PDPA data-breach notification — the 3-day rule (Sec 26D)
Last reviewed: June 2026. References: PDPA Part 6A (Sec 26A–26E); Personal Data Protection (Notification of Data Breaches) Regulations 2021.
Since 1 February 2021, Singapore organisations have been legally required to notify PDPC of a notifiable data breach. Below is what triggers the obligation, the timeline, what goes in the notice, and what cyber insurance pays for.
When is a breach notifiable?
Under PDPA Sec 26B, a breach must be notified to PDPC if it:
- Results in, or is likely to result in, significant harm to affected individuals; OR
- Affects the personal data of 500 or more individuals.
What counts as "significant harm"?
The Personal Data Protection (Notification of Data Breaches) Regulations 2021 prescribe categories of data that are deemed to cause significant harm. They include:
- Full name + NRIC / FIN / passport number
- Full name + financial account number (bank, credit card)
- Full name + health information
- Full name + account credentials (username + password)
- Full name + identifiable photograph + identifying number
If the breach affects fewer than 500 individuals but any of the data combinations above is exposed, the breach is still notifiable: the two limbs in Sec 26B are alternatives, and the significant-harm limb is satisfied on its own.
The timeline
- Hour 0 — Discovery. You become aware that an event MAY have caused a breach.
- Up to 30 days — Assessment. The PDPA allows up to 30 days to assess whether a breach is notifiable. Faster is better.
- Determination. The moment you determine the breach IS notifiable, the clock starts.
- Within 3 calendar days of determination — Notify PDPC. Use the PDPC Data Breach Notification e-service.
- As soon as practicable — Notify affected individuals, unless an exception applies (Sec 26D(5)–(6)).
What goes in the PDPC notice
Under Regulation 5, the notice must contain (so far as known):
- The facts and circumstances of the breach
- The number of affected individuals (or best estimate)
- The categories of personal data affected
- The potential harm
- The actions taken / planned to remediate
- Contact details for follow-up
Penalties for non-notification
Failure to notify is itself a PDPA breach and can attract the same financial penalty regime — up to 10% of SG turnover or SGD 1 million (whichever is higher). PDPC has fined organisations for late or absent notification on top of fines for the underlying security failure.
What cyber insurance pays for
The notification process is expensive. A typical cyber policy covers:
- Forensic investigation — determining what happened, what was exposed, who was affected
- Legal counsel — advising on whether the breach is notifiable, drafting the PDPC notice and individual letters
- Notification costs — printing + posting letters, call-centre capacity, email infrastructure
- Credit monitoring / identity-theft monitoring for affected individuals (where appropriate)
- PR / crisis-management advice for the media and customer communications
- PDPC investigation defence — legal costs of responding to the inquiry that follows
The numbers stack up fast. For a breach affecting 50,000 SG individuals, notification + monitoring alone runs into six figures, before any PDPC fine or third-party claim. Get quotes for cyber coverage from up to 8 Singapore insurers, with the notification-costs sublimit disclosed on each.
Template: 3-day PDPC notification (skeleton)
See our sample notification text. We provide a structured template you can adapt; do not file it without legal review.