Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Understanding the mandatory data breach notification of Singapore

mandatory data breach notification
The mandatory data breach notification is here for Singaporean organizations to follow!

Understanding the mandatory data breach notification of Singapore

Singapore’s Personal Data Protection Commission (PDPC) has declared that the mandatory data breach notification will soon become required in Singapore. However, not all infractions must be reported. This guide is to help businesses understand when, to whom, and how to inform in the event of a data breach.

What exactly is a data breach?

A data breach is defined as any illegal access, collection, use, disclosure, copying, modification, or disposal of personal data in the ownership or control of an organization.

When and to whom should a company report a data breach?

1. When the data breach that occurred is:

  • likely to cause significant harm or effect to the people to whom the information relates; or
  • on a significant scale (as a rule of thumb, data from 500 or more individuals is affected).

2. When a data breach is likely to cause significant harm or impact to the individuals to whom the information belongs, an organization must notify affected individuals (including parents and legal guardians of minors whose personal data is compromised).

There may be exceptions where:

  • the personal information has been encrypted and cannot be decoded; or
  • corrective efforts were implemented so that the breach is unlikely to cause significant harm or impact on the persons.

3. When a data intermediary (i.e., an organization that processes personal data on behalf of another) becomes aware of a data breach, it must notify that organization without undue delay (i.e., within 24 hours).

The mandatory data breach notification serves as a guide for Organizations in times of breach

Timeline for reporting in mandatory data breach notification


Reporting should be done as quickly as possible, but no later than three days after deciding that a violation is notifiable.

Organizations must:

  • determine whether a suspected violation is notifiable within 30 days of becoming aware of it;
  • document the procedures taken to assess the violation and keep track of the reasons for any delays.

Notifications made after three days are in violation of the PDPA.

To Individuals who have been affected:

• As soon as possible.

Also Read: Managing employee data under Singapore’s PDPA

PDPC’s data breach notification informs organizations as to the period for reporting the incident

What information should the notification contain?


  • the magnitude of the data leak;
  • the type(s) and quantities of personal data involved;
  • the cause or probable cause of the data leak;
  • whether the data breach has been resolved;
  • the controls and processes in place at the time of the data breach;
  • whether the organization has notified or will notify affected individuals; and
  • contact information for the organization’s representative(s), with whom PDPC can communicate for more information.

To affected individuals:

  • the manner and time of the data leak;
  • the type(s) of personal data at issue;
  • the nature(s) of the injury or impact on impacted individuals, if appropriate;
  • actions performed or planned by the organization in response to the dangers posed by the data breach;
  • detailed information about the data breach and related steps that impacted individuals should take to avoid data misuse; and
  • contact information for affected individuals to contact the organization for additional information and support.
This mandatory data breach notification should not be taken lightly as failure to follow it could result to a financial penalty

Other reporting requirements in Singapore to take note of

If the organization is regulated, it may be obligated to notify the relevant sector’s regulator. In Singapore, for example, financial institutions must report the Monetary Authority of Singapore (MAS) within one hour of discovering a relevant incident (i.e., a system malfunction or IT security incident which has a severe and widespread impact on their operations or materially impacts their service to customers). They must also submit a root-cause and impact analysis report to MAS within 14 days of the incident’s discovery.

While it is not required, an organization should also tell the authorities if it detects any criminal behavior (e.g., hacking, theft, or unauthorized system access). It can also contact the Singapore Computer Emergency Response Team (SingCERT) for technical assistance in the event of a computer security problem.

Depending on the jurisdiction, obligatory notification rules may apply if the data breach affects personal data stored outside of Singapore. The EU, California, the Philippines, China, Australia, and South Korea are among the jurisdictions that currently have obligatory breach reporting laws in place.

What to do before the mandatory data breach notification kicks in

  • Organizations will most likely be granted some time to establish and implement the required policies and practices to comply with the new notification requirements. However, organizations should start thinking about the following actions far in advance of any implementation deadline:
  • Ensure that agreements are evaluated to provide proper data breach protection. This may include counterparty promises on data privacy and security, incident reporting, subcontracting limits, audit rights, and insurance requirements. It is beneficial to retain outside counsel to ensure that contracts are strong and where arrangements or negotiations are more complex.
  • Create a data breach response plan by updating internal policies and procedures. Such a plan should instruct stakeholders on how to detect a breach, who to notify, how to record/document essential information, and other particular activities to take in reaction to an occurrence.
  • Provide training to staff to familiarize them with essential policies, processes, and plans, as well as setting up fake data breach exercises to put them to the test.

Also Read: Check the Do Not Call Registry in Singapore before marketing to phone numbers



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us