PDPA

Personal Data Protection Act 2012

The PDPA governs the collection, use and disclosure of personal data by private-sector organizations in Singapore. It is administered by the Personal Data Protection Commission and was significantly amended in 2021 to add mandatory breach notification, refined consent rules and stronger enforcement.

Jurisdiction: 🇸🇬 Singapore
Type: Data privacy
In effect: 2012
Authority: Personal Data Protection Commission (PDPC)

Who it applies to

Private-sector organizations that collect, use or disclose personal data of individuals in Singapore, regardless of whether the organization is formed or resident in Singapore.

Identity requirements

How it impacts identity systems

Identity area: Impact
Customer identity & consent (CIAM): Consent and purpose-limitation rules shape how identity data is collected and managed in customer-facing systems.
Breach notification: Notifiable data breaches must be reported to the PDPC and affected individuals within the prescribed timeframe.
Audit, logging & accountability: Organizations must appoint a DPO and demonstrate accountability for personal data handling.
Authentication & MFA: Reasonable security arrangements drive access controls and authentication to protect personal data from unauthorized access.

Penalties

Financial penalties of up to 1 million Singapore dollars, or up to 10 percent of annual turnover in Singapore for organizations with local turnover exceeding 10 million Singapore dollars.

PDPA: frequently asked questions

Is data breach notification mandatory under the PDPA?
Yes. Since the 2021 amendments, organizations must notify the PDPC and affected individuals of breaches that are of significant scale or likely to cause significant harm.
Do organizations need a Data Protection Officer?
Yes. The PDPA requires organizations to designate at least one individual as a Data Protection Officer responsible for ensuring compliance.
Does the PDPA apply to organizations based outside Singapore?
Yes. It applies to organizations that collect, use or disclose personal data of individuals in Singapore even if the organization is not physically located there.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.