
Singapore PDPA Compliance checklist

Review Singapore PDPA readiness across scope, accountability, notices, consent, vendors, security, retention, breach notification, DNC marketing, overseas transfers, and evidence records.

This checklist is implementation support grounded in PDPC guidance and official Singapore sources; it does not supersede legal interpretation guidance.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

Use this Singapore PDPA checklist before launching or reviewing a product, campaign, vendor integration, data-sharing arrangement, or breach workflow that handles individuals' personal data in Singapore.

1. Confirm PDPA scope and processing purpose

Start with the fact pattern. The PDPA governs organisations' collection, use, and disclosure of individuals' personal data, and PDPC guidance frames the data protection provisions around reasonable purposes, notification, consent, individual rights, accuracy, protection, retention, transfers, breaches, and accountability.

  • Identify the organisation, product or service, Singapore touchpoint, system, data categories, individual groups, and whether any data is business contact information rather than personal data used for personal purposes.
  • Write the collection, use, or disclosure purpose in plain language and check that a reasonable person would consider it appropriate in the circumstances.
  • Mark whether the activity relies on consent, deemed consent, a PDPA exception, contractual necessity, legitimate interests, publicly available data, or another supported basis before collecting or using the data.
  • Record any sector-specific law, customer contract, public-agency involvement, or overseas recipient that may change the PDPA analysis.

2. Assign DPO accountability and operating controls

The checklist should not stop at a named owner. PDPC guidance says organisations must designate one or more individuals responsible for PDPA compliance, while legal responsibility remains with the organisation. The operating record should therefore show who owns the control, who can answer questions, and how the policy is implemented.

  • Confirm a DPO or equivalent designated individual, their business contact information, and whether the contact route is readily accessible from Singapore.
  • Verify that policies and practices cover the relevant activity, are available to the intended readers, and are backed by monitoring mechanisms and process controls.
  • Check that the complaint process, staff training, and internal communications cover the product, vendor, campaign, or incident workflow being reviewed.
  • Keep DPO review evidence for material launches, new data uses, high-risk datasets, vendor onboarding, transfer approvals, and breach assessments.

4. Review data intermediary and vendor controls

When a vendor processes personal data on behalf of and for the purposes of another organisation under a written or evidenced contract, PDPC guidance treats that vendor as a data intermediary for those processing activities. The organisation still needs the contract, supervision, and escalation evidence that show the outsourced processing is controlled.

  • Classify each vendor as data intermediary, independent organisation, joint arrangement, sub-contractor, or non-PDPA support service for the specific processing activity.
  • Verify that the written contract or written evidence defines processing scope, permitted data, security requirements, retention or deletion duties, sub-contracting approval, audit or review rights, and breach escalation.
  • Check onboarding evidence: data-flow diagram, system access, personal data categories, location of processing, transfer route, service owner, and DPO or privacy review.
  • Require incident reporting without undue delay where the data intermediary becomes aware of a data incident or breach.

5. Test protection, accuracy, and retention controls

The checklist should tie each dataset to a control owner and deletion rule. PDPC guidance describes care of personal data as including accuracy, protection, retention, and transfer, and the data intermediary guide cites the retention limitation requirement to cease retaining documents or remove identifiability when the original purpose is no longer served and retention is no longer legally or commercially necessary.

  • List the personal data categories, sensitivity, storage location, access groups, privileged users, encryption or access-control measures, logging, backup treatment, and incident monitoring.
  • Check accuracy controls where the data is likely to be used to make a decision affecting an individual or disclosed to another organisation.
  • Document the retention trigger: purpose served, legal or business need, deletion action, anonymisation or de-identification action, system owner, and exception approval.
  • Confirm that disposal applies to source systems, exports, support tickets, data lakes, analytics workspaces, backups where operationally feasible, and vendor-held copies.

6. Prepare breach assessment and notification evidence

A breach checklist must include assessment evidence, not just an escalation address. PDPC guidance requires organisations with credible grounds to believe a breach occurred to take reasonable and expeditious steps to assess whether it is notifiable. The guide states that organisations should generally complete that assessment within 30 calendar days, notify PDPC no later than three calendar days after determining a breach is notifiable, and notify affected individuals where required.

  • Record discovery time, reporter, impacted systems, containment steps, data categories, estimated affected individuals, evidence preservation, and whether a data intermediary or sector regulator is involved.
  • Assess notifiability for significant harm and significant scale; PDPC guidance states that significant scale means personal data of 500 or more individuals.
  • If notifiable, prepare the PDPC notification with facts, affected data, number of individuals, potential harm, remediation steps, and a chronological account of assessment and response.
  • If affected individuals must be notified, prepare clear guidance on what happened, what data was affected, potential harm, actions taken, and protective steps individuals can take.
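The notifiability test and the two timing windows described above, as an added Python example that is not part of this page or of PDPC guidance. The significant-harm flag is assumed to come from the organisation's own harm assessment, the breach records in the test are constructed, and the "overdue" flags are a helper for the evidence log, not a legal determination.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SIGNIFICANT_SCALE = 500        # PDPC: significant scale means 500 or more individuals
ASSESSMENT_WINDOW_DAYS = 30    # assessment should generally be completed within 30 calendar days
PDPC_NOTICE_WINDOW_DAYS = 3    # notify PDPC no later than 3 calendar days after determination


@dataclass
class BreachRecord:
    discovered_on: date                  # discovery time from the incident record
    affected_individuals: int            # estimate is acceptable while assessment is running
    significant_harm: bool               # assumed input: outcome of the harm assessment
    determined_on: Optional[date] = None  # date notifiability was determined, if done


def assess_breach(rec: BreachRecord, today: date) -> dict:
    """Apply the significant-harm / significant-scale test and compute deadlines."""
    assess_by = rec.discovered_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)

    reasons = []
    if rec.significant_harm:
        reasons.append("significant harm")
    if rec.affected_individuals >= SIGNIFICANT_SCALE:
        reasons.append(
            f"significant scale ({rec.affected_individuals} >= {SIGNIFICANT_SCALE})")

    result = {
        "notifiable": bool(reasons),
        "reasons": reasons,
        "assess_by": assess_by,
        # still assessing and the 30-day window has passed
        "assessment_overdue": rec.determined_on is None and today > assess_by,
        # determination was recorded after the 30-day window
        "assessment_late": rec.determined_on is not None and rec.determined_on > assess_by,
        "notify_pdpc_by": None,
        "pdpc_notice_overdue": False,
    }

    # The 3-day PDPC clock only starts once the breach is determined to be notifiable.
    if reasons and rec.determined_on is not None:
        notify_by = rec.determined_on + timedelta(days=PDPC_NOTICE_WINDOW_DAYS)
        result["notify_pdpc_by"] = notify_by
        result["pdpc_notice_overdue"] = today > notify_by
    return result
```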

7. Check DNC marketing messages separately

Marketing campaigns need both PDPA personal-data checks and DNC checks when specified messages are sent to Singapore telephone numbers. PDPC DNC guidance says senders must check the relevant DNC Register unless they have clear and unambiguous consent in evidential form, and DNC results are valid for 21 days from receipt.

  • Classify each channel: voice call, SMS, fax, messaging app using a Singapore telephone number, email, in-app message, or another route.
  • For specified messages to Singapore telephone numbers, record the relevant DNC register checked, check date, result receipt date, number list version, checker identity, and expiry of the 21-day result window.
  • If relying on consent instead of a DNC check, retain the exact wording, positive action, timestamp, source form, telephone number, withdrawal channel, and evidence that consent was clear and unambiguous.
  • Block campaigns that use dictionary attacks or address-harvesting software to obtain recipient telephone numbers, even if a DNC check was performed.

8. Validate overseas transfers and data-sharing contracts

For overseas transfers, the checklist should show how the transferring organisation ensured comparable protection. PDPC guidance says the transfer limitation obligation requires an organisation to ensure personal data transferred overseas is protected to a standard comparable with the data protection provisions, and PDPC recognises ASEAN Model Contractual Clauses as one available contractual tool.

  • Identify the exporter, recipient, country or territory, purpose, data categories, transfer method, onward transfer path, and whether the recipient is an organisation or data intermediary.
  • Record the transfer mechanism: contract clauses, binding corporate rules, specified certification, consent with written summary of comparable protection, contractual necessity, vital interests, national interest, data in transit, or publicly available data.
  • Where using contracts, include purpose limits, protection, retention, access and correction where relevant, breach notification, sub-processing, and audit or review evidence.
  • For ASEAN MCC use, check whether modifications are needed for PDPA terms such as living or deceased persons, breach notification timing, and responsibility for contacting affected individuals.

9. Keep the evidence record audit-ready

Close the checklist with an evidence index that a DPO, incident responder, marketing owner, or vendor manager can inspect later. The record should prove what was reviewed, which source supported it, who approved it, what changed, and which follow-up actions remain open.

  • Keep data inventory rows for each system, purpose, data category, individual group, source, disclosure recipient, overseas transfer, retention rule, and owner.
  • Attach notice copies, consent logs, withdrawal tickets, legitimate interests or deemed consent assessments, DNC check exports, vendor contracts, transfer clauses, breach assessment logs, and individual notification drafts where relevant.
  • For each exception or risk acceptance, record the factual trigger, PDPC source relied on, mitigations, approver, expiry or review date, and reason the activity may proceed.
  • Review the checklist after material product changes, new vendors, new marketing channels, breach exercises, complaints, PDPC guidance changes, or changes to data retention and transfer arrangements.

Primary sources

References and citations

  • pdpc.gov.sg: supports evidence for legitimate interests decisions because PDPC provides an assessment structure for documenting the purpose, benefit, adverse effect, and safeguards. Quoted passage: "organisations may wish to conduct their own"
  • dnc.gov.sg: supports operational DNC evidence because the DNC Registry business-rules page explains main accounts and sub-accounts for organisations or individuals checking the DNC Registry. Quoted passage: "perform telephone number checks against the DNC Registry"
  • pdpc.gov.sg: supports transfer checks because the guidance explains comparable protection, due diligence, legally enforceable obligations, certifications, and transfer scenarios. Quoted passage: "protected to a standard comparable with the Data Protection Provisions"
  • pdpc.gov.sg: supports DNC checklist items because the guidance covers specified messages, the duty to check the DNC Register, clear and unambiguous consent, the 21-day validity period, third-party checkers, and the dictionary-attack and address-harvesting prohibitions. Quoted passage: "before a person sends a specified message"
  • pdpc.gov.sg: supports evidence-record checks because the DPMP guide recommends inventories, monitoring, incident logs, remediation plans, audits, regular reviews, and communication of policy changes. Quoted passage: "document data incidents and data breaches in an incident record log"
  • pdpc.gov.sg: supports retention controls because the guide cites section 25's requirement to stop retaining documents or remove identifiability when the purpose and legal or business need no longer support retention. Quoted passage: "cease to retain its documents containing personal data"
  • pdpc.gov.sg: supports the PDPC notification timing check because PDPC states that a notifiable breach should be reported as soon as practicable and no later than three calendar days. Quoted passage: "no later than three (3) calendar days"
  • pdpc.gov.sg: supports cross-border contract checks because PDPC recognises ASEAN MCCs for the transfer limitation obligation and recommends PDPA-specific clarifications for breach timing and affected-individual responsibility. Quoted passage: "recognises and encourages the use of the ASEAN MCCs"