Category: Compliance

The PDPA Compliance Singapore Checklist

In 2018, a cyberattack on SingHealth exposed the records of 1.5 million patients, including the Prime Minister. The Personal Data Protection Commission (PDPC) handed down S$1 million in combined penalties, and that decision still sits on its public enforcement page today. The Personal Data Protection Act (PDPA) has sharper teeth than it did a few years ago. Since October 2022, the PDPC can impose financial penalties of up to 10% of an organisation's annual turnover in Singapore, or S$1 million, whichever is higher. Breach notification is now mandatory. And a hard deadline is approaching: from 1 January 2027, using NRIC numbers for authentication becomes an enforcement target. A checklist is how you turn all of that into something you can actually execute against, rather than a legal document you skim once and forget.

What Is the PDPA Compliance Checklist?

A PDPA compliance checklist translates the law's 11 data protection obligations into concrete, verifiable actions. The obligations themselves are principles: Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, Data Breach Notification, Accountability, and Data Portability (legislated in 2020 but not yet in force). A principle tells you what good looks like. A checklist tells you whether you have done it. The distinction matters because the PDPC does not accept good intentions as a defense. When it investigates, it looks for documented policies, a named Data Protection Officer (DPO), evidence of consent, and a breach plan that existed before the breach. The checklist is what produces that evidence trail.

Who Needs to Follow the PDPA Compliance Checklist in Singapore

Every private sector organisation that collects, uses, or discloses personal data in Singapore falls under the PDPA. That covers sole proprietorships, partnerships, companies, and foreign entities with Singapore operations. Headcount is irrelevant. A five-person startup carries the same obligations as a multinational, and the PDPC has shown it will penalize small and mid-sized businesses, not only household names. Physical presence is not the trigger either. If your processing touches individuals in Singapore, the Act can reach you even without a local office. Public sector agencies sit under separate legislation, but the private sector rules administered by the PDPC, which operates under the Info-communications Media Development Authority (IMDA), apply broadly. One useful carve-out: business contact information used purely for business purposes is largely exempt from the consent rules.

Worth Knowing: PDPA Roles Explained

The PDPA distinguishes an organisation from a data intermediary, a party that processes data on another's behalf. Intermediaries carry a narrower but real set of duties, mainly protection and retention. If you outsource payroll, hosting, or email marketing, you are the organisation and your vendor is the intermediary, and the contract between you needs to say so explicitly.

PDPA Compliance Checklist: Step-by-Step Guide

The 15 steps below move roughly in the order you should tackle them, from governance foundations through operational controls to ongoing assurance. Treat them as a sequence, not a menu.

Step 1: Appoint a Data Protection Officer (DPO)

The PDPA requires every organisation to designate at least one individual responsible for compliance, and to make that person's business contact details available to the public. You do not have to hire a specialist. In smaller firms, an existing employee can hold the DPO role alongside other duties. What matters is that the role is named, resourced, and reachable, because the DPO is who the PDPC and affected individuals contact first. Publish the contact details on your website and inside your privacy notice.

Step 2: Map and Inventory Personal Data

You cannot protect data you cannot see. Build a data inventory that records what personal data you hold, where it lives, which systems and people can access it, why you collected it, and how long you keep it. This map is the single most useful artifact in your entire program. It feeds your privacy notice, your retention schedule, your breach assessments, and your vendor reviews. Most compliance failures trace back to a blind spot: a spreadsheet of customer records nobody remembered, or a legacy database still holding data long past its purpose.

Step 3: Establish Lawful Basis and Obtain Valid Consent

Under the Consent Obligation, you generally need an individual's consent before you collect, use, or disclose their personal data, and that consent must be tied to a specific, notified purpose. The 2020 amendments added flexibility: deemed consent covers scenarios like contractual necessity, and the legitimate interests exception lets you process data where the benefit outweighs any adverse effect, provided you document the assessment. You cannot make consent to unrelated data uses a condition of providing a service.

Important: Bundled consent is a common enforcement trigger. A single checkbox that forces a customer to agree to marketing in order to complete a purchase is not valid consent for the marketing. Separate the purposes, and let people say yes to one without being forced into the other.

Step 4: Draft and Publish a Compliant Privacy Notice

Your privacy notice is the public expression of how you handle personal data. It should state what you collect, the purposes you collect it for, who you share it with, how long you retain it, and how individuals can contact your DPO or exercise their access and correction rights. Write it in plain language. A notice dense enough to deter reading does not satisfy the spirit of the Notification Obligation, and regulators notice the difference.

Step 5: Implement the Notification of Purpose Requirement

The Notification Obligation and the Purpose Limitation Obligation work as a pair. You must inform individuals of the purpose before or at the point of collection, and you must then confine your use of the data to that purpose. Practically, that means a clear notice at every collection point: sign-up forms, website pop-ups, contact forms, event registrations. Selling a customer list you gathered for order fulfillment is precisely the kind of