PDPA Compliance · 8 min read · 12 April 2026

PDPA Penalties and Fines: What You Risk for Non-Compliance

PDPA penalties up to S$1M or 10% turnover. Learn fine amounts, enforcement trends, real cases, and how to avoid costly non-compliance in Singapore.

ComplyHQ Team

PDPA compliance is not optional, and the consequences of getting it wrong are substantial. The Personal Data Protection Commission (PDPC) has the power to impose financial penalties of up to S$1 million per breach — or 10% of annual turnover for larger organisations — along with directions that can materially impact how you run your business.

This guide breaks down the penalty framework, real enforcement trends, and what Singapore businesses can learn from published cases.

The PDPA Penalty Framework

Financial Penalties

The PDPC can impose financial penalties at two levels:

Standard cap (most organisations):

  • Up to S$1 million per breach

Enhanced cap (larger organisations):

  • For organisations with annual turnover exceeding S$10 million in Singapore: up to 10% of annual turnover
  • This enhanced cap was introduced by the Personal Data Protection (Amendment) Act 2020 and came into effect on 1 February 2021

The enhanced cap means that for a company with S$50 million in annual revenue, the maximum penalty is S$5 million per breach. For a company with S$200 million in revenue, it is S$20 million.

Directions

In addition to (or instead of) financial penalties, the PDPC can issue binding directions requiring organisations to:

  • Stop collecting, using, or disclosing personal data in a specific manner
  • Destroy personal data that was improperly collected
  • Provide access to personal data in response to requests
  • Implement specific measures (e.g., improve security, conduct staff training, appoint a DPO)
  • Pay compensation to affected individuals

Failure to comply with a PDPC direction is itself a breach, potentially resulting in additional penalties.

Criminal Liability

In severe cases, individuals may face criminal liability:

  • Directors and officers: Under Section 51, if a breach was committed with the consent, connivance, or neglect of a director, manager, secretary, or similar officer, that individual is personally liable.
  • Misuse of personal data: Under Section 48F, individuals who knowingly or recklessly misuse personal data can face criminal charges, with penalties of up to S$5,000 fine or up to 2 years' imprisonment, or both.
  • Egregious cases: Individuals who misuse personal data for wrongful gain or to cause harm can face fines up to S$10,000 or up to 3 years' imprisonment, or both.

Public Naming

All PDPC enforcement decisions are published on the PDPC website. The published decision includes:

  • The full name of the organisation
  • A detailed description of the breach
  • The PDPC's reasoning
  • The penalty or direction imposed

These decisions are permanent, searchable, and frequently covered by Singapore media outlets like The Straits Times, CNA, and The Business Times. For many businesses, the reputational damage from a published decision is more costly than the financial penalty itself.

How the PDPC Determines Penalty Amounts

The PDPC considers multiple factors when deciding the amount of a financial penalty:

Aggravating Factors (Higher Penalties)

  • Large volume of personal data affected
  • Sensitive data involved (NRIC, health records, financial data)
  • Deliberate or reckless conduct
  • Repeated breaches or failure to address known issues
  • Failure to notify a notifiable data breach
  • Lack of cooperation with the PDPC's investigation
  • No data protection policies or DPO in place
  • No staff training on data protection

Mitigating Factors (Lower Penalties)

  • Prompt containment and notification of breaches
  • Voluntary remediation measures implemented
  • Cooperation with the PDPC's investigation
  • Existing compliance measures that were reasonable but insufficient
  • Small scale of the breach
  • First-time breach with no prior history
  • Evidence of good faith efforts to comply

Real PDPC Enforcement Cases

The PDPC has published hundreds of enforcement decisions since the PDPA came into full effect. Here are notable cases that illustrate the range of penalties and the types of breaches that trigger enforcement.

Major Cases

SingHealth / IHIS (2019) — S$1,000,000 total (S$250,000 SingHealth + S$750,000 IHIS)

The landmark PDPA case. A cyberattack compromised the personal data of 1.5 million patients, including the Prime Minister. The PDPC found systemic failures in the Protection Obligation: inadequate staff training, insufficient security monitoring, delayed incident detection, and poor breach response. This remains the highest penalty imposed to date.

Grab (2020) — S$10,000

Grab updated its privacy policy to allow broader data sharing with third-party partners without obtaining proper consent. The PDPC found a breach of the Consent Obligation. Despite the relatively modest fine, the case attracted significant media attention and public scrutiny, demonstrating that reputational consequences often exceed financial penalties.

SME-Relevant Cases

The PDPC regularly acts against small and medium-sized businesses. Typical penalties for SMEs range from S$5,000 to S$100,000, depending on the severity.

Common breach patterns in SME enforcement cases include:

  • Unpatched software: A website running outdated CMS software was compromised, exposing customer data. Penalty: S$15,000 to S$50,000.
  • Employee errors: Staff emailing personal data to the wrong recipients, losing devices containing personal data, or leaving documents exposed. Penalty: S$5,000 to S$20,000.
  • Inadequate access controls: Shared login credentials, no access restrictions based on job function. Penalty: S$10,000 to S$30,000.
  • NRIC over-collection: Collecting NRIC numbers without a lawful basis, particularly for visitor registration and membership sign-ups. Penalty: warnings to S$10,000.

The PDPC's enforcement activity has increased significantly since the 2020 amendments. Key trends include:

  1. Higher penalties: The average penalty amount has increased year over year
  2. More proactive investigations: The PDPC increasingly initiates investigations (rather than responding only to complaints)
  3. Focus on the Protection Obligation: Security failures remain the most common basis for enforcement
  4. Breach notification failures: The PDPC is actively penalising organisations that fail to report notifiable breaches
  5. SME enforcement: The PDPC is not limiting enforcement to large organisations — SMEs are regularly subject to penalties

The Hidden Costs of Non-Compliance

Financial penalties are only part of the picture. The true cost of PDPA non-compliance includes:

Reputational Damage

A published PDPC decision appears in Google search results when someone searches for your business name. For B2B companies, this can affect partnerships and contracts. For consumer-facing businesses, it erodes trust.

Business Disruption

A PDPC direction to stop collecting or using data in a specific manner can force operational changes. If your business relies on a data practice that the PDPC prohibits, you may need to restructure processes, update systems, and retrain staff — all while continuing to operate.

Loss of Contracts

Increasingly, large organisations and government agencies require PDPA compliance from their vendors and suppliers. A published enforcement decision can disqualify your business from contracts and tenders.

Investigation Costs

Cooperating with a PDPC investigation requires time and resources. You may need to engage external consultants, review internal systems, produce documentation, and prepare responses. For a small business, this can be a significant distraction from core operations.

Customer Loss

Data breaches damage customer relationships. Research consistently shows that a significant percentage of consumers will stop doing business with a company after a data breach, particularly if the company's response is perceived as inadequate.

How to Minimise Your Risk

The most cost-effective approach is prevention. Here is what the PDPC consistently looks for when evaluating compliance:

The Basics That Every Business Should Have

  1. A designated DPO with public contact information
  2. A written Data Protection Policy
  3. A privacy policy on your website
  4. Staff training on data protection basics
  5. Basic security measures: access controls, encryption, software updates
  6. A data breach response plan
  7. DNC Registry compliance for marketing activities

What Demonstrates Good Faith

The PDPC consistently treats the following as mitigating factors:

  • Having policies and procedures in place, even if they were not perfect
  • Investing in staff training
  • Responding promptly to data breaches
  • Cooperating fully with PDPC investigations
  • Taking voluntary remediation steps before being directed to do so
  • Engaging external experts when needed

The difference between a warning and a S$50,000 fine often comes down to whether the organisation can demonstrate that it made reasonable efforts to comply.

Not sure where your compliance gaps are? ComplyHQ's AI-powered gap assessment evaluates your current practices against each PDPA obligation and identifies the areas that need attention. It takes 10 minutes and could save you from a costly enforcement action.

Comparing PDPA Penalties Internationally

For businesses operating across borders, it helps to understand how PDPA penalties compare to other data protection regimes:

  Framework                 Maximum Penalty                       Jurisdiction
  PDPA (Singapore)          S$1M or 10% turnover                  Singapore
  GDPR (EU)                 EUR 20M or 4% global turnover         EU/EEA
  CCPA/CPRA (California)    US$7,500 per intentional violation    California, US
  PIPL (China)              RMB 50M or 5% annual revenue          China
  LGPD (Brazil)             BRL 50M per violation                 Brazil

While PDPA penalties are lower than GDPR in absolute terms, they are significant for Singapore SMEs and can be existentially damaging for smaller businesses.

For a detailed comparison, see PDPA vs GDPR: Key Differences Singapore Businesses Should Know.

Frequently Asked Questions

What is the maximum fine under the PDPA?
The maximum financial penalty is S$1 million per breach for most organisations. For organisations with annual turnover exceeding S$10 million in Singapore, the penalty can be up to 10% of their annual turnover in Singapore, which can exceed S$1 million. The enhanced penalty framework was introduced by the 2020 PDPA amendments.
Can directors be personally liable for PDPA breaches?
Yes. Under Section 51 of the PDPA, if a breach is committed with the consent or connivance of, or is attributable to neglect by, a director, manager, secretary, or similar officer, that individual may be personally liable. This means personal fines and potentially criminal charges in severe cases.
Does the PDPC publish the names of organisations it penalises?
Yes. All PDPC enforcement decisions are published on the PDPC website with the full name of the organisation, a description of the breach, and the penalty imposed. This publication is public and permanent, and is often picked up by Singapore media. The reputational damage from a published decision frequently exceeds the financial penalty.
Are there any warning steps before the PDPC imposes a fine?
The PDPC follows a graduated enforcement approach. For minor breaches, it may issue a warning or direction to comply without a financial penalty. However, the PDPC can and does impose immediate financial penalties for serious breaches, particularly those involving large volumes of data, sensitive data types, or failure to implement basic security measures.
