AuditXYZ

Personal Data Protection Act 2012 (Singapore)

Singapore's PDPA governs the collection, use, and disclosure of personal data by private organizations, with mandatory breach notification, DPO appointment requirements, and the Do Not Call Registry.

Issuing Body: Parliament of Singapore / Personal Data Protection Commission (PDPC)
First Published: 2012-10-15
Latest Version: 2020 (major amendments effective February 1, 2021)
Typical Cost: $5,000–$80,000
Typical Timeline: 2–8 months
Audit Required: No
Audit Frequency: No mandatory periodic external audit. The PDPC may investigate complaints and conduct inspections. Organizations should perform regular internal reviews.
Geography: Singapore

PDPA Singapore: The Complete Guide

Singapore's Personal Data Protection Act is Southeast Asia's most mature data protection law. Enacted in 2012 and substantially amended in 2020, the PDPA establishes a baseline standard for personal data protection across all private-sector organizations in Singapore. It is administered by the Personal Data Protection Commission, which has built a strong track record of enforcement and guidance.

What the PDPA Covers

The PDPA is organized around a set of data protection obligations. The Consent Obligation requires organizations to obtain individual consent before collecting, using, or disclosing personal data. The 2020 amendments introduced important exceptions including legitimate interests and business improvement purposes, bringing the law closer to the GDPR's approach.

The Notification Obligation requires organizations to inform individuals of the purposes for data collection. The Purpose Limitation Obligation restricts use and disclosure to purposes for which consent was obtained or that fall under recognized exceptions.

Mandatory data breach notification, introduced in the 2020 amendments, requires organizations to notify the PDPC within three calendar days and affected individuals as soon as practicable when a breach results in significant harm or affects 500 or more individuals.

Who Needs to Comply

The PDPA applies to all private-sector organizations in Singapore that collect, use, or disclose personal data. It does not apply to government agencies (which are governed by separate public-sector rules), individuals acting in a personal capacity, or employees acting within the scope of employment (though the employer remains liable).

All organizations must appoint at least one Data Protection Officer, regardless of size. The PDPC provides a DPO competency framework and certification scheme.

Enforcement and Penalties

The 2020 amendments significantly increased penalties. The PDPC may impose financial penalties of up to $1 million SGD or 10% of annual turnover in Singapore for organizations with annual turnover exceeding $10 million SGD. The PDPC publishes enforcement decisions and has issued penalties across industries including healthcare, telecommunications, hospitality, and financial services.

Practical Compliance Steps

  1. DPO appointment — Designate a Data Protection Officer and register with the PDPC
  2. Data inventory — Map personal data flows across collection, use, disclosure, and storage
  3. Consent management — Implement consent collection aligned with PDPA requirements and exceptions
  4. Breach notification — Establish a 72-hour notification process for notifiable breaches
  5. DPIA practices — Conduct assessments for new processing activities or systems
  6. Do Not Call compliance — Ensure marketing communications comply with DNC Registry requirements
