---
title: "Singapore PDPA breach notification thresholds FAQ"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/faq/breach-thresholds"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/faq/breach-thresholds"
author: "Sorena AI"
description: "FAQ on Singapore PDPA notifiable data breach tests: significant harm, significant scale, 500 affected individuals, assessment timing, PDPC notices, and affected-individual notices."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Singapore PDPA breach notification"
  - "notifiable data breach"
  - "significant harm"
  - "significant scale"
  - "PDPC notification"
  - "Singapore PDPA"
  - "Data breach notification"
  - "PDPC"
---

# Singapore PDPA breach notification thresholds FAQ

FAQ on Singapore PDPA notifiable data breach tests: significant harm, significant scale, 500 affected individuals, assessment timing, PDPC notices, and affected-individual notices.


## Singapore PDPA breach thresholds

A Singapore PDPA data breach is notifiable when it is likely to result in significant harm to affected individuals or affects a significant scale of individuals.

Use this FAQ to apply the PDPC assessment clock, the 500-individual significant-scale threshold, PDPC notice timing, and affected-individual notice timing, and to keep the evidence records each step needs; every answer is backed by the official sources listed under it.

This FAQ explains how implementation teams should assess Singapore PDPA breach notification thresholds after a personal data breach, using official PDPC guidance and the Personal Data Protection (Notification of Data Breaches) Regulations 2021. Timings in this page are source-linked; verify current legal source language before implementation decisions.

## When is a Singapore PDPA data breach notifiable?

A Singapore PDPA data breach is notifiable if either threshold is met: the breach is likely to result in significant harm to affected individuals, or it affects a significant scale of individuals. PDPC guidance states that organisations do not need to report every breach, but they must assess whether the breach is notifiable.

In implementation terms, start every incident record with four facts: what personal data was affected, how the breach occurred, how many individuals are affected or likely affected, and whether the data type or circumstances create likely significant harm.

- Treat significant harm and significant scale as separate tests; either one can make the breach notifiable to the PDPC.
- Do not wait for a final root-cause report before starting the notifiability assessment once credible grounds exist.
- If the answer is uncertain, PDPC's self-assessment guidance encourages organisations to err on the side of caution.

Sources for this answer:

- [PDPC self-assessment for organisations experiencing data breaches](https://www.pdpc.gov.sg/report-data-breach/self-assessment?ref=sorena.io) - Supports the point that organisations should assess notifiability and that not every breach must be reported.
- [PDPC report your organisation's data breach](https://www.pdpc.gov.sg/report-data-breach?ref=sorena.io) - Supports the two notifiable breach triggers: likely significant harm or significant scale.

## What counts as significant harm under Singapore PDPA breach notification rules?

The Notification of Data Breaches Regulations deem a breach to result in significant harm when it involves specified combinations of personal data. The core statutory examples are a full name, alias, or identification number together with prescribed personal data in the Schedule, or account access data such as an account identifier together with a password, security code, access code, security-question response, biometric data, or other account-access credential.

For a working incident triage, classify the affected fields before deciding the notice path. If account access credentials or prescribed identity-linked data are involved, escalate the incident as a likely significant-harm case unless counsel or the DPO documents a supported reason otherwise.

- Record whether the incident involves full name, alias, identification number, account identifier, password, security code, access code, security-question response, biometric data, or comparable account-access data.
- Separate the data-type analysis from the number-of-individuals analysis so a small breach involving high-risk data is not missed.
- Use the affected-individual notice draft to identify concrete harms and protective steps such as password changes, card cancellation, account monitoring, or misuse prevention.

Sources for this answer:

- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Defines when a data breach is deemed to result in significant harm for PDPA breach notification.
- [PDPC Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Explains that prescribed personal data in the DBN Regulations makes affected-individual and PDPC notification required.

## What counts as significant scale, and why does the 500-person threshold matter?

A data breach is of significant scale when it involves the personal data of 500 or more affected individuals. PDPC guidance says the organisation must notify the Commission when a breach affects 500 or more individuals even if the breach does not involve prescribed personal data that would otherwise trigger the significant-harm test.

If the exact count is unknown, use a reasonable initial estimate. PDPC guidance says organisations should notify the Commission when they have reason to believe the affected number is at least 500 and may later update the Commission with the actual number.

- Use 500 affected individuals as the operational escalation threshold for significant scale.
- Count people, not records, rows, accounts, or files; preserve the method used to estimate the affected population.
- Do not treat the absence of prescribed high-risk data as the end of the assessment when the affected population may be 500 or more.

Sources for this answer:

- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Sets the prescribed number for a significant-scale data breach at 500 affected individuals.
- [PDPC Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Explains that 500 or more affected individuals requires Commission notification even without prescribed personal data.

## How quickly must the organisation assess and notify the PDPC?

Once the organisation has credible grounds to believe a data breach occurred, PDPC guidance says it must take reasonable and expeditious steps to assess whether the breach is notifiable within 30 calendar days. If the assessment cannot be completed within 30 days, the organisation should be ready to explain the time taken or required.

After the organisation determines that the breach is notifiable, it must notify the PDPC as soon as practicable and no later than three calendar days. PDPC guidance states that the three-day period starts on the day after the determination that the breach is notifiable.

- Open the 30-calendar-day assessment tracker from the point credible grounds exist, including discovery by monitoring, public alert, or data intermediary notification.
- Open the three-calendar-day PDPC notification tracker from the notifiability determination, not from the first incident alert.
- If PDPC notification is late, keep the reasons and supporting evidence because the Regulations require those details in the notice.

Sources for this answer:

- [PDPC Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Supports the 30-calendar-day assessment expectation and the three-calendar-day PDPC notification timeframe.
- [PDPC required to notify the PDPC](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-3/info?ref=sorena.io) - States that notifiable breaches should be notified to the PDPC as soon as practicable and no later than three calendar days.
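The two threshold tests and the two clocks described above, as an added Python triage example (not code from the page or from Sorena): the field labels, the `schedule_data_present` flag standing in for prescribed Schedule data, and the reading of the three-day window as ending on determination day plus three are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constants taken from the FAQ text (DBN Regulations 2021 and PDPC guidance).
SIGNIFICANT_SCALE_THRESHOLD = 500   # affected individuals, counted as people
ASSESSMENT_WINDOW_DAYS = 30         # calendar days from credible grounds
PDPC_NOTICE_WINDOW_DAYS = 3         # calendar days, day 1 is the day after determination

# Field labels are constructed for this example; they mirror the FAQ's categories.
IDENTITY_FIELDS = {"full_name", "alias", "identification_number"}
ACCESS_CREDENTIAL_FIELDS = {
    "password", "security_code", "access_code",
    "security_question_response", "biometric_data",
}


@dataclass
class Incident:
    affected_fields: set[str]            # labels from the data-field inventory
    affected_individuals: int            # people, not rows or records
    count_is_estimate: bool = False      # reasonable initial estimate, to be updated later
    schedule_data_present: bool = False  # assumed flag: prescribed Schedule data present
    credible_grounds_on: date | None = None
    determined_on: date | None = None    # date the breach was determined notifiable


@dataclass
class Assessment:
    significant_harm: bool
    significant_scale: bool
    reasons: list[str] = field(default_factory=list)
    assess_by: date | None = None
    notify_pdpc_by: date | None = None

    @property
    def notifiable(self) -> bool:
        # Either test alone makes the breach notifiable.
        return self.significant_harm or self.significant_scale


def significant_harm_test(fields: set[str], schedule_data_present: bool) -> tuple[bool, list[str]]:
    """Deemed significant harm via either combination the FAQ describes."""
    reasons = []
    if fields & IDENTITY_FIELDS and schedule_data_present:
        reasons.append("identity field combined with prescribed Schedule data")
    if "account_identifier" in fields and fields & ACCESS_CREDENTIAL_FIELDS:
        reasons.append("account identifier combined with an access credential")
    return bool(reasons), reasons


def significant_scale_test(count: int, is_estimate: bool) -> tuple[bool, list[str]]:
    """500 or more affected individuals, confirmed or reasonably estimated."""
    if count >= SIGNIFICANT_SCALE_THRESHOLD:
        kind = "estimated" if is_estimate else "confirmed"
        return True, [f"{kind} affected individuals {count} >= {SIGNIFICANT_SCALE_THRESHOLD}"]
    return False, []


def assess(incident: Incident) -> Assessment:
    harm, harm_reasons = significant_harm_test(incident.affected_fields, incident.schedule_data_present)
    scale, scale_reasons = significant_scale_test(incident.affected_individuals, incident.count_is_estimate)
    result = Assessment(harm, scale, harm_reasons + scale_reasons)
    # The 30-day assessment clock runs from credible grounds, not from the root-cause report.
    if incident.credible_grounds_on:
        result.assess_by = incident.credible_grounds_on + timedelta(days=ASSESSMENT_WINDOW_DAYS)
    # The PDPC clock runs from the determination; with day 1 being the day after,
    # the last permitted day is determination + 3 (assumed reading of the guidance).
    if result.notifiable and incident.determined_on:
        result.notify_pdpc_by = incident.determined_on + timedelta(days=PDPC_NOTICE_WINDOW_DAYS)
    return result
```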

## When must affected individuals be notified?

PDPC guidance says organisations must notify affected individuals as soon as practicable, at the same time as or after notifying the PDPC. For breaches likely to attract widespread public attention or interest, the PDPC affected-individual guidance says to notify the PDPC first before notifying individuals or issuing a public or media statement.

The affected-individual notice should be practical rather than merely formal. The Regulations require information about how the organisation became aware of the breach, the affected personal data, potential harm, actions taken or planned, steps the individual may take to reduce harm, and business contact information for an authorised representative.

- Prepare affected-individual notices in parallel with PDPC notification, but send them at the same time as or after notifying the PDPC.
- Notify the PDPC first before public statements where the breach is likely to attract widespread public attention or interest.
- Make the notice clear enough for the individual to act: what happened, what data was affected, what harm is possible, what the organisation is doing, and what the individual should do.

Sources for this answer:

- [PDPC guidance on notification to affected individuals](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-4/info-2?ref=sorena.io) - Supports affected-individual timing and the PDPC-first approach for high-public-interest breaches.
- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Lists the information that must be included in notification to affected individuals.

## What evidence records should support a Singapore PDPA breach-threshold decision?

Keep evidence that proves the assessment was timely, source-linked, and based on the data actually affected. PDPC guidance says organisations must document all steps taken in assessing whether a breach is notifiable, and the Regulations require the PDPC notice to include a chronological account of steps taken after awareness of the breach.

The minimum useful record is an incident chronology, data-field inventory, affected-individual count or estimate, significant-harm analysis, significant-scale analysis, notifiability determination time, PDPC notification time, affected-individual notification plan, mitigation actions, and any late-notification explanation with supporting evidence.

- Preserve the moment credible grounds existed, the assessment start time, and the notifiability determination time.
- Keep the affected data categories and count methodology with links to logs, exports, vendor notices, or forensic findings used in the assessment.
- Where the breach is notifiable but the organisation decides not to notify affected individuals, record the grounds for that decision.

Sources for this answer:

- [PDPC Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Supports documenting assessment steps and keeping evidence for late notification explanations.
- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Requires the PDPC notice to include a chronological account of post-awareness steps and late-notification evidence where applicable.

## Primary sources

- [PDPC Guide on Managing and Notifying Data Breaches under the PDPA](https://www.pdpc.gov.sg/help-and-resources/2021/01/data-breach-management-guide?ref=sorena.io) - Primary PDPC implementation guide for assessment timing, significant-harm and significant-scale criteria, PDPC notification timing, affected-individual notification timing, and evidence records.
  - Quote: "reasonable and expeditious steps to assess whether the data breach is notifiable"
- [Personal Data Protection (Notification of Data Breaches) Regulations 2021](https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?ref=sorena.io) - Legal source for significant-harm categories, the 500-individual significant-scale threshold, and required contents of PDPC and affected-individual notifications.
  - Quote: "the prescribed number of affected individuals is 500"
- [PDPC self-assessment for organisations experiencing data breaches](https://www.pdpc.gov.sg/report-data-breach/self-assessment?ref=sorena.io) - Supports using PDPC's self-assessment tool as a guide while recognising that organisations must still assess notifiability.
  - Quote: "the result is not definitive"
- [PDPC required to notify the PDPC](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-3/info?ref=sorena.io) - PDPC page confirming notifiable breaches should be reported as soon as practicable and no later than three calendar days.
  - Quote: "no later than three (3) calendar days"
- [PDPC guidance on notification to affected individuals](https://www.pdpc.gov.sg/report-data-breach/before-you-report-a-data-breach-4/info-2?ref=sorena.io) - PDPC page confirming affected-individual notices should be sent at the same time as or after PDPC notification, with PDPC-first handling for high-public-interest breaches.
  - Quote: "at the same time or after notifying the PDPC"
- [PDPC report your organisation's data breach](https://www.pdpc.gov.sg/report-data-breach?ref=sorena.io) - PDPC reporting page describing when organisations are legally required to notify the PDPC and affected persons.
  - Quote: "likely to cause significant harm"


