
Singapore PDPA Breach Notification Playbook

Use this playbook when an incident may involve unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data under Singapore's PDPA.

It turns PDPC guidance into assessment steps, notification thresholds, owner handoffs, evidence records, and source-linked escalation checks.

Author: Sorena AI
Published: May 9, 2026
Updated: May 17, 2026
Overview

Singapore PDPA breach response starts with fast containment, then a documented assessment of whether the incident is a notifiable data breach. A breach is notifiable when it is likely to result in significant harm to affected individuals, or when it reaches significant scale by involving the personal data of 500 or more individuals. Once the organisation determines that a breach is notifiable, it must notify the PDPC as soon as practicable and no later than three calendar days, and notify affected individuals where required as soon as practicable, at the same time as or after notifying the PDPC.

1. Triage and contain the incident

Open the playbook when there are credible grounds to believe a personal data breach has occurred. The intake record should cover who discovered the incident, when it was discovered, the systems and vendors involved, whether a data intermediary reported it, and whether personal data was accessed, copied, altered, disclosed, lost, or disposed of without authorisation.

Security or incident response should contain the incident before the notification decision is final: isolate affected systems where appropriate, block further unauthorised access, preserve logs and forensic copies, and record the containment steps already taken or planned. If the organisation is a data intermediary, route the incident immediately to the organisation or public agency for which it processes the personal data.

  • Incident lead: owns the live timeline, containment status, recovery blockers, and stakeholder bridge.
  • Security lead: preserves system events, affected-system logs, forensic copies, indicators, and containment actions.
  • Privacy or DPO lead: confirms whether personal data is involved and starts the PDPA notifiable-breach assessment.
  • Vendor owner: confirms whether a processor, platform provider, or other data intermediary has evidence needed for the assessment.
  • Communications lead: prepares holding lines but does not send affected-individual or public statements before the PDPC sequencing check.

2. Assess whether the breach is notifiable

Once the organisation has credible grounds to believe a breach occurred, the assessment clock should be visible in the incident record. PDPC guidance says organisations must take reasonable and expeditious steps to assess whether the breach is notifiable within 30 calendar days, and document all steps taken in that assessment.

The assessment should answer two threshold questions. First, is the breach likely to result in significant harm to affected individuals, including because prescribed personal data under the notification regulations is compromised? Second, does the breach involve the personal data of 500 or more individuals, or is there reason to believe the number is at least 500 even if the final count is not yet confirmed?

  • Significant harm route: document the affected data classes, the affected individual groups, the likely physical, psychological, emotional, economic, financial, reputational, or other harm, and the basis for treating the data as prescribed personal data where relevant.
  • Significant scale route: count confirmed affected individuals and record any estimate supporting a belief that at least 500 individuals are affected.
  • Unclear route: use the PDPC self-assessment tool as a decision aid and record why the team did or did not notify.
  • Late assessment risk: if the assessment cannot be completed within 30 calendar days, keep a written explanation for the time taken or required.
  • Decision output: record the notifiable or not-notifiable conclusion, approving reviewer, evidence relied on, and any uncertainty that must be updated later.

3. Notify the PDPC and affected individuals

If the breach is notifiable, open the notification workstream immediately. The PDPC notice is due as soon as practicable and no later than three calendar days after the organisation determines the breach is notifiable. Day one of that three-day period is the day after the determination, so a determination made on a Monday puts the notice due on Thursday.

Affected individuals are notified where required as soon as practicable, at the same time as or after notifying the PDPC. If the breach is likely to attract widespread public attention or interest, notify the PDPC first before affected individuals and before any public or media statement.

  • PDPC notice packet: date and circumstances of awareness, how the breach occurred, affected-individual count, affected personal data classes, potential harm, chronology of response steps, mitigation and remediation actions, public or affected-individual communication plan, and authorised representative contact details.
  • Affected-individual notice packet: how the organisation became aware, the personal data classes affecting that individual, potential harm, steps already taken or planned, protective steps the individual can take, and at least one authorised contact for help.
  • Late-notification record: if PDPC notification is not made within three calendar days after determining the breach is notifiable, record the reasons and supporting evidence.
  • No-individual-notice record: if affected individuals will not be notified, record the PDPA or other written-law ground for that decision in the PDPC notification.
  • Other regulators: sectoral regulator or law enforcement notification does not supersede PDPA notification to the PDPC or affected individuals where the PDPA requires it.
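A small deadline and sequencing checker for the incident record, added here as an illustration (it is not a PDPC tool and the record fields, sample dates and wording of the findings are assumptions). It encodes the two threshold tests from section 2, the 30-calendar-day assessment window, the three-calendar-day PDPC notice window counted from the day after determination, and the two sequencing rules in this section; the sample record is constructed.

```python
"""Constructed deadline and sequencing checks for a PDPA breach record.

Added illustration only: the record layout and field names are assumptions,
not a PDPC schema or the PDPC self-assessment tool.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

ASSESSMENT_WINDOW_DAYS = 30   # assess notifiability within 30 calendar days of credible grounds
PDPC_NOTICE_WINDOW_DAYS = 3   # notify PDPC no later than 3 calendar days after determination
SIGNIFICANT_SCALE = 500       # significant-scale threshold in affected individuals


@dataclass
class BreachRecord:
    credible_grounds_date: date                    # day credible grounds for a breach arose
    affected_count: int                            # confirmed affected individuals
    estimated_at_least_500: bool = False           # reason to believe the count will reach 500
    likely_significant_harm: bool = False          # includes prescribed personal data compromised
    widespread_attention_likely: bool = False      # likely to attract widespread public attention
    determination_date: Optional[date] = None      # day the notifiable / not-notifiable call was made
    pdpc_notified_date: Optional[date] = None
    individuals_notified_date: Optional[date] = None
    public_statement_date: Optional[date] = None


def assessment_deadline(rec: BreachRecord) -> date:
    """Last day of the 30-calendar-day assessment window."""
    return rec.credible_grounds_date + timedelta(days=ASSESSMENT_WINDOW_DAYS)


def notifiability(rec: BreachRecord) -> tuple[bool, list[str]]:
    """Apply both threshold tests; either route on its own makes the breach notifiable."""
    routes = []
    if rec.likely_significant_harm:
        routes.append("significant harm")
    if rec.affected_count >= SIGNIFICANT_SCALE or rec.estimated_at_least_500:
        routes.append("significant scale")
    return bool(routes), routes


def pdpc_deadline(rec: BreachRecord) -> Optional[date]:
    """Day 1 is the day after determination, so the notice is due by determination + 3 days."""
    if rec.determination_date is None:
        return None
    return rec.determination_date + timedelta(days=PDPC_NOTICE_WINDOW_DAYS)


def timeline_findings(rec: BreachRecord, as_of: Union[date, str]) -> list[str]:
    """Return escalation findings as of a given day; an empty list means on track."""
    today = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    findings = []
    if rec.determination_date is None:
        # Nothing downstream can be checked until the notifiability decision exists.
        if today > assessment_deadline(rec):
            findings.append("assessment still open past 30 calendar days: record written explanation")
        return findings
    if rec.determination_date > assessment_deadline(rec):
        findings.append("assessment took more than 30 calendar days: record written explanation")
    notifiable, _ = notifiability(rec)
    if not notifiable:
        return findings
    due = pdpc_deadline(rec)
    if rec.pdpc_notified_date is None:
        state = "overdue" if today > due else "outstanding"
        findings.append(f"PDPC notice {state}, due {due.isoformat()}")
    elif rec.pdpc_notified_date > due:
        findings.append(f"PDPC notified late on {rec.pdpc_notified_date.isoformat()} "
                        f"(due {due.isoformat()}): record reasons and evidence")
    # Affected individuals: at the same time as or after the PDPC, never before.
    if rec.individuals_notified_date is not None and (
            rec.pdpc_notified_date is None or rec.individuals_notified_date < rec.pdpc_notified_date):
        findings.append("sequencing: affected individuals notified before the PDPC")
    # Widespread-attention breaches: PDPC first, before any public or media statement.
    if rec.widespread_attention_likely and rec.public_statement_date is not None and (
            rec.pdpc_notified_date is None or rec.public_statement_date < rec.pdpc_notified_date):
        findings.append("sequencing: public statement issued before the PDPC notice")
    return findings


# Constructed sample records (dates and counts are invented for the illustration).
SAMPLE_HARM = BreachRecord(
    credible_grounds_date=date(2026, 3, 2),
    affected_count=120,
    likely_significant_harm=True,
    widespread_attention_likely=True,
    determination_date=date(2026, 3, 10),
    pdpc_notified_date=date(2026, 3, 14),       # day 4 after determination: one day late
    individuals_notified_date=date(2026, 3, 14),
    public_statement_date=date(2026, 3, 12),    # issued before the PDPC notice
)
SAMPLE_ESTIMATE = BreachRecord(
    credible_grounds_date=date(2026, 1, 5),
    affected_count=480,
    estimated_at_least_500=True,                # count not final, but believed to reach 500
)

if __name__ == "__main__":
    print(notifiability(SAMPLE_HARM), pdpc_deadline(SAMPLE_HARM))
    for finding in timeline_findings(SAMPLE_HARM, "2026-03-15"):
        print("-", finding)
```

The `as_of` argument keeps the check deterministic in a ticket automation or test rather than reading the wall clock; pass today's date for a live record.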

4. Preserve the evidence record and improve the plan

The playbook should produce an evidence bundle that can be read without reconstructing the incident from chat threads. Keep the bundle aligned to the PDPC notification fields, the affected-individual notice fields, and the post-breach evaluation questions.

After containment, notification, and recovery, complete a post-breach review. The review should identify the root cause, exploited weakness, missed monitoring signs, short-term and long-term containment actions, backup and recovery status, vendor responsibilities, senior-management involvement, and whether the data breach management plan or response training needs to change.

  • Minimum record: incident summary, discovery source, first-awareness date, affected systems, affected data classes, affected-individual count or estimate, harm assessment, notifiability decision, reviewer approval, PDPC notification timestamp, and affected-individual notification timestamp where applicable.
  • Technical evidence: system events, security alerts, affected-system logs, forensic copies, containment steps, eradication steps, patches, account disables, password resets, backup restoration, and monitoring plan.
  • Governance evidence: role assignments, DPO or privacy review, legal review of exceptions or restrictions, vendor or data intermediary notices, sectoral regulator checks, board or senior-management updates, and communications approvals.
  • Lessons learned: root cause, underlying control weakness, whether existing procedures were followed, whether audits or training missed the issue, and plan changes assigned to named owners.
Primary sources

References and citations

  • pdpc.gov.sg: notifying affected individuals as soon as practicable, and notifying the PDPC first for breaches likely to attract widespread public attention. Quoted: "notify the PDPC first before notifying the affected individuals"
  • pdpc.gov.sg: the public PDPC reporting route for organisations that have determined a breach is notifiable. Quoted: "If you have already determined that a data breach incident at your organisation is notifiable"
  • pdpc.gov.sg: the three-calendar-day PDPC notification requirement and affected-individual sequencing. Quoted: "no later than three (3) calendar days"