
Data & Privacy · Singapore


Comprehensive law: Personal Data Protection Act 2012 (PDPA), administered by the Personal Data Protection Commission (PDPC); amended by the Personal Data Protection (Amendment) Act 2020.

Singapore has a comprehensive personal-data protection regime under the PDPA 2012, which governs the collection, use, disclosure and care of personal data by private-sector organisations. It is enforced by the PDPC and is supplemented by sector regulators (MAS, IMDA, MOH). The 2020 amendments introduced mandatory data-breach notification, mandatory financial penalties of up to 10% of annual turnover, and data portability provisions.

Supervisory authority

The Personal Data Protection Commission (PDPC), operating under the Infocomm Media Development Authority (IMDA), administers and enforces the PDPA, issues advisory guidelines, and handles complaints and breach reports.

Core data protection obligations

Organisations must comply with obligations covering consent, purpose limitation, notification, access and correction, accuracy, protection/security, retention limitation, transfer limitation, accountability, and data portability. Consent must be informed and may be withdrawn at any time.

Mandatory data breach notification

Since the regime took effect (1 Feb 2021), organisations must notify the PDPC of breaches likely to cause significant harm or affecting 500 or more individuals, no later than 3 calendar days after assessing that the breach is notifiable, and must notify affected individuals as soon as practicable.

Financial penalties

Effective 1 October 2022 (under the 2020 amendments), the maximum financial penalty is 10% of an organisation's annual turnover in Singapore where that exceeds S$10 million, or S$1 million in any other case.

Mandatory Data Protection Officer

Every organisation must appoint at least one Data Protection Officer (DPO) and make their business contact details available; the DPO's details must be registered with, or notified to, the PDPC (a requirement reinforced from 1 June 2025).

NRIC authentication ban (2026)

Following a PDPC advisory, private organisations must cease using NRIC numbers for authentication (e.g., as passwords or login credentials) by 31 December 2026, with stepped-up enforcement from 1 January 2027; sector regulators (MAS, IMDA, MOH) have issued aligned guidance.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.