• 30 April, 2026
• No Comments

1 mandatory DPO, 0 payroll strain: why outsourcing fits liquidation

Liquidation is often described as the end of a business, but from a data protection perspective, it is rarely an immediate stop. Even as operations wind down, organisations may still hold employee records, customer contact details, invoices, complaint emails, reservation logs, supplier contracts, access logs, and archived correspondence. In Singapore, that creates a practical accountability problem: personal data still exists, people can still ask questions about it, and mistakes made during wind-down can still become incidents.

That is why the Data Protection Officer remains relevant during liquidation. Under the Personal Data Protection Act, organisations are expected to designate at least one individual to be responsible for ensuring compliance, and to make the DPO’s business contact information publicly available. When staff are leaving, and budgets are being constrained, an outsourced DPO is often the simplest way to keep that responsibility properly covered, without committing to an unnecessary full-time salary.

Liquidation does not automatically remove your PDPA obligations

A common misconception is that PDPA obligations end the moment a company stops trading. In practice, obligations are tied to whether the organisation still has personal data in its possession or under its control. Even a dormant company can still have HR data, historical customer emails, or archived records that remain subject to protection duties. Some practitioners and compliance commentators note that this logic applies to organisations in liquidation or ceasing operations, so long as personal data is still held or processed.

During liquidation, data risk can actually increase. There is often a hurried handover, systems are decommissioned, mailboxes are closed, laptops are returned, and shared drives are copied “just in case”. Each of these steps can create accidental over-retention, unsecured copies, or unauthorised access. Without a clear data protection function, decisions get made ad hoc, and that is where small errors turn into reputational and regulatory trouble.

The DPO role is clear in scope, yet essential throughout the wind-down

The DPO does not need to be a large department. At its core, the DPO is the named person responsible for overseeing personal data protection compliance and acting as the organisation’s contact point. PDPC guidance frames appointing a DPO as a mandatory step and highlights the importance of having a clear contact.

In liquidation, that “contact point” function becomes more important, not less. Former customers may ask for clarification about what data is retained. Ex-employees may raise concerns about disclosures during offboarding. Vendors may query whether they should continue processing personal data. A DPO ensures these queries are handled consistently, recorded properly, and responded to in a way that reduces risk.

Why an outsourced DPO is often the most rational option

A full-time DPO hire is usually unjustifiable during liquidation. The organisation is reducing headcount, conserving cash, and focusing on closing obligations. Yet the requirement to have a DPO and a public contact remains practical and, in many cases, expected.

An outsourced DPO fits liquidation realities better. First, it avoids the overhead of hiring and salary commitments for a role that may be needed intermittently, but continuously. Second, it creates continuity when internal staff leave, and knowledge disappears. Third, it provides professional discipline around decisions that frequently cause issues during liquidation, such as retention, disposal, access rights, and data transfer to liquidators or successor entities.

The hidden risk is not only breaches, but also unmanaged access and over-retention

Liquidation workflows often leave behind “ghost access”. Shared admin accounts stay active because no one owns the clean-up. Dormant mailbox forwarding remains enabled. Old VPN accounts and MFA devices are not revoked. Cloud storage links continue to exist after the original custodian leaves. These gaps are exactly what attackers and opportunistic insiders exploit.

CSA’s broader cyber hygiene messages consistently emphasise the value of reducing unnecessary access and deleting dormant accounts, because unused access is still access. While that is often discussed in cybersecurity advisories, it is equally relevant to PDPA risk, because access failures are one of the fastest routes to unauthorised disclosure. An outsourced DPO can drive a practical checklist for liquidation: who still needs access, what should be disabled, what must be preserved for statutory purposes, and what should be disposed of securely.

Making DPO contact information public, and what changed with BizFile+

Under the PDPA, organisations must make the DPO’s business contact information publicly available. For years, many organisations used ACRA’s BizFile+ as a convenient way to satisfy this “public contact” expectation. However, ACRA announced that from 1 December 2024, DPO registration on BizFile+ would be unavailable until further notice, and organisations should register or update DPO information through an online form on the PDPC website instead.

This shift makes outsourced DPO arrangements even more practical. Liquidating firms can keep a stable contact point that does not depend on internal employee turnover. It also reduces the risk of publishing an ex-employee’s contact details or leaving outdated information visible, which can confuse and missed communications at exactly the wrong time.

What “capped annual fees” and “unlimited advisories” mean strategically

Liquidation can be lengthy, unpredictable, and administratively heavy. One month may be quiet, the next may involve urgent requests, system decommissioning, and communications with multiple parties. This is where a DPOaaS model with capped annual fees and unlimited advisory support becomes strategic.

Instead of paying a salary, benefits, and recruitment costs for a full-time DPO, the organisation locks in a known fee that is easier to justify to liquidators and stakeholders. Unlimited advisory access also matters in liquidation because questions are usually urgent and context-specific. A vendor may need a decision on data transfer. A former customer may escalate a complaint. A staff member may ask about retention. Quick, consistent guidance reduces the chance of conflicting answers and poor documentation.

How Privacy Ninja can help you

Privacy Ninja supports organisations that need a pragmatic, compliant way to maintain the DPO function during liquidation without building unnecessary internal headcount. An outsourced DPO provides a stable point of contact, keeps PDPA compliance activities organised, and ensures personal data questions and issues are handled consistently while the organisation winds down.

With DPO-as-a-Service, organisations can cap annual costs, maintain unlimited advisory support for the inevitable questions that arise during liquidation, and reduce risk created by staff turnover, unmanaged access, and hurried disposal of systems. Where technical assurance is needed, Privacy Ninja can also help validate practical risk areas that often go overlooked in wind-down phases, such as exposed accounts, residual access paths, and insecure data storage.

Liquidation does not eliminate data responsibility. It often increases the chance of mistakes, because the organisation is changing quickly while still holding personal data. The DPO role in Singapore is meant to create accountability and a clear contact point, and that need remains relevant through wind-down. For many liquidating firms, the most sensible way to meet that obligation without unnecessary salary cost is an outsourced DPO, backed by a clear fixed fee and ongoing advisory support that fits the real cadence of liquidation.