Your Customers Trusted You With Their Data. Singapore Law Requires You to Protect It.
Here is a scenario that is no longer hypothetical.
A Singapore travel agency collects personal data from hundreds of thousands of customers — names, identification numbers, passport details, contact information — as part of its booking process. A threat actor targets the company, exfiltrates that data, and it ends up circulating online.
The company had no functioning Data Protection Officer. Its systems were running outdated software. Its password policies were weak. It had not implemented multifactor authentication.
The Personal Data Protection Commission (PDPC) investigated. In October 2025, the agency was ordered to pay a financial penalty of S$47,000.
This was not a major corporation. It was a mid-sized travel agency, doing what thousands of Singapore SMEs do every day — collecting customer information to deliver a service. The fine was not for malicious intent. It was for failing to put in place the reasonable security arrangements that the law requires.
If your company collects, uses, or discloses personal data in Singapore — and almost every company does — this article is directly relevant to your business.
What Is the PDPA and Who Does It Apply To?
The Personal Data Protection Act 2012 (PDPA) is Singapore’s primary legislation governing how private-sector organisations handle personal data. It is administered by the Personal Data Protection Commission (PDPC), a statutory board under IMDA.
“Personal data” under the PDPA means data about an individual who can be identified from that data — or from that data combined with other information the organisation has access to. This includes names, NRIC numbers, contact details, email addresses, photographs, financial information, and health records.
Here is the part that many SME owners miss: there is no minimum threshold based on company size, revenue, or number of employees. A one-person consultancy with a mailing list of 50 contacts has the same PDPA obligations as a multinational with millions of customer records. The law applies to every private organisation in Singapore that handles personal data — full stop.
And in 2026, enforcement has intensified significantly. The PDPC is conducting more investigations and issuing more financial penalties, and just last week the Singapore Business Federation ran dedicated SME briefings on PDPA compliance precisely because the compliance gap in the small business community remains wide.
If you have not reviewed your PDPA compliance recently, now is the right time.
The Nine Obligations Every Singapore Business Must Meet
The PDPA establishes nine core obligations that govern how your organisation must handle personal data. Understanding these is the foundation of compliance.
- Accountability Obligation
Your organisation must appoint at least one Data Protection Officer (DPO) and make their business contact details publicly available — typically via your company website or privacy policy. The DPO is responsible for ensuring your organisation’s ongoing compliance with the PDPA.
The DPO does not need to be a full-time role or a dedicated hire. In many SMEs, an existing employee — a manager, an HR officer, or even a director — takes on the DPO function alongside their other responsibilities. What matters is that the role is formally designated, the person understands their obligations, and their contact details are accessible to the public.
- Notification Obligation
Before collecting personal data, you must inform individuals of the purposes for which their data will be collected, used, or disclosed. This is typically done through a Privacy Notice or Data Protection Notice — a clear document that explains what data you collect, why you collect it, and what you do with it.
If your company is collecting data through a website contact form, a customer registration process, an HR onboarding form, or any other mechanism, that collection must be accompanied by a clear notification of purpose.
- Consent Obligation
Personal data may only be collected, used, or disclosed with the individual’s consent — unless a specific exception applies. Consent must be voluntary and informed. Pre-ticked boxes and buried clauses in terms and conditions do not constitute valid consent.
The 2020 amendments introduced deemed consent by notification and legitimate interests exceptions, which provide more flexibility in certain circumstances. But these are specific, defined exceptions — not a general licence to bypass consent requirements.
- Purpose Limitation Obligation
Personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances, and which the individual has been informed of. You cannot collect data for one stated purpose and then use it for a materially different one without fresh consent.
- Accuracy Obligation
You must make reasonable effort to ensure that personal data collected is accurate and complete, particularly where it will be used to make a decision that affects the individual, or disclosed to another organisation.
- Protection Obligation
You must make reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, or disposal. This is the obligation most commonly breached in PDPC enforcement actions — and the one that carries the greatest enforcement risk for SMEs.
“Reasonable security arrangements” is not defined by the PDPA as a fixed technical standard. The PDPC assesses reasonableness based on the nature of the data, the volume held, the potential harm from a breach, and the security measures the organisation had in place. What was reasonable five years ago may not be reasonable now.
For a practical baseline, the PDPC expects organisations to implement:
- Strong, unique password policies
- Multifactor authentication (MFA) for systems accessing personal data
- Regular software updates and patch management
- Access controls that limit data access to those who genuinely need it
- Vendor management provisions that ensure third-party processors also protect data appropriately
- Retention Limitation Obligation
Personal data must not be retained once the purpose for which it was collected is no longer served, and retention is no longer necessary for any business or legal purpose. Many SMEs accumulate years of customer, employee, and vendor data without a clear retention policy — this is a direct compliance gap.
A practical data retention policy specifies how long different categories of data are kept, why, and what happens when that period expires (deletion or anonymisation).
- Transfer Limitation Obligation
When transferring personal data to organisations outside Singapore, you must ensure the recipient provides a standard of protection comparable to the PDPA. This is particularly relevant for companies using cloud services hosted overseas, or sharing customer data with foreign group entities or vendors.
In February 2026, the EU-Singapore Digital Trade Agreement entered into force, introducing binding commitments relevant to cross-border data flows between Singapore and EU member states. If your company handles data from EU residents or works with EU-based vendors, this development adds an additional layer of cross-border data governance to your compliance picture.
- Data Breach Notification Obligation
If a data breach occurs that affects 500 or more individuals, or is likely to result in significant harm to any affected individual, you must:
- Notify the PDPC within 3 calendar days of assessing that the breach is notifiable
- Notify affected individuals within 3 business days
Significant harm is broadly defined — it includes situations where the breach involves financial data, NRIC numbers, medical records, or data that could be used for identity fraud. A breach affecting even a small number of individuals can trigger the notification obligation if the nature of the data makes harm likely.
The 3-day notification window is extremely short. Without a pre-established breach response protocol, most organisations will struggle to meet it. Having a documented incident response plan — covering who is notified internally, what constitutes a notifiable breach, and how PDPC notification is submitted — is not optional; it is the difference between a manageable incident and an enforcement action compounded by a failure to notify.
The New NRIC Authentication Deadline: 31 December 2026
This is the most time-sensitive PDPA-related obligation for Singapore businesses right now, and one of the least widely known.
In February 2026, the PDPC announced that all private organisations must stop using NRIC numbers for authentication purposes by 31 December 2026. Practices including using NRIC numbers as default passwords, combining NRIC with easily obtainable data as an authentication factor, or displaying partial NRICs as a security measure must be phased out.
This deadline is seven months away. That sounds comfortable — until you audit how many of your systems, processes, and vendor platforms currently use NRIC numbers as a form of authentication. For many SMEs, this is baked into:
- Customer login credentials or account recovery flows
- Employee system access verification
- Patient or client intake processes (healthcare, legal, financial services)
- Vendor-managed booking or appointment systems
Replacing NRIC-based authentication requires identifying every system that uses it, implementing an alternative authentication mechanism (a strong password, a PIN, a one-time password via SMS or email, or MFA), and communicating the change to users. For companies that rely on third-party software or platforms, this also requires coordinating with vendors — some of whom may need time to implement the change at their end.
Start this audit now. Businesses that leave this until Q4 2026 risk running out of time, particularly if vendor dependencies are involved.
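The two technical steps above, finding every place an NRIC is doing duty as a credential and replacing it with a password plus a second factor, are easier to picture in code. The following is an added example written for this article; it is not code from A1 Accounting, the PDPC or any vendor. It assumes a hypothetical legacy account table (constructed records, made-up NRIC values, plaintext passwords because that is the antipattern being audited), a format-only NRIC check with no checksum validation, a simple "derived from NRIC" heuristic (exact match, the seven-digit core, or the last four characters), and an authenticator-app style TOTP (RFC 6238) as the MFA factor, one of the alternatives the article lists. The function names `audit_nric_authentication`, `enroll` and `authenticate` are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import time

# Format-only check for a Singapore NRIC/FIN (prefix letter, 7 digits, checksum letter).
# The checksum is deliberately not validated; the audit only needs to recognise the shape.
NRIC_RE = re.compile(r"^[STFGM]\d{7}[A-Z]$")

# Constructed sample records from a hypothetical legacy system.  The password column is
# plaintext because storing it that way is part of the antipattern being audited.
# Every NRIC below is made up and does not belong to a real person.
LEGACY_ACCOUNTS = [
    {"user": "alice", "nric": "S1234567G", "password": "S1234567G"},  # full NRIC as default password
    {"user": "bob",   "nric": "T0000001A", "password": "hunter2"},
    {"user": "carol", "nric": "G7654321X", "password": "7654321X"},   # partial NRIC as password
    {"user": "dave",  "nric": "F1122334Q", "password": "correct-horse-battery-staple"},
]

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the replacement password store


def is_nric_derived(nric: str, secret: str) -> bool:
    """True if a credential is the NRIC itself, or contains its digit core or last four characters."""
    nric, secret = nric.upper(), secret.upper()
    if not NRIC_RE.match(nric):
        return False
    return secret == nric or nric[1:8] in secret or nric[-4:] in secret


def audit_nric_authentication(accounts: list[dict]) -> list[str]:
    """Return the usernames whose stored credential is derived from their NRIC."""
    return [a["user"] for a in accounts if is_nric_derived(a["nric"], a["password"])]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store keeps salt and digest, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at: float | None = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def enroll(user: str, nric: str, password: str, salt: bytes | None = None,
           totp_secret: bytes | None = None) -> dict:
    """Create a replacement credential record; refuses any NRIC-derived password."""
    if is_nric_derived(nric, password):
        raise ValueError("password must not be derived from the NRIC")
    salt = salt or secrets.token_bytes(16)
    return {
        "user": user,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret or secrets.token_bytes(20),
    }


def authenticate(record: dict, password: str, otp: str, now: float | None = None) -> bool:
    """Both factors are always evaluated and each is compared in constant time."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    otp_ok = hmac.compare_digest(totp(record["totp_secret"], now), otp)
    return pw_ok and otp_ok


if __name__ == "__main__":
    print("accounts still authenticating with NRIC-derived credentials:",
          audit_nric_authentication(LEGACY_ACCOUNTS))
    rec = enroll("alice", "S1234567G", "a-long-unique-passphrase")
    print("login with correct passphrase and current OTP:",
          authenticate(rec, "a-long-unique-passphrase", totp(rec["totp_secret"])))
```

Run against the constructed table, the audit flags `alice` (full NRIC as password) and `carol` (partial NRIC), which is the inventory step the article asks for; `enroll` then refuses to let an NRIC-derived password back in, and `authenticate` requires both the hashed password and the OTP before returning true. In a real migration the audit would read the production user store and the heuristic would be tuned to that system's fields (recovery questions, default PINs, vendor-issued credentials), but the shape of the check is the same.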
What the PDPC Actually Fines Companies For: Real Cases
Abstract compliance obligations become concrete very quickly when you look at the companies that have been fined. The PDPC publishes its enforcement decisions in detail — and the pattern that emerges is instructive.
A SaaS HR provider (January 2026): People Central Pte Ltd was ordered to pay a financial penalty of S$17,500 after a breach resulted in the deletion of databases and the exfiltration of personal data belonging to 95,000 individuals, which was likely subsequently offered for sale on the dark web. The threat actor gained access following what investigators identified as poor cyber hygiene, including weak password policies and infrequent system updates. The PDPC noted that SaaS providers face higher expectations given the volume of third-party client data they hold.
A travel agency (October 2025): Air Sino-Euro Associates Travel Pte Ltd was ordered to pay S$47,000 after a cyberattack exfiltrated personal data of 336,759 individuals. Investigators found the company had no functioning DPO, outdated software, and inadequate password and access control policies.
A data seller (earlier case): The PDPC imposed a fine of S$48,000 on an organisation that sold datasets containing personal data without proper authorisation — including a S$2,900 component representing the profit made from the sale — and a separate S$10,000 fine on the buyer who failed to conduct proper due diligence.
Three consistent themes run through virtually every PDPC enforcement action:
- Outdated or unpatched software left systems vulnerable
- Weak password policies — no complexity requirements, no MFA
- Absent or ineffective DPO — no one was actively monitoring or managing data protection
None of these are sophisticated failures. They are basic, preventable gaps that exist in a large proportion of Singapore SMEs today. The PDPC’s enforcement posture in 2026 makes clear that “we are a small business” is not a mitigating factor.
The Financial Stakes: What a Breach Can Cost You
The PDPA penalty framework has two tiers:
Tier 1 (organisations with annual turnover in Singapore of S$10 million or less): maximum financial penalty of S$1 million
Tier 2 (organisations with annual turnover in Singapore above S$10 million): maximum financial penalty of 10% of annual turnover in Singapore
In practice, the PDPC calibrates fines based on factors including the volume of data affected, the sensitivity of the data, whether the breach was notifiable, the organisation’s level of negligence, its cooperation with the investigation, and any remediation steps taken. Voluntary self-reporting and prompt remediation are consistently treated as mitigating factors. A failure to notify the PDPC of a notifiable breach is consistently treated as an aggravating one.
Beyond the PDPC fine itself, the business costs of a data breach include:
- IT forensic investigation to understand what was accessed and exfiltrated
- Notification costs — contacting potentially thousands of affected individuals
- Legal fees if the breach leads to civil claims from affected parties
- Reputational damage — particularly acute for businesses where trust is a core product (healthcare, legal, financial services, HR technology)
- Business disruption during investigation and remediation
For many SMEs, the indirect costs of a breach outweigh the PDPC penalty. The HR SaaS provider whose breach exposed 95,000 employee records will face a very different commercial reality after that event — regardless of the S$17,500 fine.
A Practical PDPA Compliance Checklist for Singapore SMEs
The good news: PDPA compliance for a typical SME does not require an enterprise-grade legal and compliance team. It requires clear thinking, documented processes, and consistent follow-through. Here is where to start:
1. Governance:
- Designate a Data Protection Officer (DPO) — can be an existing employee
- Publish the DPO’s business contact details on your company website or privacy policy
- Draft and implement a Data Protection Policy for internal use
2. Data Inventory:
- Map all categories of personal data your company collects — customers, employees, vendors, website visitors
- Identify where data is stored (servers, cloud platforms, third-party systems, physical files)
- Identify who has access to each category of data and whether that access is necessary
3. Consent and Notification:
- Review all data collection points (website forms, intake forms, HR documents) to ensure they include a clear notification of purpose
- Verify that consent mechanisms are valid — voluntary, informed, and not pre-ticked
4. Protection:
- Implement a strong password policy across all systems — minimum length, complexity, regular rotation
- Enable multifactor authentication (MFA) on all systems that access personal data
- Ensure all software and systems are running current, patched versions
- Review access controls — ensure only those who need access to personal data have it
- Document contractual data protection obligations with all vendors who process personal data on your behalf
5. NRIC Authentication — urgent, deadline 31 December 2026:
- Audit all systems and processes that currently use NRIC numbers as an authentication factor
- Implement alternative authentication methods for each identified system
- Coordinate with third-party vendors whose platforms may require NRIC-based changes
6. Retention:
- Draft a data retention policy specifying retention periods for each data category and the deletion/anonymisation process at end of retention
7. Breach Response:
- Document a data breach response protocol — who is notified internally, who notifies the PDPC, what constitutes a notifiable breach
- Brief all staff on how to identify and escalate potential data breaches
- Test your breach response process at least annually
8. Training:
- Conduct PDPA awareness training for all staff who handle personal data — at onboarding and at least annually thereafter
One Thing Many SMEs Overlook: Your Vendors Are Your Responsibility Too
The PDPA does not let you off the hook because a third party caused the breach. If you engage a vendor to process personal data on your behalf — a payroll provider, a CRM platform, a cloud storage service, a marketing agency that manages your email list — and that vendor suffers a breach, the PDPC will assess whether you took reasonable steps to ensure the vendor protected the data appropriately.
This means your contracts with data processing vendors should include:
- Clear specification of the data being shared and the permitted uses
- Requirements for the vendor to implement reasonable security measures
- Breach notification obligations — the vendor must notify you promptly if a breach occurs
- Audit rights if appropriate
Most off-the-shelf vendor contracts do not include adequate data protection provisions. Reviewing and updating your vendor agreements as part of PDPA compliance is not optional — it is a direct obligation under the Accountability Obligation.
The Bigger Picture: Data Protection Is Now a Business Expectation, Not Just a Legal Requirement
The PDPA has been in force since 2014. For the first several years, enforcement was relatively light and many SMEs treated it as background noise. That era is over.
PDPC enforcement has intensified materially since the 2021 amendments came into effect. The cases published in 2024 and 2025 span a wide range of industries — travel, HR technology, retail, healthcare, financial services, hospitality. No sector is exempt and no company is too small to be investigated.
Beyond enforcement, customer and partner expectations have shifted. Enterprise clients increasingly require their vendors to demonstrate PDPA compliance before onboarding them. Banks and financial institutions ask about data protection practices as part of due diligence. ISO 27001 certification — which provides a structured framework that directly supports PDPA compliance — is becoming a competitive differentiator for SMEs operating in B2B markets.
Being PDPA-compliant is no longer just about avoiding a fine. It is about being a company that enterprise clients, investors, and partners can trust with their data.
How A1 Accounting Fits Into Your Compliance Picture
At A1 Accounting, our core work — bookkeeping, payroll, corporate secretarial services, and ACRA filings — puts us at the centre of the personal data your company handles every day. Employee payroll records, director information, shareholder details, customer invoices: all of this is personal data under the PDPA.
We take our own PDPA obligations seriously, which means the data you share with us as a client is handled with appropriate care and security. And as your compliance partner, we can help you ensure that the data flows between your business and your service providers — including us — are documented and contractually protected.
If you are in the process of building your PDPA compliance framework and need advice on how your accounting, payroll, and corporate governance records fit into your data inventory and retention policies, we can help you think through that picture.
For specialist PDPA compliance advice, DPO training, or breach response support, we work with trusted partners in Singapore’s data protection advisory community and can refer you to the right professionals.
Your compliance obligations do not end with ACRA and IRAS. PDPA is part of running a legitimate, trustworthy business in Singapore — and the deadline clock for the NRIC authentication change is already running.
📞 Get in Touch with A1 Accounting Today
📞 Call or WhatsApp: +65 8066 2238 (also available on WeChat, Line & Telegram)
📧 Email: [email protected]
🌐 Visit us at: acrafilingagent.com
📍 63 Jln Pemimpin, #02-03 Pemimpin Industrial Building, Singapore 577219
Whether you need help with your corporate compliance, accounting, or simply want to understand how your business’s data practices connect to your overall governance obligations — reach out today. We are here to help.
Disclaimer: This article is for general informational purposes only and does not constitute legal advice. PDPA obligations depend on your specific circumstances and the nature of your data processing activities. For specialist data protection advice, consult a qualified data protection professional or refer to the PDPC’s official guidance at pdpc.gov.sg.
