Legal · 7 min read · 15 May 2026

How to Write a PDPA-Compliant Privacy Policy for Your Singapore Business

Step-by-step guide for Singapore SMEs to write a PDPA-compliant privacy policy. Covers PDPC requirements, mandatory clauses, and common mistakes to avoid.

ComplyHQ Team

I reviewed a privacy policy for a Singapore SME last month. It was three years old, referenced Mailchimp (they'd switched to Brevo a year ago), listed a payment processor they no longer used, claimed they didn't share data internationally (they use Google Analytics, which processes data in the US), and described a consent process that bore no resemblance to what their website actually did. If the PDPC had investigated, every one of those discrepancies would have been a finding.

This is more common than you'd think. Many SME owners either skip the privacy policy, copy one from a foreign website, or paste together a generic template and never look at it again. None of those approaches survive scrutiny.

TL;DR: Your Singapore business needs a privacy policy that covers eight specific areas under the PDPA. Copying a GDPR template from a UK website won't work — different law, different concepts, different terminology. Your policy must accurately reflect what you actually do with data. The gap between your policy and your practice is what the PDPC investigates.


What the PDPA Actually Requires

The PDPA governs how Singapore organisations collect, use, disclose, and care for personal data. "Personal data" means anything that can identify an individual — names, NRIC numbers, emails, phone numbers, photos, IP addresses, and combinations that together make someone identifiable.

Under the Accountability Obligation (one of eleven obligations in the Act), your organisation must develop and implement data protection policies, make them available to individuals, and designate a Data Protection Officer (DPO) — a role that can be held by an existing employee.

The PDPC's Advisory Guidelines on Key Concepts are explicit: a published privacy policy is the baseline expectation.

The 2020 Amendments Raised the Stakes

The PDPA was significantly strengthened by amendments that came into force on 1 February 2021:

  • Mandatory breach notification: Notify the PDPC and affected individuals within 3 calendar days of discovering a notifiable breach
  • Deemed consent by contractual necessity: Must be reflected in your policy
  • Enhanced penalties: Up to S$1 million, or 10% of annual Singapore turnover for larger organisations
  • Legitimate interests exception: Can process data without consent in limited circumstances, but only if documented

If your privacy policy was written before 2021, it almost certainly needs an overhaul.


The Eight Sections Every Singapore Privacy Policy Needs

1. Who You Are and DPO Contact

Start with your organisation's full legal name, business registration number, registered address, and your DPO's contact details. The PDPA requires individuals to be able to reach your DPO easily — a generic "contact us" form buried on your website isn't sufficient. Include a dedicated email address for data protection queries.

2. What Personal Data You Collect

Be specific. "We may collect various types of information" is a red flag during PDPC audits. List what you actually collect, organised by how:

  • Direct collection: Name, email, phone, NRIC/passport, payment details.
  • Automated collection: IP addresses, cookies, device identifiers, browsing behaviour.
  • Third-party collection: Data from referral partners, social logins, marketing platforms.
  • Sensitive data: Health info, race, religion. These need explicit handling disclosures.

3. Why You Collect It

This is the most scrutinised section in PDPC enforcement decisions. The Purpose Limitation Obligation requires data to be collected for a specific purpose and only used for that purpose.

Don't write vague catch-all purposes. Be concrete: "We collect your email address to send order confirmations and delivery updates." "We collect your IP address to detect fraudulent login attempts." "We process payment card details solely through [Gateway Name] — we don't store full card numbers."

4. How You Obtain Consent

Explain how you obtain consent and what happens when individuals withdraw it. Under Section 15, consent must be voluntary, informed, and specific. Also disclose any legitimate interests exceptions you rely on — the 2020 amendments require you to state what those interests are and confirm you've conducted a balancing test.

5. Who You Share Data With

Name your third-party data processors and explain why. Cloud services, payment gateways, email platforms, analytics tools — these are all data-sharing arrangements that must be disclosed. Include the name or category, the purpose, and whether they're located outside Singapore.

6. Overseas Data Transfers

The Transfer Limitation Obligation requires that data transferred outside Singapore receives comparable protection. This applies to any cloud service, SaaS tool, or partner with overseas servers.

Many Singapore SMEs unknowingly breach this by using US-based tools like Mailchimp, HubSpot, or Google Analytics without disclosing the transfer or ensuring adequate safeguards.

7. How Long You Keep Data

The Retention Limitation Obligation means data shouldn't be kept longer than necessary. Specify retention periods for each category:

  • Customer transaction records: typically 5-7 years (IRAS and accounting).
  • Marketing data: until opt-out, plus a reasonable suppression period.
  • Job applications: PDPC suggests 1-2 years for unsuccessful applicants.
  • CCTV footage: no longer than 30 days unless specifically justified.

8. Individual Rights

Individuals can access their data, correct inaccuracies, withdraw consent, and (for certain data types) port their data. Your policy must explain how to submit requests, your response timeline (30 calendar days under the PDPA), and any applicable fees.


The Mistakes That Get SMEs in Trouble

Copying a Foreign Privacy Policy

I see this constantly. GDPR policies reference "data controllers," "lawful basis," and "supervisory authorities" — none of which are PDPA concepts. Using one signals to the PDPC that you haven't thought about your actual obligations.

Template That Doesn't Match Reality

The PDPC's enforcement decisions repeatedly cite organisations whose policies described practices that didn't match what they actually did. If your policy says you anonymise data within 90 days but you don't, that inconsistency is an aggravating factor during an investigation.

Burying the Policy

The Accountability Obligation requires your policy to be "available" — which the PDPC interprets as reasonably easy to find. Link it from your website footer, your sign-up forms, and anywhere you collect personal data. A policy buried in a PDF three clicks deep is treated as effectively non-existent.

Never Updating It

A 2019 policy that still references your old payment processor, a tool you no longer use, or practices you've changed is a liability. Each discrepancy is a potential finding during investigation.


Getting Your Policy Done: Three Phases

Phase 1 — Data mapping. Before writing a word, map what personal data you actually collect, where it comes from, where it goes, and how long you keep it. Your policy can only be accurate if you know the ground truth.

Phase 2 — Drafting. Use your data map to populate each of the eight sections. Write in plain English — the PDPC encourages clear language that customers can actually understand.

Phase 3 — Maintenance. Schedule quarterly reviews and establish a process for flagging when new tools or workflows require a policy update.

For SMEs that want to get this done without hiring a law firm or spending weeks on internal workshops, platforms like ComplyHQ offer AI-powered policy generation that reflects your actual data practices — handling your PDPA obligations in minutes instead of weeks.


How the PDPC Uses Your Privacy Policy

The PDPC doesn't just investigate breaches reported to it. It conducts proactive audits, responds to individual complaints, and monitors organisations in high-risk sectors. Smaller businesses are not immune — the PDPC has published enforcement decisions against single-outlet F&B operators and one-person recruitment firms.

A well-maintained, accurate privacy policy is consistently cited as a mitigating factor in enforcement decisions. It signals that the organisation takes its obligations seriously, which can reduce penalties.

The absence of a policy — or one that clearly doesn't match actual practices — is routinely cited as an aggravating factor.


Key Takeaways

  • The PDPA applies to every Singapore business handling personal data, regardless of size
  • Your privacy policy must cover: who you are, what data you collect, why, who you share it with, overseas transfers, retention periods, and individual rights
  • Copy-pasting a GDPR or foreign template is one of the most common compliance mistakes
  • The 2020 amendments increased penalties significantly and added mandatory breach notification
  • The gap between your policy and your practice is the primary finding in PDPC enforcement actions

A clear, honest, current privacy policy is the foundation of PDPA compliance. Start with your data map, build out each section, and review it when things change. That's it.

Sources

  1. PDPC — Advisory Guidelines on Key Concepts
  2. Personal Data Protection Act 2012
  3. PDPC — Personal Data Protection Commission


Frequently Asked Questions

Does my Singapore SME legally need a privacy policy under the PDPA?
Yes. The Personal Data Protection Act 2012 (PDPA) requires every organisation that collects, uses, or discloses personal data to make its data protection policies and practices available to individuals upon request. In practice, this means publishing a clear, accessible privacy policy — either on your website or at your place of business. The PDPC has consistently treated the absence of a privacy policy as evidence of poor governance during investigations.
What happens if my privacy policy is non-compliant or missing?
The PDPC can issue financial penalties of up to S$1 million per breach, or 10% of your annual Singapore turnover (whichever is higher) for organisations with annual local turnover exceeding S$10 million — a threshold introduced by the 2020 PDPA amendments. Beyond financial penalties, the PDPC can issue directions to stop data collection, mandate remediation, and publish its findings publicly. Several Singapore SMEs have been named in published enforcement decisions, causing lasting reputational damage.
How often should I update my privacy policy?
The PDPC expects your privacy policy to accurately reflect your current data practices at all times. You should review it whenever you introduce a new product, service, or system that changes how you collect or process personal data — and at minimum once a year. Material changes (such as sharing data with new third parties or introducing overseas data transfers) require you to notify affected individuals before the change takes effect. Document every update with a version date so you have an audit trail.
Tags: PDPA, Singapore compliance, SME, data protection, PDPC
