PDPA Compliance | 12 min read | 12 April 2026

PDPA Compliance Checklist for Singapore SMEs (2026 Edition)

Complete 2026 PDPA compliance checklist for Singapore SMEs. Cover all 10 obligations with practical steps, common mistakes to avoid, and a free gap assessment.

ComplyHQ Team

The Personal Data Protection Act (PDPA) applies to every private sector organisation in Singapore. There is no exemption for small businesses, startups, or sole proprietors. If your business collects any personal data — customer names, email addresses, phone numbers, or payment information — you must comply.

This checklist covers all 10 PDPA obligations in practical, actionable terms. It is written specifically for SME owners who need to know what to do, not legal theory.

Before You Start: What You Need to Know

Who Must Comply

Every private sector organisation operating in Singapore, including:

  • Companies (Pte Ltd, LLP, LP)
  • Sole proprietors and freelancers
  • Partnerships and associations
  • Foreign companies processing data in Singapore
  • Online businesses based in Singapore

Government agencies are excluded. Individuals acting in a personal or domestic capacity are also excluded.

What Counts as Personal Data

Personal data is any data that can identify a specific individual, whether on its own or combined with other data your organisation has access to. This includes:

  • Names, NRIC/FIN numbers, passport numbers
  • Phone numbers, email addresses, home addresses
  • Photographs and video recordings
  • IP addresses (in certain contexts)
  • Financial and employment information
  • Health and medical records

Business contact information (work email, work phone, business title) is generally excluded when used for business purposes.

The 10-Point PDPA Compliance Checklist

1. Appoint a Data Protection Officer (DPO)

Requirement: Every organisation must designate at least one individual as its Data Protection Officer under Section 11(3) of the PDPA.

What to do:

  • Designate a DPO (can be the business owner, a manager, or an outsourced provider)
  • Ensure the DPO understands the basics of PDPA compliance
  • Make the DPO's contact information publicly available (e.g., on your website)
  • Register your DPO's details with ACRA via BizFile+

For SMEs: The DPO does not need to be a full-time or dedicated role. In most small businesses, the owner or a senior manager takes on this responsibility alongside their existing duties. No formal qualifications are legally required, but the PDPC offers free training resources.

For a detailed guide on DPO appointment, see How to Appoint a Data Protection Officer in Singapore.

2. Create a Data Protection Policy

Requirement: Your organisation must have documented data protection policies and practices.

What to do:

  • Draft an internal Data Protection Policy covering how your organisation collects, uses, stores, and disposes of personal data
  • Include procedures for handling data access requests, correction requests, and complaints
  • Define roles and responsibilities for data protection within your organisation
  • Store the policy where all employees can access it

What to include in your policy:

  • Types of personal data your organisation collects
  • Purposes for which data is collected and used
  • How consent is obtained
  • Security measures in place
  • Data retention periods
  • Procedures for data breaches
  • Third-party data sharing arrangements

3. Build a Personal Data Inventory

Requirement: You need to know what personal data you have, where it is stored, and why you have it. This is the foundation of PDPA compliance.

What to do:

  • List all types of personal data your organisation collects
  • Document the purposes for each type of data
  • Identify where each type of data is stored (physical files, databases, cloud services, email)
  • Record who has access to each type of data
  • Note any third parties you share data with
  • Document your legal basis for collecting each type of data

Common data sources to audit:

  • Customer databases and CRM systems
  • Email marketing lists
  • HR and payroll systems
  • Website contact forms and analytics
  • Social media accounts
  • Physical records (paper forms, visitor logs)
  • CCTV systems
  • Mobile apps

Build your data inventory step by step. ComplyHQ's data inventory builder walks you through the process with guided prompts and organises everything in one place.

4. Obtain Valid Consent

Requirement: Under the Consent Obligation (Part IV, Division 1), you must obtain consent before collecting, using, or disclosing personal data. Consent must be informed — individuals must know the purposes for which their data will be used.

What to do:

  • Review all points where you collect personal data (forms, sign-ups, purchases)
  • Ensure each collection point clearly states the purpose of collection
  • Provide a way for individuals to give or withhold consent
  • Do not bundle consent — avoid making consent a condition of service beyond what is reasonable
  • Implement a mechanism for individuals to withdraw consent
  • Document all consent obtained and withdrawn

Types of consent under PDPA:

  • Express consent: The individual actively agrees (e.g., checking a box, signing a form)
  • Deemed consent: The individual voluntarily provides data for a purpose that is obvious (e.g., giving their email to receive a newsletter)
  • Deemed consent by notification: You notify the individual and provide a reasonable period to opt out

For a deeper dive, see Understanding Consent Under PDPA.

5. Draft or Update Your Privacy Policy

Requirement: Under the Notification Obligation (Part IV, Division 3), you must notify individuals of the purposes for collecting their data. A privacy policy is the standard way to fulfil this obligation.

What to do:

  • Create a privacy policy (or review your existing one)
  • Include all required elements: purposes of collection, types of data collected, DPO contact details, consent withdrawal process, data retention practices, and third-party sharing
  • Make it accessible on your website (typically linked in the footer)
  • Use plain language — avoid dense legal jargon
  • Review and update at least annually or whenever your data practices change

Not sure where to start? See our guide: Do I Need a Privacy Policy for My Singapore Website? or generate one automatically with ComplyHQ's AI privacy policy generator.

6. Implement Data Security Measures

Requirement: Under the Protection Obligation (Section 24), you must make reasonable security arrangements to protect personal data against unauthorised access, disclosure, and loss.

What to do:

  • Use strong passwords and enable multi-factor authentication on all systems containing personal data
  • Encrypt sensitive data at rest and in transit
  • Restrict access to personal data on a need-to-know basis
  • Keep software and operating systems updated with security patches
  • Use reputable antivirus and firewall solutions
  • Secure physical documents in locked cabinets
  • Implement secure data disposal (shredding paper, wiping hard drives)
  • Regularly back up data with encrypted backups

"Reasonable" is proportionate: The PDPC considers your organisation's size, resources, the nature of the data, and the potential harm from a breach. A 5-person startup is not held to the same standard as a bank, but every business must be able to demonstrate that it has taken appropriate steps.

7. Set Up a Data Breach Response Plan

Requirement: Since February 2021, the Mandatory Data Breach Notification framework (Part VIA) requires organisations to notify the PDPC within 3 calendar days of completing their assessment that a breach is notifiable.

What to do:

  • Create a written Data Breach Response Plan
  • Define what constitutes a data breach in your organisation
  • Assign roles and responsibilities for breach response
  • Document the assessment process for determining if a breach is notifiable
  • Prepare template notifications for PDPC and affected individuals
  • Include contact details for the PDPC and your DPO
  • Conduct a tabletop exercise at least once a year

A breach is notifiable if:

  1. It results in or is likely to result in significant harm to affected individuals, OR
  2. It affects or is likely to affect 500 or more individuals

For a step-by-step guide, see PDPA Data Breach Notification: Step-by-Step Guide.

8. Train Your Employees

Requirement: Your staff are your first line of defence. Untrained employees are a leading cause of data breaches in Singapore.

What to do:

  • Conduct PDPA awareness training for all employees who handle personal data
  • Cover the basics: what personal data is, why protection matters, and what their obligations are
  • Include practical scenarios relevant to your business (e.g., handling customer data requests, responding to suspicious emails)
  • Train new employees during onboarding
  • Provide refresher training at least annually
  • Document training attendance and content

Low-cost training options:

  • PDPC's free online learning modules at pdpc.gov.sg
  • In-house briefings led by your DPO
  • Industry-specific workshops offered by trade associations

9. Review Third-Party Data Processors

Requirement: If you share personal data with vendors, service providers, or partners, you remain responsible for the data under the PDPA. You cannot outsource your obligations.

What to do:

  • List all third parties that process personal data on your behalf (payroll providers, CRM platforms, email marketing tools, cloud hosting, IT support, etc.)
  • Review contracts with each third party to ensure they include data protection clauses
  • Verify that third parties have adequate security measures
  • For overseas transfers, ensure the recipient country has comparable data protection or you have binding contractual clauses in place
  • Maintain a record of all third-party data sharing arrangements

10. Check DNC Registry Compliance

Requirement: Under Part IX of the PDPA, organisations must check the Do Not Call (DNC) Registry before sending marketing messages via voice calls, text messages (SMS), or fax to Singapore telephone numbers.

What to do:

  • Register for a DNC Registry account at dnc.pdpc.gov.sg
  • Check the registry before every marketing campaign
  • Ensure checks are done within 30 days before sending messages
  • Include an opt-out facility in every marketing message
  • Keep records of consent for marketing communications
  • Stop marketing to any number on the registry unless you have clear and unambiguous consent

Penalties: Up to S$10,000 per breach for individuals, and financial penalties from the PDPC for organisations.

Common PDPA Mistakes SMEs Make

Avoid these frequent pitfalls:

  1. Thinking a privacy policy is enough. A privacy policy fulfils one of ten obligations. Compliance requires action across all ten.

  2. Collecting NRIC numbers by default. NRIC collection is restricted. See our guide on NRIC Collection Rules.

  3. Not knowing where your data is. Without a data inventory, you cannot protect what you do not know you have.

  4. Ignoring the DNC Registry. Many SMEs send marketing SMS without checking the registry. This is a common and easily avoidable violation.

  5. No breach response plan. When a breach happens, you have 3 calendar days to notify the PDPC. Without a plan, you will scramble and risk missing the deadline.

  6. Assuming small businesses are exempt. There is no size exemption. A sole proprietor with 10 customers must comply, just as a company with 10,000 customers must.

  7. Using personal email for business data. Sending customer data via personal Gmail or WhatsApp creates security and retention risks.

  8. Not training staff. A single careless email or lost USB drive can trigger a notifiable breach.

  9. Outdated privacy policies. If your data practices have changed but your privacy policy has not, you are in breach of the Notification Obligation.

  10. Ignoring overseas data transfers. If you use cloud services hosted outside Singapore, the Transfer Limitation Obligation applies. Review your cloud provider contracts.

How to Get Started Today

Feeling overwhelmed? You do not need to do everything at once. Here is a practical order:

Week 1:

  • Appoint your DPO (even if it is you)
  • Start your data inventory

Week 2:

  • Draft or update your privacy policy
  • Review consent collection points

Week 3-4:

  • Implement basic security measures
  • Set up your DNC Registry account
  • Draft your breach response plan

Month 2:

  • Conduct staff training
  • Review third-party contracts
  • Create your internal Data Protection Policy

Not sure where you stand? ComplyHQ's AI-powered gap assessment takes 10 minutes and identifies exactly which obligations you have covered and which need attention.

Frequently Asked Questions

Is my small business exempt from the PDPA?

No. The PDPA applies to all private sector organisations in Singapore regardless of size, including sole proprietors, freelancers, and home-based businesses. There is no revenue threshold or employee count exemption. However, compliance expectations are proportionate to your organisation's size and the volume of data you handle.

How long does PDPA compliance take for an SME?

Most SMEs can achieve baseline compliance within 4 to 8 weeks if they work through it systematically. The key steps — appointing a DPO, drafting a privacy policy, and building a basic data inventory — can be done in the first two weeks. Implementing security measures and staff training typically takes another 2 to 4 weeks.

Do I need to hire a consultant for PDPA compliance?

Not necessarily. Many SMEs achieve compliance using the PDPC's free resources and tools like ComplyHQ. A consultant may be helpful for complex situations, such as large-scale data processing, cross-border transfers, or if you have experienced a data breach. For most SMEs, a combination of self-service tools and the PDPC's compliance toolkit is sufficient.

What is the most common PDPA mistake SMEs make?

The most common mistake is assuming compliance means having a privacy policy on your website. A privacy policy is important, but PDPA compliance involves all 10 obligations, including appointing a DPO, building a data inventory, training staff, implementing security measures, and having a breach response plan. Many SMEs also overlook the Do Not Call Registry requirements when sending marketing messages.

Can I use the PDPC's free tools instead of compliance software?

Yes. The PDPC provides free tools including a Data Protection Toolkit for SMEs, a Data Protection Notice Generator, and self-assessment checklists. These are a good starting point. Compliance software like ComplyHQ adds value through AI-powered guidance, ongoing monitoring, automated assessments, and structured workflows that make it easier to maintain compliance over time.
