---
title: "Singapore PDPA Data Breach Notification Thresholds"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/breach-notification-thresholds"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/breach-notification-thresholds"
author: "Sorena AI"
description: "Grounded Singapore PDPA breach notification thresholds covering significant harm, the 500-individual significant-scale test, assessment records, and notification timing."
published_at: "2026-05-09"
updated_at: "2026-05-17"
keywords:
  - "Singapore PDPA breach notification"
  - "PDPC data breach"
  - "significant harm"
  - "significant scale"
  - "500 individuals"
  - "Singapore PDPA"
  - "Data breach notification"
---

# Singapore PDPA Data Breach Notification Thresholds

Grounded Singapore PDPA breach notification thresholds covering significant harm, the 500-individual significant-scale test, assessment records, and notification timing.

## Singapore PDPA Breach Notification Thresholds

A Singapore PDPA data breach becomes notifiable when it meets the significant harm test or the significant scale test. Significant scale is set at 500 or more affected individuals.

Use this page to structure the threshold assessment, evidence record, PDPC notification content, and affected-individual notification decision. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Use this page when an incident response team needs to decide whether a Singapore PDPA personal data breach is notifiable to the Personal Data Protection Commission, affected individuals, or both. The key tests are significant harm and significant scale, supported by documented assessment steps and timing evidence.

## What are the Singapore PDPA breach notification thresholds?

The Singapore PDPA breach notification threshold is not a single headcount rule. A breach can be notifiable because it is likely to result in significant harm to affected individuals, or because it is of significant scale.

Significant scale is the clearer numeric threshold: the Personal Data Protection (Notification of Data Breaches) Regulations 2021 prescribe 500 as the number of affected individuals. PDPC guidance states that an organisation should notify the Commission when it has reason to believe the affected count is at least 500, even if the actual count is still being established.

The 500-individual test does not supersede the significant harm test. A smaller breach can still be notifiable if the compromised personal data falls within the prescribed significant-harm categories or otherwise presents significant harm.

- Use significant harm to decide whether both the Commission and affected individuals may need notification.
- Use significant scale to decide whether the Commission must be notified when 500 or more individuals are affected.
- Do not close a breach as non-notifiable only because the affected count is below 500; check the data classes and harm analysis first.
- When the count is uncertain, document the estimate, the source of the estimate, and why it is or is not reasonable to believe the count reaches 500.

Sources for this answer:

- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Regulations 3 and 4 define the prescribed significant-harm trigger and set significant scale at 500 affected individuals.
- [Guide on Managing and Notifying Data Breaches Under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - PDPC guidance explains that significant-scale breaches require Commission notification even without prescribed significant-harm data.

## How should teams assess significant harm?

Start with the data involved, not the incident label. The Regulations deem significant harm where the breach involves an individual's full name, alias, or identification number together with prescribed personal data classes in the Schedule, subject to the Schedule's limits.

The Regulations also deem significant harm where the breach involves all required account-access elements: an account identifier, such as an account name or number, and a password, security code, access code, response to a security question, biometric data, or other data required to access or use the account.

PDPC guidance describes significant harm broadly, including physical, psychological, emotional, economic, financial, reputational, and other harms that a reasonable person would identify as possible outcomes of the breach.

- Record each personal data class affected and whether it maps to a prescribed significant-harm category.
- Check whether account identifiers were exposed together with credentials, security responses, biometric access data, or equivalent account-access data.
- Assess likely harm in concrete terms: identity misuse, financial loss, account takeover, reputational damage, physical safety risk, or harm to vulnerable individuals.
- If the prescribed category analysis is incomplete, keep the breach open for escalation rather than treating it as non-notifiable.

Sources for this answer:

- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Regulation 3 identifies the prescribed data combinations that are deemed to result in significant harm.
- [Guide on Managing and Notifying Data Breaches Under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - PDPC guidance describes the kinds of harm teams should consider when assessing a breach.
- [PDPC Data Breach Self-Assessment](https://www.pdpc.gov.sg/report-data-breach/self-assessment?ref=sorena.io) - PDPC's self-assessment page states that organisations do not need to report every breach, but should first assess whether the incident is notifiable.

## What assessment record should prove the threshold decision?

PDPC guidance expects organisations with credible grounds to believe a breach occurred to take reasonable and expeditious steps to assess whether it is notifiable, generally within 30 calendar days. The organisation must document all steps taken in the assessment.

The assessment record should be complete enough to support the final notification or non-notification decision. For a notifiable breach, the Regulations require a chronological account of steps taken after awareness of the breach, including the organisation's assessment that the breach is notifiable.

If a data intermediary discovers a breach while processing personal data on behalf of another organisation or public agency, the intermediary's report should be treated as the incident alert; the organisation on whose behalf the data was processed still needs its own threshold assessment record.

- Capture the date and circumstances when the organisation first became aware of the breach.
- Record the affected systems, affected individuals or estimate, personal data classes, and whether the breach meets significant harm or significant scale.
- Document containment, remediation, mitigation of harm, and the reasoning for notifying or not notifying affected individuals.
- Keep evidence explaining any assessment that takes longer than 30 calendar days and any Commission notification made after the three-calendar-day notification period.

Sources for this answer:

- [Guide on Managing and Notifying Data Breaches Under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - PDPC guidance supports the 30-calendar-day assessment expectation and the need to document assessment steps.
- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Regulation 5 lists the information required in a Commission notification, including the assessment and chronology.
- [PDPC Data Breach Self-Assessment](https://www.pdpc.gov.sg/report-data-breach/self-assessment?ref=sorena.io) - PDPC's self-assessment page supports using a structured assessment before deciding whether to report a breach.

## When does the notification clock start?

The Commission notification clock starts after the organisation determines that the breach is notifiable. PDPC guidance states that the Commission must be notified as soon as practicable and no later than three calendar days after that determination.

The three-day period starts on the day after the organisation makes the notifiable-breach determination. PDPC's example says a breach determined notifiable on 1 January must be notified to the Commission by 4 January.

Affected individuals, where notification is required, must be notified as soon as practicable, at the same time as or after notifying the Commission. PDPC also says that breaches likely to attract widespread public attention or interest should be notified to the Commission before affected individuals or public/media statements.

- Record the timestamp for credible grounds to believe a breach occurred, the assessment start, the notifiable-breach determination, and each notification sent.
- Notify the Commission within three calendar days after the notifiable-breach determination, not three days after initial discovery.
- Sequence affected-individual notices at the same time as or after Commission notification when affected-individual notification is required.
- If Commission notification is late, include the reasons for late notification and supporting evidence.

Sources for this answer:

- [Guide on Managing and Notifying Data Breaches Under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - PDPC guidance supports the three-calendar-day Commission notification clock and explains when the first day begins.
- [PDPC Required to Notify the PDPC](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-3/info?ref=sorena.io) - PDPC's reporting page confirms notification to the PDPC should be as soon as practicable and no later than three calendar days.
- [PDPC Guidance on Notification to Affected Individuals](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-4/info-2?ref=sorena.io) - PDPC's affected-individual guidance supports sequencing notices to individuals at the same time as or after PDPC notification.

## Turn Singapore PDPA breach thresholds into incident records

Use this Singapore PDPA threshold guide to convert breach facts into significant-harm analysis, significant-scale counts, notification clocks, and reviewer-ready evidence.

- [Open Assessment Autopilot for Singapore PDPA](/solutions/assessment.md): Turn breach threshold questions into scoped incident intake, evidence fields, and reviewer tasks.
- [Review Singapore PDPA source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up PDPA breach questions with cited source material.
- [Talk through Singapore PDPA breach thresholds](/contact.md): Review significant harm, significant scale, notification timing, and the next compliance actions with Sorena.

## Primary sources

- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Primary Singapore legislation source for the significant-harm data breach trigger, the 500-individual significant-scale threshold, and required notification contents.
  - Quote: "the prescribed number of affected individuals is 500"
- [Guide on Managing and Notifying Data Breaches Under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - PDPC guidance source for the breach assessment process, 30-calendar-day assessment expectation, notification timing, and practical notification records.
  - Quote: "must document all steps taken in assessing the data breach"
- [PDPC Data Breach Self-Assessment](https://www.pdpc.gov.sg/report-data-breach/self-assessment?ref=sorena.io) - PDPC self-assessment source for determining whether an incident is notifiable before reporting.
  - Quote: "assess whether the data breach is notifiable under the PDPA"
- [PDPC Required to Notify the PDPC](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-3/info?ref=sorena.io) - PDPC web source confirming the three-calendar-day notification deadline after a breach is notifiable.
  - Quote: "no later than three (3) calendar days"
- [PDPC Guidance on Notification to Affected Individuals](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-4/info-2?ref=sorena.io) - PDPC web source for sequencing affected-individual notifications with PDPC notification.
  - Quote: "at the same time or after notifying the PDPC"



(c) 2026 Sorena AB (559573-7338). All rights reserved.