PDPA Compliance Checklist for SMEs in Singapore (2026 Guide)
A practical PDPA compliance checklist for Singapore small businesses. Learn the 9 key obligations, 2021 amendment changes, and step-by-step actions to avoid penalties.
If you run a small or medium-sized business in Singapore, the Personal Data Protection Act (PDPA) applies to you — no exemptions. Whether you have 2 employees or 200, the obligations are the same.
Many SME owners assume data protection is only a concern for large corporations. That assumption can be costly. In recent years, PDPC (Personal Data Protection Commission) has issued penalties to organisations of all sizes, including fines of S$250,000 to SingHealth and IHIS for the 2018 data breach, and S$10,000 to Grabcar for a data exposure incident.
This guide provides a practical checklist to help your business stay compliant with the PDPA.
What Is the PDPA?
The PDPA (Personal Data Protection Act 2012) is Singapore's main data protection law. It was significantly amended in 2020/2021, with key changes taking effect from February 2021.
Key 2021 Amendment Changes
| Change | Impact |
|---|---|
| Mandatory data breach notification | Must notify PDPC within 3 calendar days of assessing a breach as notifiable |
| Increased financial penalties | Up to 10% of annual turnover in Singapore or S$1 million, whichever is higher |
| Deemed consent by contractual necessity | Broader bases for processing personal data |
| Data portability obligation | Individuals can request data transfer to another organisation |
The 9 Key PDPA Obligations
Every organisation must comply with these nine obligations:
- Consent Obligation — Obtain consent before collecting, using, or disclosing personal data
- Purpose Limitation Obligation — Only collect data for reasonable purposes
- Notification Obligation — Inform individuals of the purpose of data collection
- Access Obligation — Provide individuals access to their data upon request
- Correction Obligation — Correct errors in personal data when requested
- Accuracy Obligation — Ensure personal data is accurate and complete
- Protection Obligation — Protect data with reasonable security measures
- Retention Limitation Obligation — Stop retaining data when no longer needed
- Transfer Limitation Obligation — Ensure adequate protection for overseas data transfers
Your SME Compliance Checklist
Use this step-by-step checklist to assess and improve your PDPA compliance:
1. Appoint a Data Protection Officer (DPO)
This is mandatory for ALL organisations in Singapore — no exceptions. Your DPO can be an existing employee or an outsourced professional. Make sure their business contact information is publicly available on your website.
2. Develop a Data Protection Policy
Document how your business collects, uses, stores, and disposes of personal data. This policy should be accessible to employees and customers.
3. Conduct a Data Inventory
Map out what personal data you collect, where it is stored, who has access, and how it flows through your organisation. This is the foundation for all other compliance activities.
4. Review Consent Collection Practices
Ensure you are obtaining valid consent for each purpose of data collection. Under the 2021 amendments, you may also rely on deemed consent or legitimate interests in certain situations — but document your rationale.
5. Implement a Data Breach Response Plan
With the mandatory breach notification requirement, you need a documented plan for:
- Identifying and containing breaches
- Assessing whether a breach is notifiable
- Notifying PDPC within 3 calendar days
- Notifying affected individuals when significant harm is likely
6. Train Employees on Data Handling
Regular training ensures every team member understands their responsibilities. PDPC provides free e-learning modules that are a good starting point.
7. Review Vendor and Third-Party Contracts
If you share personal data with vendors, your contracts must include data protection clauses. You remain responsible for data handled by your service providers.
8. Ensure Cross-Border Transfer Protection
If you transfer personal data outside Singapore, ensure the receiving country provides comparable protection, or put contractual safeguards in place.
9. Set Up Data Retention and Disposal Schedule
Establish clear retention periods for different data categories and implement secure disposal procedures when data is no longer needed.
Helpful PDPC Resources
| Resource | Details |
|---|---|
| Data Protection Trustmark (DPTM) | Free certification programme for SMEs |
| PDPC e-Learning | Free online courses on PDPA compliance |
| DPO Competency Framework | Guidance on skills required for DPOs |
| Advisory Guidelines | Detailed guidance on each PDPA obligation |
Sharing Sensitive Compliance Documents Securely
During your compliance process, you will need to share data audit reports, breach assessment documents, and policy drafts with your DPO, legal advisors, or management team.
Sending these via regular email or messaging apps like iMessage carries risks — especially if the documents contain personal data inventories or vulnerability assessments.
LOCK.PUB lets you create password-protected memos to share sensitive audit documents securely. You can set an expiration time so the information is only accessible for as long as needed. This approach aligns with the PDPA's Protection Obligation — ensuring that even compliance documents are handled securely.
Penalties for Non-Compliance
| Penalty Type | Amount |
|---|---|
| Financial penalty (organisations) | Up to 10% of annual turnover in Singapore or S$1 million, whichever is higher |
| Directions from PDPC | Orders to stop collecting/using data, destroy data, etc. |
| Criminal liability (for egregious misuse) | Fines up to S$5,000 or imprisonment up to 2 years |
Real Enforcement Examples
- SingHealth breach (2018): S$250,000 fine each for SingHealth and IHIS
- Grabcar (2019): S$10,000 fine for a data exposure incident
Get Started Today
PDPA compliance is not optional, and PDPC is actively enforcing the law. The good news is that for most SMEs, the steps are manageable — especially with the free resources PDPC provides.
Start with the checklist above, appoint your DPO, and work through each item systematically. When you need to share sensitive compliance documents during the process, consider using LOCK.PUB to add a layer of password protection.
Your customers' data — and your business's reputation — depend on it.