
PDPC data-breach notification template

Last reviewed: June 2026. Reference: PDPA Sec 26D + Personal Data Protection (Notification of Data Breaches) Regulations 2021.

This template is a starting skeleton, not legal advice. Always have outside counsel review before filing. The actual PDPC e-service form structures the response; this template helps you prepare the underlying content.

1. PDPC notification — content checklist (Regulation 5)

  1. Facts and circumstances of the data breach
  2. Number of affected individuals (or best estimate)
  3. Categories of personal data affected
  4. Potential harm to affected individuals
  5. Actions taken / planned to remediate and prevent recurrence
  6. Whether affected individuals have been notified (and if not, why not)
  7. Contact details for follow-up

2. Skeleton text (adapt & legally review)

Personal Data Protection Commission
Data Breach Notification — [ORGANISATION NAME]

1. Organisation details
- Legal name: [ORGANISATION NAME]
- UEN: [UEN]
- DPO: [DPO NAME, EMAIL, PHONE]

2. Breach summary
Between [START DATE/TIME] and [END DATE/TIME], [ORGANISATION] became aware
that [BRIEF DESCRIPTION OF INCIDENT]. The breach was discovered on
[DISCOVERY DATE] when [HOW DISCOVERED]. We determined the breach was
notifiable under PDPA Sec 26B on [DETERMINATION DATE].

3. Affected individuals
- Number affected (or estimate): [N]
- Categories: [e.g. customers in SG / employees / contractors]

4. Personal data affected
- [LIST EACH CATEGORY: full name, NRIC, contact details, account credentials,
  financial information, health information, etc.]
- Whether the data was encrypted / pseudonymised: [DETAIL]

5. Potential harm
- [Identity theft / financial loss / reputational harm / etc., per categories above]

6. Remediation
- Containment actions taken on [DATE]: [SUMMARY]
- Forensic investigation engaged: [IR FIRM NAME], commenced [DATE]
- System hardening / control changes: [SUMMARY]
- Preventive actions planned: [SUMMARY]

7. Individual notification
- Method: [email / post / both]
- Sent on / planned for: [DATE]
- Content: [SUMMARY OR ATTACHMENT]

8. Contact for follow-up
- [NAME, ROLE, EMAIL, PHONE]
- External counsel: [FIRM, PARTNER NAME, CONTACT]

9. Additional information
- [Anything material — e.g. ransom demand, threat-actor identification,
  cross-border data, third-party processor involvement.]

3. Individual notification letter — skeleton

[Letterhead / email header]

[DATE]

Dear [NAME],

Important update about your personal data.

We are writing to inform you of a data security incident at [ORGANISATION]
that may have affected your personal information.

What happened
On [DATE] we discovered [SHORT DESCRIPTION]. We acted immediately to contain
the incident, engaged external cyber-forensics specialists, and have
notified the Personal Data Protection Commission of Singapore.

What information was involved
Based on our investigation to date, the following information of yours may
have been affected:
- [LIST CATEGORIES]

What we are doing
- [Containment + remediation summary]
- We have offered [12 months of credit-monitoring / identity-protection]
  at no cost — to enrol, visit [URL] using access code [CODE]
- We have engaged [LAW FIRM] for ongoing legal advice and [PR FIRM] for
  communications

What you can do
- Be alert to unsolicited contact referencing your [DATA TYPE]
- [Reset passwords / freeze credit / monitor statements / etc.]
- Contact our dedicated helpline at [PHONE] (Mon–Fri, 9am–6pm SGT)
  or email [DEDICATED INBOX]

We are sorry that this happened, and we are committed to making it right.

Sincerely,
[EXECUTIVE NAME], [TITLE]
[ORGANISATION]

4. Things to triple-check before sending

  • Have you reviewed the notice with outside counsel?
  • Have you notified your cyber insurer (and got a claim number)?
  • Are all material facts disclosed? (Material non-disclosure to PDPC is itself a breach.)
  • Have you cleared the comms with senior leadership and your board?
  • Are your customer-service teams briefed and your helpline live?
  • Have you tested any URLs / codes in the individual letter?
  • If your contracts require B2B customer notification within X hours, have those gone out?

Cyber insurance pays for the legal review of this template and the actual filing process — so the cost of getting it right is shifted to your insurer rather than your P&L.
