PDPA Singapore — Personal Data Protection Act 2012

A plain-English guide for Singapore businesses. Last reviewed: June 2026.

The Personal Data Protection Act 2012 (PDPA) is Singapore's primary data-protection statute. It applies to every organisation that collects, uses or discloses personal data of individuals in Singapore — regardless of where the organisation is based. The Personal Data Protection Commission (PDPC) is the enforcer.

The 10 PDPA obligations every Singapore business must satisfy

  1. Consent — collect personal data only with the individual's consent (or under one of the exemptions in the First Schedule).
  2. Purpose Limitation — use data only for purposes the individual would consider appropriate and that you've disclosed.
  3. Notification — tell the individual the purpose before or at collection.
  4. Access & Correction — give individuals access to their data and a way to correct it.
  5. Accuracy — make a reasonable effort to keep data accurate and complete.
  6. Protection — protect data with reasonable security arrangements (this is where cyber-security controls and cyber insurance map directly).
  7. Retention Limitation — don't keep data longer than the purpose requires.
  8. Transfer Limitation — only transfer overseas to jurisdictions with comparable protection (or via contractual safeguards).
  9. Openness — publish data-protection policies and appoint a Data Protection Officer (DPO).
  10. Data Breach Notification — notify PDPC (and affected individuals) when a notifiable breach occurs. See our 72-hour notification guide.

What changed in 2020–2022 (the "amended PDPA")

  • Higher fines (1 Oct 2022): up to 10% of annual Singapore turnover (for organisations with SG turnover above SGD 10 million) or SGD 1 million, whichever is higher. Previously capped at SGD 1 million flat.
  • Mandatory data-breach notification (1 Feb 2021): see Sec 26B–26E and our notification guide.
  • Deemed consent by notification: in limited cases, organisations may treat consent as given after clearly notifying the individual of the purpose of collection or use.
  • Data portability obligation (Sec 26F–26J): subject to implementation.

What is a "notifiable" data breach?

A breach is notifiable to PDPC under Sec 26B if it:

  • results in, or is likely to result in, significant harm to affected individuals (e.g. identity theft, financial loss); OR
  • affects the personal data of 500 or more individuals.

The Personal Data Protection (Notification of Data Breaches) Regulations 2021 list categories of data deemed to cause significant harm (e.g. NRIC + financial information, health records, account credentials).

PDPC enforcement — how serious is this?

PDPC publishes every enforcement decision on its Commission's Decisions register. Examples of headline cases:

  • SingHealth (2019) — SGD 250,000 financial penalty for the 2018 data breach affecting 1.5 million patients (largest at the time). IHiS was separately fined SGD 750,000.
  • Carousell (2024) — SGD 58,000 financial penalty after a 2022 incident affecting 1.95 million accounts via a compromised admin account.
  • Many SMEs each year — fines in the SGD 5,000–50,000 range for breaches of the Protection Obligation (Obligation 6), typically arising from misconfigured cloud storage, exposed databases or phishing-led account takeovers.

See our PDPC enforcement history page for a longer list with sources.

Where cyber insurance fits

Cyber insurance does not replace PDPA compliance. It defends what compliance can't prevent: an incident that has already happened. Singapore cyber policies typically cover:

  • Incident response — forensic investigation, legal advice, PR / crisis management
  • PDPC investigation defence — legal costs of responding to a PDPC inquiry
  • PDPA financial penalties — where insurable under SG law (most policies offer a sublimit; check the schedule)
  • Notification costs — informing affected individuals (call centre, letters)
  • Third-party liability — claims from individuals whose data was exposed
  • Business interruption — lost income while systems are down
  • Ransomware — restoration costs and, where lawful, ransom payment (see our ransomware guide)

Independent comparison: we are not a licensed financial adviser. Use our quote form to get real, named quotes from up to 8 Singapore insurers. Each quote will disclose the regulatory-defence sublimit and any restrictions on PDPA-fine coverage in that policy.

FAQ

What is the PDPA in Singapore?

The Personal Data Protection Act 2012 (PDPA) is Singapore's primary data-protection law. It governs how organisations collect, use, disclose and protect personal data of individuals in Singapore. It is enforced by the Personal Data Protection Commission (PDPC).

What is the maximum PDPA fine in Singapore?

Since 1 October 2022, PDPC can impose financial penalties of up to 10% of the organisation's annual turnover in Singapore (for organisations with annual SG turnover above SGD 10 million) or up to SGD 1 million, whichever is higher. Before 2022 the cap was SGD 1 million flat.

Is data-breach notification mandatory under PDPA?

Yes. Since 1 February 2021, organisations must notify PDPC of a notifiable data breach as soon as practicable, and in any case no later than 3 calendar days, after determining that the breach is notifiable. See PDPA Sec 26D.

Does cyber insurance cover PDPA fines?

Most Singapore cyber insurance policies provide regulatory-defence cover (legal costs of responding to a PDPC investigation) and, where insurable under law, a sublimit for PDPA financial penalties. Insurability of fines varies by insurer and policy wording — always check the policy schedule. Submit our quote form and we will return real quotes that disclose the regulatory sublimit each insurer offers.