PDPA Compliance · 16 min read · 5 July 2026

PDPA Compliance Checklist for Singapore SMEs (2026)

A practical, step-by-step PDPA compliance checklist for Singapore SMEs — all core obligations, what to do first, and the penalties for getting it wrong. Free to use and reference.

ComplyHQ Team


Most Singapore SMEs do not fail PDPA compliance because they are careless. They fail because "personal data protection" sounds like a legal project with no obvious starting point — so it sits on the to-do list until a customer complaint, a job application, or a lost laptop turns it into an urgent one.

This page is built to remove that excuse. It is a complete, practical checklist you can work through in order: what the Personal Data Protection Act actually requires, what to do first, and what it costs to get it wrong. It is written for the person who has to actually implement it — usually an operations manager, office manager, or founder wearing several hats — not for lawyers.

TL;DR: Every Singapore business that touches personal data must comply with the PDPA. Start by appointing a DPO and building a data inventory, then work through consent, notification, protection, retention, and a breach response plan. Penalties can reach the higher of S$1 million or 10% of annual local turnover, and notifiable breaches must be reported to the PDPC within 3 calendar days.

Who This Checklist Is For

The PDPA applies to every private sector organisation in Singapore that collects, uses, or discloses personal data — from a two-person consultancy to a 200-person manufacturer. There is no small-business carve-out. What changes with size is proportionality: the PDPC expects the extent of your safeguards to match the volume and sensitivity of the data you handle, not for a florist to run the same controls as a hospital.

If you collect customer names and phone numbers, keep a staff payroll, run a mailing list, or store CVs from job applicants, this checklist is for you.

The Core PDPA Obligations at a Glance

The PDPA is organised around a set of data protection obligations. Understanding the shape of them first makes the checklist below far less abstract. In broad terms, an organisation must:

  • Be accountable — appoint a DPO, put policies in place, and be able to demonstrate compliance (the Accountability Obligation).
  • Obtain consent — collect, use, or disclose personal data only with valid consent, unless an exception applies (the Consent Obligation).
  • Notify purposes — tell individuals why you are collecting their data, on or before collection (the Notification Obligation).
  • Limit to purpose — use the data only for the purposes a reasonable person would consider appropriate (the Purpose Limitation Obligation).
  • Keep data accurate — make a reasonable effort to ensure personal data is accurate and complete (the Accuracy Obligation).
  • Protect the data — apply reasonable security arrangements to guard against unauthorised access, loss, or disclosure (the Protection Obligation).
  • Limit retention — stop keeping personal data once it no longer serves a legal or business purpose (the Retention Limitation Obligation).
  • Control transfers overseas — ensure data sent abroad receives a comparable standard of protection (the Transfer Limitation Obligation).
  • Honour access and correction — let individuals see and correct the data you hold about them (the Access and Correction Obligation).
  • Report breaches — notify the PDPC and affected individuals when a breach is notifiable (the Data Breach Notification Obligation).

Separately, if you carry out telemarketing to Singapore phone numbers, the Do Not Call (DNC) provisions require you to check the DNC Registry before sending marketing messages.

For a deeper walkthrough of each of these, see our companion guide on the 10 PDPA obligations every Singapore business must follow.

Do This First: The Ordering That Actually Works

The obligations are not sequential in the Act, but in practice there is a smart order to tackle them. Trying to write consent forms before you know what data you hold is backwards. Work top to bottom:

  1. Appoint a DPO — nothing else has an owner until this exists.
  2. Build a data inventory — you cannot protect, retain, or delete what you have not mapped.
  3. Fix consent and notification — clean up how you collect data at the front door.
  4. Lock down protection — apply security controls to the data you now know you hold.
  5. Set retention and disposal rules — stop hoarding data you no longer need.
  6. Prepare a breach response plan — because the 3-day clock is unforgiving.
  7. Handle access, correction, and transfers — the ongoing operational obligations.

The rest of this page is that order, expanded into an actionable checklist.

Step 1 — Appoint a Data Protection Officer (DPO)

Why first: Every organisation must designate at least one individual to be responsible for ensuring PDPA compliance. Without a named owner, every other item on this list becomes "someone's problem" — which means no one's.

Checklist:

  • Designate at least one DPO (an existing employee is fine — it does not need to be a new hire).
  • Make the DPO's business contact information available to the public, for example on your website or privacy policy. A generic role-based email (e.g. dpo@yourcompany.sg) is acceptable and recommended.
  • Register the DPO's business contact details with ACRA where applicable, and ensure the person actually has the authority and time to do the job.
  • Give the DPO a mandate: developing policies, handling queries and complaints, and liaising with the PDPC.

The DPO does not personally have to do all the compliance work, but they are the accountable point of contact. For the full appointment process, see our guide on how to appoint a DPO in Singapore.

Step 2 — Build a Personal Data Inventory (Data Mapping)

Why next: You cannot apply consent, protection, retention, or breach rules to data you have not catalogued. A data inventory is the single highest-leverage document in your whole compliance programme.

Checklist:

  • List every type of personal data you collect (names, contact details, NRIC/FIN, financial details, CVs, CCTV footage, etc.).
  • For each type, record why you collect it, where it is stored, who can access it, and how long you keep it.
  • Note where data flows out of your organisation — payroll vendors, cloud CRMs, overseas parent companies, marketing platforms.
  • Flag high-risk data, especially NRIC/FIN numbers, financial account details, and any health or biometric data.
  • Keep the inventory current — review it whenever you add a new system or vendor.

A specific watch-out for Singapore SMEs: stop collecting NRIC numbers by default. The PDPC's rules restrict the collection, use, and disclosure of NRIC numbers, and over-collecting them is one of the most common enforcement triggers. Our data inventory and mapping guide walks through building this from scratch.

Step 3 — Fix Consent and Notification

Why: Consent and notification govern the front door — how data enters your organisation in the first place. Getting these right prevents most downstream problems.

Checklist:

  • Ensure you have a lawful basis (usually consent) before collecting, using, or disclosing personal data.
  • On or before collection, tell individuals the purposes you will use their data for (the Notification Obligation).
  • Publish a clear, plain-language privacy policy covering what you collect, why, and how individuals can contact your DPO.
  • Make consent specific — do not bundle "agree to marketing" into "agree to receive your order".
  • Provide an easy way to withdraw consent, and honour withdrawals promptly.
  • Where you rely on deemed consent or a legitimate-interests basis, document your reasoning.

If you are unsure whether your website even needs one, start with do I need a privacy policy for my Singapore website.

Step 4 — Lock Down Protection (Security)

Why: The Protection Obligation is, by a wide margin, the most commonly breached obligation in published PDPC enforcement decisions. Most breaches are not sophisticated attacks — they are unpatched systems, weak access controls, and human error.

Checklist:

  • Apply access controls — staff should only reach the personal data their role genuinely needs.
  • Encrypt personal data at rest and in transit where practical, especially on laptops and portable media.
  • Enforce strong passwords and enable multi-factor authentication on key systems (email, CRM, cloud storage).
  • Keep software, operating systems, and plugins patched and up to date.
  • Secure physical records — lock filing cabinets, control office access, and shred documents before disposal.
  • Put a data protection clause in every vendor contract that handles your data on your behalf.
  • Train staff — a large share of breaches trace back to a well-meaning employee doing the wrong thing.

The security bar is "reasonable" relative to your risk, not "military-grade". But "we never got around to it" is not a defence the PDPC accepts.

Step 5 — Set Retention and Disposal Rules

Why: The Retention Limitation Obligation requires you to stop keeping personal data once it no longer serves a legal or business purpose. Old data you have forgotten about is pure liability — it can still be breached, but it delivers you no value.

Checklist:

  • Define a retention period for each category of personal data in your inventory.
  • Anchor retention to a legal basis where one exists (for example, statutory record-keeping periods for employment and tax records).
  • Securely dispose of or anonymise data once its retention period lapses.
  • Apply this to backups and archives too, not just live systems.
  • Document your retention schedule so you can show the PDPC a deliberate policy, not neglect.

Our data retention policy guide includes a template schedule you can adapt.

Step 6 — Prepare a Data Breach Response Plan

Why: When a breach happens, you do not have time to invent a process. The Data Breach Notification Obligation gives you 3 calendar days to notify the PDPC once you determine a breach is notifiable — and a breach is notifiable if it is likely to cause significant harm to individuals, or affects 500 or more individuals.

Checklist:

  • Write a breach response plan now, before you need it — containment, assessment, notification, and remediation steps.
  • Name who leads the response (usually the DPO) and who to escalate to.
  • Define how you will assess whether a breach is notifiable, and record that assessment.
  • Prepare notification templates for the PDPC and for affected individuals so you are not drafting under pressure.
  • Know where to report: the PDPC provides an online data breach reporting channel.
  • Run a tabletop test at least once so the plan is not purely theoretical.

For the full step-by-step, see our data breach response guide for Singapore businesses. Missing the 3-day deadline is itself a breach of the PDPA and a common trigger for enforcement.

Step 7 — Handle Access, Correction, and Overseas Transfers

Why: These are the ongoing, business-as-usual obligations that keep tripping organisations up months after the initial setup.

Checklist:

  • Have a process to respond to access requests — an individual asking to see what data you hold on them.
  • Have a process to correct data when an individual points out an error, and to pass corrections to third parties you shared the data with.
  • For any personal data you send overseas (including to a cloud provider or overseas parent), ensure the recipient is bound to a standard of protection comparable to the PDPA — usually through contractual clauses.
  • Map your overseas transfers against your data inventory so nothing slips through unnoticed.

Our cross-border data transfer guide covers the contractual mechanisms in detail.
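The inventory in Step 2, the retention schedule in Step 5, and the transfer mapping in Step 7 all hinge on the same document: a per-category record of what you hold, why, where, who can reach it, how long it is kept, and where it flows. The following script is an added example (not ComplyHQ's code or a PDPC tool) that encodes such an inventory and runs the three review checks the checklist asks for: categories with no retention period defined, categories whose retention period has lapsed, and overseas flows with no comparable-protection clause; it also flags the high-risk categories the page names (NRIC/FIN, financial, health, biometric) for review. The field names, the sample entries and the review date are constructed for illustration.

```python
"""Review a personal-data inventory against retention, transfer and
high-risk checks. Added example; field names and sample data are
constructed, not taken from the PDPA, the PDPC or ComplyHQ."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Categories the page singles out as high-risk (constructed matching set).
HIGH_RISK_CATEGORIES = {"nric/fin", "financial account", "health", "biometric"}


@dataclass
class InventoryEntry:
    category: str                 # type of personal data
    purpose: str                  # why it is collected
    system: str                   # where it is stored
    access_roles: tuple           # who can access it
    purpose_ended: date           # when the business/legal purpose ended for the oldest record held
    retention_days: Optional[int] # retention period after purpose_ended; None = not yet defined
    overseas_recipient: Optional[str] = None   # vendor/parent abroad, if any
    comparable_protection: bool = False        # contractual clause in place?


def is_high_risk(entry: InventoryEntry) -> bool:
    return entry.category.lower() in HIGH_RISK_CATEGORIES


def review_inventory(entries, today: date) -> dict:
    """Return the categories that fail each check, in inventory order."""
    findings = {
        "no_retention_period": [],   # Step 5: define a period for every category
        "past_retention": [],        # Step 5: dispose or anonymise once it lapses
        "uncovered_transfer": [],    # Step 7: overseas flow without comparable protection
        "high_risk": [],             # Step 2: flag NRIC/FIN, financial, health, biometric
    }
    for e in entries:
        if e.retention_days is None:
            findings["no_retention_period"].append(e.category)
        elif e.purpose_ended + timedelta(days=e.retention_days) < today:
            findings["past_retention"].append(e.category)
        if e.overseas_recipient and not e.comparable_protection:
            findings["uncovered_transfer"].append(e.category)
        if is_high_risk(e):
            findings["high_risk"].append(e.category)
    return findings


# Constructed sample inventory for a small business.
SAMPLE_INVENTORY = [
    InventoryEntry("Customer contact details", "order fulfilment", "cloud CRM",
                   ("sales", "support"), date(2024, 1, 10), 365,
                   overseas_recipient="CRM vendor (US)", comparable_protection=True),
    InventoryEntry("Employee payroll records", "salary and CPF", "payroll vendor",
                   ("hr",), date(2025, 12, 31), 5 * 365),
    InventoryEntry("NRIC/FIN", "membership verification", "spreadsheet",
                   ("front desk", "sales", "marketing"), date(2025, 6, 1), None),
    InventoryEntry("Job applicant CVs", "recruitment", "shared drive",
                   ("hr", "hiring managers"), date(2025, 3, 1), 180,
                   overseas_recipient="parent company HR system", comparable_protection=False),
]

TODAY = date(2026, 7, 5)  # constructed review date


def main() -> None:
    for check, categories in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{check}: {', '.join(categories) or 'none'}")


if __name__ == "__main__":
    main()
```

Run it once a quarter (the cadence the summary checklist suggests) against your real inventory; each non-empty finding maps directly to a checklist item that still needs an owner and a date.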

Step 8 — Do Not Call (If You Do Telemarketing)

Why: Separate from the core obligations, the DNC provisions apply if you send marketing messages to Singapore telephone numbers.

Checklist:

  • Before sending marketing calls, texts, or faxes to Singapore numbers, check the numbers against the relevant Do Not Call Registry.
  • Keep records of your DNC checks.
  • Include clear identification and an opt-out in marketing messages.

See our Do Not Call Registry guide for businesses for the operational steps.

The Penalties: What Getting It Wrong Costs

The PDPC's enforcement powers were strengthened by amendments that took effect on 1 October 2022. The headline figures every SME owner should know:

  • Financial penalties can reach the higher of S$1 million, or 10% of the organisation's annual turnover in Singapore (the 10% cap applies to organisations with local annual turnover above S$10 million).
  • Directions — the PDPC can order you to stop collecting or using data, destroy data, or implement specific measures.
  • Reputational exposure — enforcement decisions are published and name the organisation. For many SMEs, the public naming stings more than the fine.

Importantly, PDPC enforcement decisions consistently show that organisations which self-report promptly, cooperate, and can demonstrate a genuine compliance programme tend to face lower penalties than those that ignored the obligations. Accountability is not just a box to tick — it is a mitigating factor. For a fuller picture, read our breakdown of the cost of non-compliance for Singapore SMEs.

A One-Page Summary Checklist

Print this, stick it on the wall, and work down it:

  1. DPO appointed and business contact published.
  2. Data inventory built and kept current.
  3. Consent obtained and withdrawable; privacy policy published.
  4. Purposes notified on or before collection.
  5. Security controls in place (access, encryption, patching, training).
  6. Retention schedule set; old data disposed of securely.
  7. Breach response plan ready; 3-calendar-day PDPC deadline understood.
  8. Access and correction processes in place.
  9. Overseas transfers covered by comparable protection.
  10. DNC checks done (if you do telemarketing).

Compliance is not a one-off project — it is a habit. Set a calendar reminder to revisit this checklist each quarter, and every time you add a new system, vendor, or data collection point.

How ComplyHQ Helps

Working through this checklist manually is entirely doable, but it is the kind of task that quietly slips. ComplyHQ is built to keep Singapore SMEs on top of exactly these obligations — mapping your data, generating the policies and notices you need, and reminding you when something needs review — so PDPA compliance becomes a standing system rather than an annual scramble.

Frequently Asked Questions

What is the first thing an SME should do to comply with the PDPA?

Appoint a Data Protection Officer (DPO). Every organisation in Singapore is required to designate at least one individual responsible for ensuring PDPA compliance, and this appointment is the foundation for every other obligation. The DPO's business contact information must be made available to the public. Once a DPO is in place, the next priority is building a data inventory so you know exactly what personal data you hold, where it lives, and why.

Does the PDPA apply to my small business?

Yes. The PDPA applies to every private sector organisation in Singapore that collects, uses, or discloses personal data, regardless of how small it is. There is no exemption based on revenue, headcount, or industry. The PDPC applies a proportionality principle — a sole proprietor is not expected to have the same controls as a bank — but the core obligations apply to everyone. Business contact information used strictly for business purposes is treated differently.

What is the maximum penalty for a PDPA breach in Singapore?

Following amendments that took effect on 1 October 2022, the PDPC can impose a financial penalty of up to 10% of an organisation's annual turnover in Singapore (for organisations with local turnover exceeding S$10 million), or up to S$1 million, whichever is higher. Beyond financial penalties, the PDPC can issue directions to stop data processing, require remediation, and publish enforcement decisions naming the organisation.

How long do I have to report a data breach to the PDPC?

Once you determine that a data breach is notifiable, you must notify the PDPC no later than 3 calendar days. A breach is notifiable if it is likely to result in significant harm to affected individuals, or if it affects 500 or more individuals. You should also notify affected individuals as soon as practicable. Having a documented breach response plan ready in advance is what makes hitting this deadline realistic.

Do I need a written privacy policy to comply with the PDPA?

A written privacy policy is not named as a standalone obligation in the Act, but in practice you cannot satisfy the Notification and Consent Obligations without one. Individuals must be informed of the purposes for which you collect, use, and disclose their personal data on or before collection — a published privacy policy is the standard way organisations meet this. It also demonstrates accountability, which the PDPC weighs favourably during enforcement.
Tags: PDPA, compliance checklist, Singapore, SME, data protection, PDPC, DPO
