purpose Limitation Obligation.

Keeping data forever "just in case." Unnecessary data retention is a direct PDPA violation. If a breach occurs, every record you should have deleted becomes part of your liability.

Ignoring employee data. The PDPA covers HR data too — payroll records, performance reviews, medical certificates, and leave applications all count as personal data and must be managed accordingly.

Not vetting SaaS vendors. Your CRM, email marketing platform, and cloud storage provider are all processing personal data on your behalf. You remain accountable for how they handle it.


Do Not Call (DNC) Registry Obligations

The Do Not Call (DNC) Registry is part of the PDPA framework and carries its own obligations for businesses that send unsolicited commercial messages.

Before sending marketing calls, SMS, or faxes to Singapore numbers, you must check those numbers against the DNC Registry. Calling a registered number without the recipient's clear and unambiguous consent can result in fines of up to S$10,000 per breach.

Exemptions apply if the individual is an existing customer and the message relates to a product or service they have used. However, you must still give them a clear opt-out mechanism in every communication.


PDPC Enforcement: What the Penalties Look Like

The PDPC publishes all enforcement decisions on its website. Notable cases provide a useful benchmark for SMEs:

  • SingHealth (2019): S$250,000 fine for Singapore's largest data breach, affecting 1.5 million patient records
  • Marina Bay Sands (2023): S$1 million fine for a breach exposing data of 665,000 loyalty programme members
  • Grab (2019): S$10,000 fine for exposing driver and passenger data due to a software bug

For most SMEs, the realistic penalty range for a first-time, non-egregious breach is S$5,000 to S$50,000 — plus the remediation costs, reputational fallout, and management time spent on the investigation.


Getting Compliant Without the Overhead

The practical challenge for Singapore SMEs is not understanding what PDPA requires — it is having the time and resources to implement it properly. Reviewing vendor contracts, drafting a Privacy Policy, setting up a breach response process, and keeping documentation current is a sustained operational burden.

This is where AI-powered compliance tools have changed the equation. Platforms like ComplyHQ offer AI-powered compliance that handles your PDPA obligations in minutes, not weeks — generating policies tailored to your business, tracking your compliance status across obligations, and alerting you when something needs attention. For lean teams without a dedicated legal or compliance function, that kind of structured support makes the difference between staying on top of obligations and scrambling when the PDPC comes calling.


Action Plan: Get PDPA-Ready in 2026

If you are starting from scratch, here is a sequenced approach:

Week 1 — Foundation

Designate your DPO. Conduct a data inventory. Identify what personal data you hold and where.

Week 2 — Policies and Notices

Draft or update your Privacy Policy. Add consent mechanisms to all forms. Review marketing lists for valid consent.

Week 3 — Security and Vendors

Audit access controls. Enable MFA on key accounts. Review vendor contracts for data protection clauses.

Week 4 — Processes

Document your data retention schedule. Create a basic breach response plan. Brief your team.

Ongoing

Review annually or whenever you introduce a new product, service, or data processing activity. The PDPC updates its Advisory Guidelines periodically — subscribe to their newsletters to stay current.


Final Thoughts

PDPA compliance is not a one-time project — it is an ongoing operational discipline. But getting the fundamentals right is achievable for any Singapore SME, and the cost of doing so is far lower than the cost of getting it wrong.

Start with the checklist above. Identify your three biggest gaps. Fix those first. Compliance is a journey, not a destination, and every step you take reduces your risk exposure — and builds the trust that keeps customers coming back.


Frequently Asked Questions

Does my small business in Singapore need to comply with PDPA?

Yes. The Personal Data Protection Act 2012 applies to virtually all organisations that collect, use, or disclose personal data in Singapore — regardless of size. This includes sole proprietorships, partnerships, and SMEs. There is no revenue or headcount threshold that exempts you. The PDPC has issued enforcement actions against businesses of all sizes, so compliance is not optional even for very small operations.

What are the penalties for PDPA non-compliance in Singapore?

Following the 2020 amendments to PDPA, the PDPC can impose financial penalties of up to S$1 million, or 10% of an organisation's annual turnover in Singapore — whichever is higher — for egregious breaches. For most SMEs, this means a cap of S$1 million per incident. Beyond fines, the PDPC can issue directions to stop data processing, require remediation, or publicise enforcement actions, which can cause significant reputational damage.

Do I need to appoint a Data Protection Officer (DPO) for my SME?

Yes. Under the PDPA's Accountability Obligation, every organisation must designate at least one individual as a Data Protection Officer (DPO). The DPO does not need to be a full-time role or a legally trained professional — a business owner, office manager, or any responsible employee can take on this duty. However, the DPO must be reachable by customers, and their contact details (or at minimum a business contact address) should be made publicly available, typically on your privacy policy page.