Artifact GuideSingaporePDPA breach thresholds

Singapore PDPA Breach Notification Thresholds

A Singapore PDPA data breach becomes notifiable when it meets the significant harm test or the significant scale test. Significant scale is set at 500 or more affected individuals.

Use this page to structure the threshold assessment, evidence record, PDPC notification content, and affected-individual notification decision. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 17, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 17, 2026
Overview

Use this page when an incident response team needs to decide whether a Singapore PDPA personal data breach is notifiable to the Personal Data Protection Commission, affected individuals, or both. The key tests are significant harm and significant scale, supported by documented assessment steps and timing evidence.

Section 1

What are the Singapore PDPA breach notification thresholds?

The Singapore PDPA breach notification threshold is not a single headcount rule. A breach can be notifiable because it is likely to result in significant harm to affected individuals, or because it is of significant scale.

Significant scale is the clearer numeric threshold: the Personal Data Protection (Notification of Data Breaches) Regulations 2021 prescribe 500 affected individuals. PDPC guidance states that an organisation should notify the Commission when it has reason to believe the affected count is at least 500, even if the actual count is still being established.

The 500-individual test does not supersede the significant harm test. A smaller breach can still be notifiable if the compromised personal data falls within the prescribed significant-harm categories or otherwise presents significant harm.

  • Use significant harm to decide whether both the Commission and affected individuals may need notification.
  • Use significant scale to decide whether the Commission must be notified when 500 or more individuals are affected.
  • Do not close a breach as non-notifiable only because the affected count is below 500; check the data classes and harm analysis first.
  • When the count is uncertain, document the estimate, the source of the estimate, and why it is or is not reasonable to believe the count reaches 500.
Sources for this answer
Personal Data Protection (Notification of Data Breaches) Regulations 2021
Regulations 3 and 4 define the prescribed significant-harm trigger and set significant scale at 500 affected individuals.
Guide on Managing and Notifying Data Breaches Under the PDPA
PDPC guidance explains that significant-scale breaches require Commission notification even without prescribed significant-harm data.
Section 2

How should teams assess significant harm?

Start with the data involved, not the incident label. The Regulations deem significant harm where the breach involves an individual's full name, alias, or identification number together with prescribed personal data classes in the Schedule, subject to the Schedule's limits.

The Regulations also deem significant harm where the breach involves all required account-access elements: an account identifier, such as an account name or number, and a password, security code, access code, response to a security question, biometric data, or other data required to access or use the account.

PDPC guidance describes significant harm broadly, including physical, psychological, emotional, economic, financial, reputational, and other harms that a reasonable person would identify as possible outcomes of the breach.

  • Record each personal data class affected and whether it maps to a prescribed significant-harm category.
  • Check whether account identifiers were exposed together with credentials, security responses, biometric access data, or equivalent account-access data.
  • Assess likely harm in concrete terms: identity misuse, financial loss, account takeover, reputational damage, physical safety risk, or harm to vulnerable individuals.
  • If the prescribed category analysis is incomplete, keep the breach open for escalation rather than treating it as non-notifiable.
Sources for this answer
Personal Data Protection (Notification of Data Breaches) Regulations 2021
Regulation 3 identifies the prescribed data combinations that are deemed to result in significant harm.
Guide on Managing and Notifying Data Breaches Under the PDPA
PDPC guidance describes the kinds of harm teams should consider when assessing a breach.
PDPC Data Breach Self-Assessment
PDPC's self-assessment page states that organisations do not need to report every breach, but should first assess whether the incident is notifiable.
Section 3

What assessment record should prove the threshold decision?

PDPC guidance expects organisations with credible grounds to believe a breach occurred to take reasonable and expeditious steps to assess whether it is notifiable, generally within 30 calendar days. The organisation must document all steps taken in the assessment.

The assessment record should be complete enough to support the final notification or non-notification decision. For a notifiable breach, the Regulations require a chronological account of steps taken after awareness of the breach, including the organisation's assessment that the breach is notifiable.

If a data intermediary discovers a breach while processing personal data for another organisation or public agency, the intermediary should be treated as a source of the incident alert and the controller organisation still needs the threshold assessment record.

  • Capture the date and circumstances when the organisation first became aware of the breach.
  • Record the affected systems, affected individuals or estimate, personal data classes, and whether the breach meets significant harm or significant scale.
  • Document containment, remediation, mitigation of harm, and the reasoning for notifying or not notifying affected individuals.
  • Keep evidence explaining any assessment that takes longer than 30 calendar days and any Commission notification made after the three-calendar-day notification period.
Sources for this answer
Guide on Managing and Notifying Data Breaches Under the PDPA
PDPC guidance supports the 30-calendar-day assessment expectation and the need to document assessment steps.
Personal Data Protection (Notification of Data Breaches) Regulations 2021
Regulation 5 lists the information required in a Commission notification, including the assessment and chronology.
PDPC Data Breach Self-Assessment
PDPC's self-assessment page supports using a structured assessment before deciding whether to report a breach.
Section 4

When does the notification clock start?

The Commission notification clock starts after the organisation determines that the breach is notifiable. PDPC guidance states that the Commission must be notified as soon as practicable and no later than three calendar days after that determination.

The first day of the three-day period starts on the day after the organisation makes the notifiable-breach determination. PDPC's example says a breach determined notifiable on 1 January must be notified to the Commission by 4 January.

Affected individuals, where notification is required, must be notified as soon as practicable, at the same time as or after notifying the Commission. PDPC also says that breaches likely to attract widespread public attention or interest should be notified to the Commission before affected individuals or public/media statements.

  • Record the timestamp for credible grounds to believe a breach occurred, the assessment start, the notifiable-breach determination, and each notification sent.
  • Notify the Commission within three calendar days after the notifiable-breach determination, not three days after initial discovery.
  • Sequence affected-individual notices at the same time as or after Commission notification when affected-individual notification is required.
  • If Commission notification is late, include the reasons for late notification and supporting evidence.
Sources for this answer
Guide on Managing and Notifying Data Breaches Under the PDPA
PDPC guidance supports the three-calendar-day Commission notification clock and explains when the first day begins.
PDPC Required to Notify the PDPC
PDPC's reporting page confirms notification to the PDPC should be as soon as practicable and no later than three calendar days.
PDPC Guidance on Notification to Affected Individuals
PDPC's affected-individual guidance supports sequencing notices to individuals at the same time as or after PDPC notification.
Recommended next step

Turn Singapore PDPA breach thresholds into incident records

Use this Singapore PDPA threshold guide to convert breach facts into significant-harm analysis, significant-scale counts, notification clocks, and reviewer-ready evidence.

Assessment workflow
Open Assessment Autopilot for Singapore PDPA

Turn breach threshold questions into scoped incident intake, evidence fields, and reviewer tasks.

Explore next step
Research workflow
Review Singapore PDPA source evidence

Use Research Copilot to answer follow-up PDPA breach questions with cited source material.

Explore next step
Talk to Sorena
Talk through Singapore PDPA breach thresholds

Review significant harm, significant scale, notification timing, and the next compliance actions with Sorena.

Explore next step
Primary sources

References and citations

PDPC Data Breach Self-Assessment
pdpc.gov.sg
Referenced sections
  • PDPC's self-assessment page supports using a structured assessment before deciding whether to report a breach.
"assist with the determination of whether a data breach incident is notifiable"
PDPC Required to Notify the PDPC
pdpc.gov.sg
Referenced sections
  • PDPC's reporting page confirms notification to the PDPC should be as soon as practicable and no later than three calendar days.
"no later than three (3) calendar days"
Related guides

Explore more topics

Singapore PDPA Anonymisation and DPIA Records
Build Singapore PDPA anonymisation and DPIA records around PDPC guidance: release model, re-identification risk, data flows, action plans, safeguards, and monitoring.
Singapore PDPA anonymisation FAQ
FAQ on anonymisation under the Singapore PDPA: de-identification, pseudonymisation, re-identification risk, when PDPA may no longer apply, and evidence records.
Singapore PDPA Applicability Test
Test whether Singapore PDPA obligations apply by checking personal data, organisation role, data intermediary status, public agency and individual boundaries, and business contact information.
Singapore PDPA Breach Notification Playbook
A grounded Singapore PDPA breach-notification playbook covering assessment, notifiable-breach thresholds, PDPC and affected-individual notification steps, roles, records, and citations.
Singapore PDPA breach notification thresholds FAQ
FAQ on Singapore PDPA notifiable data breach tests: significant harm, significant scale, 500 affected individuals, assessment timing, PDPC notices, and affected-individual notices.
Singapore PDPA Breach Notification Workflow
A grounded Singapore PDPA workflow for containing a personal data breach, assessing notifiability, notifying PDPC or affected individuals, and retaining evidence.
Singapore PDPA Compliance Checklist
A grounded Singapore PDPA checklist for scope, DPO accountability, consent, data intermediaries, breach notification, DNC checks, transfers, and evidence records.
Singapore PDPA Compliance Guide
Build a Singapore PDPA compliance plan covering DPO accountability, consent and notification, protection, retention, access and correction, transfers, breach notification, and DNC checks.
Singapore PDPA Consent and Deemed Consent Workflow
Choose express consent, deemed consent by conduct, contractual necessity, notification, or the legitimate interests exception under Singapore PDPA with grounded intake fields and evidence records.
Singapore PDPA Consent, Notification and Purpose Rules
How Singapore PDPA consent, notification, purpose limitation, deemed consent, withdrawal, and consent exceptions should be handled in product and privacy workflows.
Singapore PDPA Cross-Border Transfers
Grounded Singapore PDPA guidance for overseas personal data transfers, comparable protection, ASEAN MCCs, APEC certifications, vendor roles, and evidence records.
Singapore PDPA Data Intermediaries FAQ
FAQ guidance on Singapore PDPA data intermediary roles, direct obligations, organisation accountability, contracts, retention, protection, and breach escalation.
Singapore PDPA Data Intermediary Responsibilities
Practical Singapore PDPA guide to data intermediary role boundaries, organisation accountability, protection, retention, breach escalation, and contract evidence.
Singapore PDPA Deadlines and Compliance Calendar
A grounded Singapore PDPA compliance calendar for breach notification, DNC checks, access and correction requests, retention reviews, and DPMP maintenance.
Singapore PDPA Deemed Consent and Legitimate Interests
How to apply Singapore PDPA deemed consent by conduct, contractual necessity, notification, and legitimate interests with opt-out, adverse-effect, disclosure, and assessment records.
Singapore PDPA Deemed Consent FAQ
FAQ on Singapore PDPA deemed consent by conduct, contractual necessity, notification, opt-out periods, adverse-effect assessment, withdrawal, and direct-marketing limits.
Singapore PDPA DNC and Marketing Messages Guide
A grounded Singapore PDPA guide to DNC checks, specified marketing messages, Singapore telephone numbers, consent evidence, opt-outs, sender duties, and excluded messages.
Singapore PDPA DNC checking FAQ: when to check the DNC Registry
FAQ guidance on Singapore PDPA DNC checking: when to check the DNC Registry, which registers apply, 8-digit numbers, 21-day result validity, consent evidence, on-behalf checks, opt-outs, and supported exclusions.
Singapore PDPA DNC Marketing Checks
Operational checklist for Singapore PDPA DNC marketing checks: account evidence, register status, 21-day result validity, consent evidence, and campaign owner records.
Singapore PDPA DNC Marketing Workflow
Workflow for Singapore PDPA DNC marketing campaigns: classify specified messages, check Singapore telephone numbers, document consent, suppress opt-outs, and approve sends.
Singapore PDPA DPIAs: when to run and what to document
FAQ-style implementation guidance on Singapore PDPA DPIAs, including when PDPC guidance recommends them, data-flow mapping, risk treatment, DPO review, and evidence records.
Singapore PDPA DPMP Accountability FAQ | DPO, Policies, Evidence
FAQ for implementing Singapore PDPA accountability through a DPMP: DPO designation, policies, evidence, training, monitoring, incident logs, and review records.
Singapore PDPA DPMP Accountability Guide
Build a Singapore PDPA Data Protection Management Programme with DPO ownership, policies, data inventories, DPIAs, training, monitoring, breach logs, and review records.
Singapore PDPA FAQ: scope, DPO, consent, breaches and DNC
FAQ answers for Singapore PDPA implementation, covering scope, accountability, consent, access and correction, security, retention, transfers, data intermediaries, breach notification, and DNC checks.
Singapore PDPA legitimate interests FAQ
FAQ guidance on Singapore PDPA legitimate interests: assessment fields, adverse effects, mitigation, balancing, disclosure, records, and marketing limits.
Singapore PDPA NRIC Handling FAQ
FAQ guidance on when Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC and other national identification numbers under PDPC guidance.
Singapore PDPA NRIC Handling Rules
When Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC numbers under PDPC guidance.
Singapore PDPA Penalties and Enforcement Cases
How PDPC enforcement under Singapore's PDPA works: directions, voluntary undertakings, published decisions, financial penalty caps, and implementation lessons from cases.
Singapore PDPA Penalties and Fines
Singapore PDPA penalty ceilings, PDPC directions, undertakings, breach notification context, and practical controls grounded in official PDPC and Singapore Statutes sources.
Singapore PDPA Privacy Policy Template
A Singapore PDPA privacy policy template for writing notices, DPO contact details, access and correction routes, retention, transfers, protection, withdrawal, and complaint handling without overclaiming compliance.
Singapore PDPA Requirements: Core Obligations
Map Singapore PDPA obligations across consent, notification, access, security, retention, transfers, accountability, breaches, DNC checks, and data intermediaries.
Singapore PDPA Scope, Exclusions, and Data Intermediaries
Classify Singapore PDPA coverage, business contact information, personal or domestic activity, employee acts, and data intermediary obligations with grounded implementation records.
Singapore PDPA Transfer Assessment Workflow
A Singapore PDPA workflow for assessing overseas personal data transfers, comparable protection, ASEAN MCCs, APEC CBPR/PRP certifications, vendor due diligence, onward transfers, and evidence records.
Singapore PDPA Transfer Clauses
Draft Singapore PDPA transfer clauses for overseas vendors, affiliates, data intermediaries, onward transfers, breach support, ASEAN MCCs, and APEC CBPR or PRP evidence.
Singapore PDPA transfer clauses FAQ
FAQ guidance on Singapore PDPA transfer clauses, comparable protection, ASEAN MCCs, APEC CBPR and PRP certifications, onward transfers, and evidence records.
Singapore PDPA Vendor Outsourcing and Contracts
Contract and operating checklist for Singapore PDPA vendor outsourcing: data intermediary status, written terms, security, retention, breach, transfers, sub-contracting, and exit evidence.
Singapore PDPA vs GDPR Comparison
Compare Singapore PDPA and GDPR implementation work across consent, DPO accountability, processors, transfers, breach notification, DNC marketing, rights, retention, and penalties.