Knowledge Center / PDPA (SG)
PDPC (Singapore) · Singapore

PDPA (Singapore)

Singapore’s Personal Data Protection Act.

Introduction: The Singapore Personal Data Protection Act (PDPA)

The Personal Data Protection Act 2012 (PDPA) is Singapore's baseline data protection law. It governs the collection, use, disclosure and care of personal data by organisations, and establishes the Do Not Call (DNC) Registry regime for marketing messages. Administered by the Personal Data Protection Commission (PDPC), which sits within the Infocomm Media Development Authority (IMDA), the PDPA balances the right of individuals to protect their personal data against the legitimate needs of organisations to use data for reasonable purposes. This deep-dive gives CyberSigma clients an auditor-grade view of every obligation, how to scope an assessment, how to build an implementation programme, and how to evidence compliance during a PDPC investigation or a customer-driven data protection audit.

The PDPA has evolved materially since inception. The Personal Data Protection (Amendment) Act 2020 (in force from 1 February 2021) introduced mandatory data breach notification, a new Accountability obligation, expanded consent exceptions (Legitimate Interests and Business Improvement), data portability provisions, and significantly higher financial penalties. Any current assessment must reflect the amended Act, the associated Regulations (including the Personal Data Protection (Notification of Data Breaches) Regulations 2021), and the PDPC's Advisory Guidelines. This guide is written to the amended PDPA as it stands in 2026.

Copyright and source note
This guide is an original CyberSigma work product. The Personal Data Protection Act 2012, its subsidiary Regulations, and the PDPC Advisory Guidelines are Crown/statutory materials published by the Singapore Government and PDPC. We paraphrase and interpret those obligations for practitioner use; we do not reproduce the statutory or guideline text verbatim. Always read this alongside the current Act, Regulations and Advisory Guidelines on the PDPC website, and obtain Singapore-qualified legal advice before relying on any position taken here.

What is the PDPA (SG)?

The PDPA is a principles-based, technology-neutral statute that regulates 'personal data' — data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. It applies regardless of whether the data is in electronic or physical form. The Act does not prescribe specific security technologies; instead it imposes outcome-based obligations and expects organisations to make reasonable arrangements appropriate to the sensitivity, volume and risk of the data they handle.

The PDPA is structured around two central pillars. The first is the Data Protection Provisions (Parts 3 to 6B of the Act), which set out the obligations organisations owe when handling personal data — consent, purpose, notification, access, correction, accuracy, protection, retention limitation, transfer limitation, accountability, breach notification and data portability. The second is the Do Not Call (DNC) Provisions (Part 9B), which restrict the sending of specified marketing messages (voice calls, text and fax) to Singapore telephone numbers registered on the DNC Registry, and impose sender-identification and consent-checking duties.

Enforcement is investigation-led. The PDPC can require the production of documents, issue directions to stop collecting or to destroy data, and impose financial penalties. Following the 2020 amendments, the maximum financial penalty is the higher of S$1 million or 10% of an organisation's annual turnover in Singapore (for organisations with turnover exceeding S$10 million). Certain egregious acts — such as unauthorised disclosure, improper use, or re-identification of anonymised data by individuals — are now criminal offences carrying fines and imprisonment.

AttributeDetail
Full namePersonal Data Protection Act 2012 (as amended by the PDP (Amendment) Act 2020)
RegulatorPersonal Data Protection Commission (PDPC), under IMDA
RegionSingapore
In forceData Protection provisions from 2 July 2014; amendments from 1 Feb 2021 onwards
ScopePersonal data of individuals, in electronic or non-electronic form
ModelPrinciples/outcome-based; technology-neutral
Max financial penaltyHigher of S$1m or 10% of annual Singapore turnover (>S$10m turnover)
Breach notificationMandatory to PDPC and affected individuals for notifiable breaches

Who must comply?

The PDPA applies to all private-sector 'organisations' that collect, use or disclose personal data in Singapore, whether or not the organisation is formed or resident in Singapore and whether or not the personal data or activities are located there. 'Organisation' is defined broadly to include individuals, companies, associations and bodies of persons, corporate or unincorporated. The Act uses two operative roles that mirror the controller/processor distinction: the organisation (accountable for the data) and the data intermediary (a party that processes personal data on behalf of, and for the purposes of, another organisation under a written contract).

  • Private companies, partnerships and sole proprietors operating in Singapore or handling data of individuals in Singapore.
  • Foreign organisations that collect, use or disclose personal data in Singapore (extra-territorial reach), including cloud and SaaS providers serving Singapore customers.
  • Data intermediaries (processors) — subject to the Protection and Retention Limitation obligations and breach notification duties in respect of data processed on behalf of another organisation.
  • Charities, clubs, societies and non-profit associations acting as organisations.
  • Marketing senders and telemarketers subject to the Do Not Call provisions when sending messages to Singapore numbers.
Actor / scenarioPDPA applicability
Singapore-incorporated companyFull Data Protection and DNC obligations
Overseas SaaS serving SG customersApplies to collection/use/disclosure of SG individuals' data
Data intermediary (processor)Protection, Retention Limitation and breach-notification duties; other obligations flow to the principal organisation
Public agency (Government body)Excluded from PDPA; governed instead by the Public Sector (Governance) Act and internal IM instructions
Individual acting personally/domesticallyExcluded when acting in a personal or domestic capacity
Employee acting for their employerExcluded personally; obligations rest with the employer organisation
Business contact information (BCI)Consent/notification/purpose obligations do not apply to BCI used for business purposes
Public sector carve-out
Public agencies and organisations acting on behalf of public agencies are not subject to the PDPA. Their handling of personal data is governed by the Public Sector (Governance) Act 2018 and Government instruction manuals. Private organisations must not assume equivalence — a private vendor to Government is still bound by the PDPA for its own collections.

Structure of the PDPA (SG)

The PDPA is best assessed as a set of eleven Data Protection obligations plus the Do Not Call regime. The PDPC's own Advisory Guidelines on Key Concepts group the substantive duties into named 'obligations'. The table below maps each obligation to its statutory anchor and the practical control question it raises. Use these as the top-level domains for any PDPA assessment — every requirement in the master checklist rolls up to one of these.

Domain / obligationStatutory anchor (Act)Core control question
ConsentSections 13-17Do we obtain, and can we evidence, valid consent (or a lawful exception)?
Purpose LimitationSection 18Do we only collect/use/disclose for purposes a reasonable person considers appropriate and that were notified?
NotificationSection 20Do we inform individuals of purposes on/before collection?
AccessSections 21, 21ACan individuals obtain their personal data and disclosure history?
CorrectionSection 22Can individuals have inaccurate data corrected and corrections propagated?
AccuracySection 23Do we make reasonable effort to ensure data is accurate and complete?
ProtectionSection 24Do we make reasonable security arrangements to protect data?
Retention LimitationSection 25Do we cease retention/anonymise when purpose and legal need ends?
Transfer LimitationSection 26Do overseas transfers meet comparable-protection standards?
Accountability (incl. DPO, policies)Sections 11, 12Do we appoint a DPO, have policies, and demonstrate governance?
Data Breach NotificationSections 26A-26EDo we assess, notify PDPC and individuals of notifiable breaches?
Data PortabilitySections 26F-26JCan we transmit data to another organisation on request (once in force)?
Do Not Call (DNC)Part 9B (ss.36-48)Do we check the DNC Registry and identify senders for marketing messages?

Master assessment checklist

This is the core of the assessment. Each obligation below is expanded into concrete verification points and the typical evidence an auditor would request. Do not skip any group — a PDPC investigation or a mature third-party audit will test each one. Where an obligation has statutory sub-provisions (for example the consent exceptions, or breach assessment criteria), they are called out explicitly.

1. Consent (ss.13-17)

An organisation may collect, use or disclose personal data only with consent, unless an exception applies. Consent must be for purposes that have been notified, must not be a condition of providing a product/service beyond what is reasonable, and must not be obtained through false or misleading information or deceptive practices. Deemed consent, deemed consent by contractual necessity, deemed consent by notification, Legitimate Interests and Business Improvement exceptions must each be documented where relied upon.

What to verifyTypical evidence
Consent is obtained before or at collection and tied to notified purposesConsent capture screens, timestamps, opt-in logs
Failure of consent conditions (bundling / forced consent) is avoidedProduct terms review, consent-not-a-condition analysis
Deemed consent scenarios are identified and documentedDeemed-consent register, contractual-necessity notes
Reliance on Legitimate Interests exception is risk-assessedLegitimate Interests Assessment (LIA) records
Reliance on Business Improvement exception is scoped and documentedBusiness Improvement purpose documentation
Withdrawal of consent is honoured and downstream effects communicatedWithdrawal request logs, cessation confirmations
Consent for minors follows PDPC guidance on capacityAge-gating logic, parental consent records

2. Purpose Limitation (s.18)

What to verifyTypical evidence
Purposes are limited to what a reasonable person considers appropriatePurpose register mapped to processing activities
Data is not used/disclosed beyond notified or reasonable purposesData flow maps, RoPA, use-case sign-offs
New/secondary purposes trigger fresh notification or consentChange-control records for new purposes

3. Notification (s.20)

What to verifyTypical evidence
Purposes are notified on or before collectionPrivacy notices, just-in-time notices, forms
Notices are clear, accessible and specific to the collection contextPublished privacy policy, layered notices
Where deemed consent by notification is used, the notice is properNotification records and opt-out windows

4. Access (ss.21, 21A)

What to verifyTypical evidence
Access requests are logged, verified and answered within reasonable timeAccess request register, response templates
Disclosure history (to whom, within a year) can be providedDisclosure-tracking logs
Statutory exceptions to access are applied and documentedException decision records, legal sign-off
Reasonable fees, if charged, are disclosed in advanceFee schedule, applicant communications

5. Correction (s.22)

What to verifyTypical evidence
Correction requests are actioned and, where refused, reasons recordedCorrection request register
Corrections are propagated to third parties who received the dataDownstream correction notifications
Where correction is disputed, an annotation is madeAnnotation/notation records

6. Accuracy (s.23)

What to verifyTypical evidence
Reasonable effort is made to ensure accuracy where data is used to make a decision affecting the individual or is disclosedData validation rules, source-of-truth policy
Data quality checks exist at capture and update pointsValidation logs, de-duplication reports

7. Protection (s.24)

The Protection obligation is the most security-heavy. Organisations must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. This is where CyberSigma's technical controls assessment concentrates, mapping to administrative, physical and technical measures.

What to verifyTypical evidence
Administrative controls: security policy, roles, training, NDAsPolicy set, training records, signed NDAs
Access control on a need-to-know / least-privilege basisRBAC matrix, access reviews, joiner-mover-leaver logs
Encryption of data at rest and in transit for sensitive dataEncryption standards, TLS/cert config, key management
Network security, patching and endpoint protectionPatch reports, EDR coverage, firewall rules
Logging, monitoring and alerting on data accessSIEM configuration, audit trails, alert runbooks
Physical security for premises, media and paper recordsAccess badge logs, clean-desk policy, disposal records
Secure disposal / destruction of media and documentsCertificates of destruction, wiping records
Data intermediary security is contractually mandated and verifiedProcessor contracts, security schedules, audit rights
Vulnerability management and penetration testingVA/PT reports, remediation tracker

8. Retention Limitation (s.25)

What to verifyTypical evidence
A retention schedule maps data categories to retention periods and legal basisData retention policy and schedule
Data is destroyed or anonymised when purpose and legal need ceaseDeletion logs, anonymisation records
Backups and archives are covered by retention rulesBackup retention config, archive purge logs

9. Transfer Limitation (s.26 & Regulations)

What to verifyTypical evidence
Overseas transfers are inventoried with destination countriesTransfer register / data map
Comparable protection is ensured via contract, BCR, certification (e.g. APEC CBPR/PRP) or specified exceptionsData transfer agreements, model clauses, certifications
Cloud and sub-processor locations are identified and coveredSub-processor list, hosting-region documentation

10. Accountability, DPO and Policies (ss.11-12)

What to verifyTypical evidence
A Data Protection Officer (DPO) is designated and contactableDPO appointment letter, published DPO contact
Internal data protection policies and practices are documentedPolicy suite, procedures, DPMP
Staff are trained and complaints/queries are handledTraining completion, complaints handling procedure
Data Protection Impact Assessments (DPIA) are conducted for higher-risk processingDPIA templates and completed assessments
A record of processing (data inventory / RoPA) is maintainedData inventory / RoPA

11. Data Breach Notification (ss.26A-26E)

A breach is notifiable if it results in, or is likely to result in, significant harm to affected individuals, or is of significant scale (affecting 500 or more individuals). Notifiable breaches must be reported to the PDPC as soon as practicable and in any case within 3 calendar days of assessing it as notifiable, and affected individuals must be notified where required.

What to verifyTypical evidence
An incident response and breach assessment procedure existsIR plan, breach assessment methodology
Breach assessment against significant-harm and 500-individual thresholdsBreach assessment records, decision logs
PDPC notification within 3 days of notifiable determinationSubmitted PDPC notification, timeline log
Affected individuals notified where required, with mitigation adviceIndividual notification templates and dispatch logs
Data intermediaries notify the principal organisation without undue delayProcessor notification clauses and records
Post-incident review and remediation trackedPIR reports, remediation tracker

12. Data Portability (ss.26F-26J)

What to verifyTypical evidence
Portability requests can be received and validated (once provisions commence)Portability request procedure
Applicable data can be transmitted to a receiving organisation in a machine-readable formExport tooling, data format specification
Exclusions (derived/opinion/third-party data) are correctly appliedData classification for portability

13. Do Not Call Registry (Part 9B, ss.36-48)

What to verifyTypical evidence
DNC Registry is checked before sending specified marketing messagesDNC check logs and confirmation IDs
Valid confirmation of clear/dirty status is retained for the required periodRetained DNC confirmations (60-day validity records)
Messages identify the sender and provide contact detailsMessage templates with sender ID and contact info
Calling-line identity is not concealed for voice callsTelephony configuration evidence
Ongoing-relationship exemption is documented where relied uponConsent records and relationship evidence

Scoping the assessment

Accurate scoping prevents both under-assessment (missing regulated processing) and wasted effort. PDPA scope is defined by the personal data an organisation handles and the activities performed on it, not by a network boundary. Begin by inventorying every business process that touches personal data of individuals in Singapore, then map the systems, third parties and locations involved.

  • Identify all personal data categories held: customer, employee (note employment-context nuances), marketing, vendor-contact, CCTV, biometric and any special categories such as health or financial data.
  • Map business processes and data flows end-to-end, including collection channels (web, app, call centre, paper), storage, internal use and disclosures.
  • Enumerate data intermediaries (processors) and sub-processors, including cloud, payroll, CRM, analytics and outsourced call centres.
  • Determine overseas transfer destinations and hosting regions for each system.
  • Distinguish personal data from Business Contact Information (BCI), which is largely exempt from Consent/Notification/Purpose obligations when used for business purposes.
  • Identify marketing channels subject to the Do Not Call provisions (voice, SMS, fax to Singapore numbers).
  • Flag high-risk processing (large-scale, sensitive data, profiling, new technology) that warrants a DPIA.
Scope boundary tip
Employee personal data is in scope for most PDPA obligations, but there are specific consent exceptions for managing or terminating an employment relationship. Treat HR data as in-scope and document the exceptions relied upon rather than excluding it wholesale.

Implementation approach (phased)

CyberSigma delivers PDPA readiness as a structured programme. Each phase has defined activities and tangible deliverables so progress is auditable and leadership can track maturity growth.

Phase 1 — Governance and discovery

  • Activities: appoint/confirm the DPO, establish a data protection steering group, run data discovery and build the data inventory (RoPA), and map data flows and third parties.
  • Deliverables: DPO appointment, RoPA/data inventory, data flow diagrams, third-party (intermediary) register, initial scope statement.

Phase 2 — Gap assessment

  • Activities: assess each of the eleven obligations plus DNC against current state; run technical controls review for the Protection obligation; assess overseas transfers and retention.
  • Deliverables: gap assessment report with risk-rated findings, prioritised remediation roadmap, DPIA for high-risk processing.

Phase 3 — Policy and control build

  • Activities: draft/refresh the Data Protection Management Programme (DPMP), privacy notices, consent mechanisms, retention schedule, transfer agreements, and access/correction procedures; implement or harden security controls.
  • Deliverables: DPMP, policy suite, standard notices and consent flows, retention schedule, data transfer agreements, updated processor contracts.

Phase 4 — Operationalisation

  • Activities: deploy access/correction request handling, breach response runbook, DNC checking process, DPO query mailbox; deliver staff and role-based training.
  • Deliverables: request-handling workflow, incident/breach runbook with 3-day clock, DNC procedure, training records.

Phase 5 — Assurance and continual improvement

  • Activities: internal audit against the checklist, tabletop breach exercise, management review, and metrics reporting; align with PDPC's Data Protection Trustmark (DPTM) certification where desired.
  • Deliverables: internal audit report, tabletop findings, KPI dashboard, management review minutes, DPTM readiness pack.

Maturity / capability model

CyberSigma scores each PDPA obligation on a five-level capability scale. This gives leadership a defensible, comparable view of readiness and a target operating maturity, and aligns with the accountability expectations underpinning the DPTM.

LevelNameDescription
0AbsentNo policy, owner or control; obligation not addressed
1InitialAd hoc, reactive handling; no documentation or ownership
2DevelopingBasic policies drafted; inconsistent application; partial evidence
3DefinedDocumented, owned and operating across the organisation with records
4ManagedMeasured with KPIs, periodically reviewed and audited
5OptimisedContinually improved, automated where possible, embedded by design

Assessment and audit approach

  1. Confirm scope: agree the entities, processes, systems, data categories and geographies in scope, and the obligations to be tested.
  2. Kick-off and information request: issue the evidence request list and schedule interviews with the DPO, IT, HR, marketing and legal.
  3. Data mapping validation: verify the RoPA/data inventory and data flow diagrams against reality through walkthroughs.
  4. Control testing: test each obligation's controls using inquiry, inspection and re-performance; sample access/correction requests and consent records.
  5. Technical review: assess Protection-obligation controls (access control, encryption, logging, patching, disposal) and review VA/PT results.
  6. Third-party review: examine intermediary contracts, transfer safeguards and sub-processor coverage.
  7. Breach-readiness test: walk through the breach assessment and 3-day notification workflow, ideally via a tabletop.
  8. Gap analysis and risk rating: rate each finding by likelihood and impact against PDPA exposure.
  9. Reporting: deliver findings, root causes, and a prioritised remediation roadmap with owners and dates.
  10. Re-assessment: verify remediation and update the maturity scores; advise on DPTM certification if in scope.

Evidence request list

The following categorised evidence set supports a full PDPA assessment. Provide current, dated versions and be prepared to demonstrate live systems during walkthroughs.

  • Governance: DPO appointment, org chart, data protection steering minutes, DPMP.
  • Policies: data protection policy, retention schedule, breach/incident response plan, acceptable use, disposal policy.
  • Data mapping: RoPA/data inventory, data flow diagrams, systems inventory.
  • Consent and notice: privacy notices, consent capture screens/logs, deemed-consent and LIA records.
  • Individual rights: access and correction request registers, response templates, disclosure logs.
  • Protection controls: access control matrix, access review records, encryption/key management standards, patch and EDR reports, SIEM/log samples, physical security logs, destruction certificates.
  • Third parties: intermediary and sub-processor register, processor contracts and security schedules, audit reports.
  • Transfers: overseas transfer register, data transfer agreements, certifications (APEC CBPR/PRP), hosting-region documentation.
  • Retention and disposal: deletion/anonymisation logs, backup retention configuration.
  • Breach management: past breach assessments, PDPC notifications, individual notifications, PIR reports.
  • DNC: DNC check logs and confirmations, marketing message templates with sender identification.
  • Training and awareness: training material, completion records, phishing-simulation results.

Roles and responsibilities

RolePDPA responsibilities
Board / Senior ManagementOwn accountability, approve the DPMP, provide resources, review risk
Data Protection Officer (DPO)Ensure compliance, act as PDPC/individual contact, oversee policies, advise on DPIAs
IT / SecurityImplement Protection-obligation controls, logging, encryption, breach detection
HRManage employee data, apply employment consent exceptions, deliver training
MarketingOperate consent and DNC checks, ensure sender identification
Legal / ComplianceAdvise on obligations, draft contracts and transfer agreements, manage enforcement
Business / Process ownersMaintain accurate RoPA entries, honour purpose limitation, action requests
Data IntermediariesProtect data, observe retention limits, notify principal of breaches

KPIs to track

  • Percentage of processing activities recorded in the RoPA / data inventory.
  • Access and correction requests closed within target time (%).
  • Mean time to assess and notify a breach (target within the 3-day statutory window).
  • Percentage of staff completing annual data protection training.
  • Number of overdue remediation items from the gap assessment.
  • Percentage of data intermediary contracts with compliant security and breach clauses.
  • Percentage of systems covered by the retention schedule and automated purge.
  • DNC check compliance rate for outbound marketing campaigns.
  • Number of DPIAs completed for high-risk processing versus identified.
  • Encryption coverage of sensitive personal data at rest and in transit (%).

Readiness checklist

  • A DPO is appointed and their contact details are published.
  • A Data Protection Management Programme (DPMP) and policy suite are approved and current.
  • A complete RoPA / data inventory and data flow maps exist and are maintained.
  • Consent, notification and purpose practices are documented with evidence.
  • Access and correction request procedures operate within reasonable timelines.
  • Reasonable security arrangements protect personal data (access, encryption, logging, disposal).
  • A retention schedule is enforced with deletion/anonymisation records.
  • Overseas transfers are inventoried and covered by comparable-protection safeguards.
  • A breach response plan enforces the 3-day PDPC notification clock and individual notification.
  • Data intermediary contracts include protection, retention and breach-notification clauses.
  • DNC Registry checks and sender identification are in place for marketing.
  • Staff receive role-appropriate data protection training and it is recorded.
  • DPIAs are completed for higher-risk processing.
  • Internal audit / management review of PDPA compliance occurs periodically.

Common gaps

  • No DPO formally appointed, or the DPO role is nominal with no authority or resources.
  • Incomplete or stale data inventory, so unknown processing and shadow systems escape controls.
  • Consent relied upon informally with no records, or forced/bundled consent that breaches s.14.
  • No breach assessment methodology, causing failure to notify PDPC within the 3-day window.
  • Data intermediary contracts lacking protection, retention or breach-notification clauses.
  • Overseas transfers with no comparable-protection safeguards or hidden sub-processor regions.
  • No retention schedule, leading to indefinite retention and increased breach exposure.
  • Weak Protection controls: shared accounts, no encryption of sensitive data, poor log retention.
  • Marketing sent without DNC checks or sender identification, risking Part 9B penalties.
  • No DPIA process for new products, profiling or AI-driven processing.
  • Privacy notices that are generic and do not reflect actual purposes or collection contexts.
  • Access/correction requests handled ad hoc with no register or timeline discipline.

PDPA (SG) mapped to other frameworks

Organisations subject to multiple regimes can reuse controls. The mapping below is indicative — obligations are analogous, not identical — and should guide, not replace, a control-by-control cross-walk.

PDPA (SG) obligationGDPR (EU)ISO/IEC 27701NIST Privacy Framework
ConsentArt. 6-7 lawful basis / consentConsent management (7.2/7.3)CT.PO / Control-Consent
NotificationArt. 13-14 transparencyNotice to data subjects (7.3.2)Communicate-P
Access & CorrectionArt. 15-16 rightsPII principal requests (7.3.6-7.3.9)Control-P (individual participation)
ProtectionArt. 32 securityAnnex A/B security controls; ISO 27001Protect-P
Retention LimitationArt. 5(1)(e) storage limitationRetention & disposal (7.4.7)Control-P (data lifecycle)
Transfer LimitationArt. 44-49 transfersInternational transfers (7.5)Govern-P / Control-P
Accountability / DPOArt. 5(2), 24, 37-39Governance & DPO role (6.x)Govern-P
Breach NotificationArt. 33-34 breach notificationIncident managementDetect / respond functions
Data PortabilityArt. 20 portabilityPII principal requestsControl-P
Do Not CallePrivacy / marketing rulesN/A (marketing-specific)N/A

How CyberSigma helps

Partner with CyberSigma for PDPA readiness
CyberSigma combines CERT-In empanelled and PCI QSA expertise with hands-on Singapore data-protection practice to take your organisation from discovery to defensible compliance. We build your RoPA and data flow maps, run a full gap assessment against all eleven obligations plus the DNC regime, harden your Protection-obligation controls with technical testing, draft your DPMP, notices, retention schedule and transfer agreements, and stand up a breach-response capability that meets the 3-day PDPC clock. We then support internal audit, tabletop exercises, and — where you want external assurance — readiness for the PDPC Data Protection Trustmark (DPTM). Talk to CyberSigma to turn PDPA obligations into an operating advantage.

Frequently asked questions

Does the PDPA require breach notification?
Yes — notifiable data breaches must be reported to the PDPC and, where required, to affected individuals within the stipulated timeframe.
Official documents

Need help with PDPA (SG)?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.