Singapore’s Personal Data Protection Act (PDPA) applies to virtually every business that collects, uses, or discloses personal data in Singapore. For small and medium enterprises (SMEs), understanding your PDPA obligations is not optional — non-compliance can result in financial penalties of up to S$1 million per breach (and higher under the 2021 amendments), as well as reputational damage that can be fatal for a growing business. This guide sets out what Singapore SMEs need to know about PDPA compliance in 2026.
What Is the PDPA and Who Does It Apply To?
The Personal Data Protection Act 2012 (PDPA) is Singapore’s primary data protection legislation. It governs the collection, use, disclosure, and care of personal data by organisations operating in Singapore. The PDPA applies to all private sector organisations — including sole proprietorships, partnerships, and companies of all sizes.
Key exemptions include: public agencies (which are governed by separate legislation), data processed purely for personal or domestic purposes, and business contact information (such as names, business email addresses, and telephone numbers used for business communications).
The PDPA is administered by the Personal Data Protection Commission (PDPC), which has the power to investigate complaints, conduct audits, and impose financial penalties on organisations that breach the Act.
The 2021 Amendments — What Changed
The PDPA was significantly amended in 2021. The key changes that continue to affect SMEs in 2026 include:
Mandatory data breach notification: Organisations must notify the PDPC and affected individuals of data breaches that are likely to result in significant harm or are of a significant scale. Notification to the PDPC must occur within 3 calendar days of assessing the breach. This is a strict timeline that requires SMEs to have a data breach response plan in place before an incident occurs.
Increased financial penalties: The maximum financial penalty was increased to S$1 million or 10% of an organisation’s annual turnover in Singapore — whichever is higher — for organisations with annual local turnover exceeding S$10 million. For smaller organisations, the S$1 million cap applies. This makes PDPA enforcement materially more significant than before the 2021 amendments.
Deemed consent by contractual necessity: The amendments introduced a new basis for processing personal data — “deemed consent by contractual necessity” — which allows organisations to rely on implicit consent in limited circumstances. This is relevant for SMEs that collect personal data as part of service delivery where explicit opt-in consent is not always obtained.
Right to data portability (not yet in force): The 2021 amendments included a data portability obligation allowing individuals to request that their data be transferred to another organisation. This obligation is being implemented in phases and may affect certain sectors of Singapore businesses.
Key PDPA Obligations for Singapore SMEs
The PDPA imposes nine main data protection obligations on organisations. For SMEs, the most practically significant are:
1. Consent Obligation: You must obtain consent before collecting, using, or disclosing personal data, unless an exception applies. Consent must be voluntary, informed, and given for a specific purpose. Pre-ticked checkboxes and bundled consent are generally not acceptable.
2. Purpose Limitation Obligation: Personal data may only be collected, used, or disclosed for purposes the individual was notified of and consented to. You cannot use data collected for one purpose (e.g., processing a purchase) for a different purpose (e.g., marketing) without obtaining fresh consent.
3. Notification Obligation: Before collecting personal data, individuals must be informed of the purposes for collection. This is typically done via a privacy notice or policy on your website and at your point of data collection.
4. Access and Correction Obligation: Individuals have the right to request access to their personal data held by your organisation, and to request corrections. You must respond within 30 days.
5. Accuracy Obligation: Take reasonable steps to ensure personal data is accurate and complete, particularly where it will be used to make decisions that affect the individual.
6. Protection Obligation: Implement reasonable security arrangements to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. This includes both technical measures (e.g., encryption, access controls) and organisational measures (e.g., staff training, data handling policies).
7. Retention Limitation Obligation: Do not retain personal data beyond the time it is needed for its original purpose. Have a clear data retention policy and delete or anonymise data when it is no longer required.
8. Transfer Limitation Obligation: When transferring personal data overseas, ensure the recipient country provides a comparable standard of protection, or obtain contractual assurances from the recipient.
Practical PDPA Compliance Steps for SMEs
For most Singapore SMEs, achieving baseline PDPA compliance involves the following steps:
Step 1 — Data mapping: Identify what personal data your business collects, where it is stored, who has access to it, and how long it is retained. This data inventory forms the foundation of your compliance programme.
Step 2 — Privacy notice: Publish a clear, accessible privacy notice on your website and at your points of data collection. The notice should explain what data you collect, why you collect it, how you use it, and who you share it with.
Step 3 — Consent mechanisms: Review your data collection forms and processes to ensure valid consent is obtained. Remove pre-ticked boxes and ensure opt-in checkboxes are specific and clearly worded.
Step 4 — Data Protection Officer (DPO): Designate a Data Protection Officer — a person or team responsible for PDPA compliance. For SMEs, this can be an internal employee with additional responsibilities. The DPO’s business contact information must be made publicly available.
Step 5 — Data breach response plan: Establish a documented process for detecting, assessing, and reporting data breaches. Given the 3-day mandatory notification requirement, having a plan ready before an incident is essential.
Step 6 — Staff training: Ensure all staff who handle personal data understand their PDPA obligations. The PDPC offers free e-learning resources on its website.
For a comprehensive overview of obligations and guidance, the PDPC’s PDPA Advisory Guidelines are the authoritative starting point.
PDPA and Your Business Operations
PDPA compliance touches many aspects of daily business operations. Consider these common scenarios for Singapore SMEs:
Customer databases: If you maintain a customer mailing list or CRM, ensure each contact has given valid consent to receive marketing communications. The PDPA’s Do Not Call (DNC) Registry provisions also apply — check numbers against the DNC Registry before sending unsolicited marketing messages via phone or SMS.
Employee personal data: Personal data collected during employment (e.g., CPF records, medical certificates, payroll data) is subject to the PDPA. Employees should be informed of how their data is used, and access should be restricted to authorised personnel only.
Third-party vendors: When engaging vendors (e.g., payroll processors, HR software providers, IT support) who will access or process personal data on your behalf, ensure your contracts include data protection clauses consistent with the Transfer Limitation Obligation.
For SMEs managing corporate compliance, HR records, and accounting data, Raffles Corporate Services can assist with structuring your data handling processes. We also provide corporate secretarial services, accounting and bookkeeping, and payroll services that are designed to help SMEs maintain proper records while staying compliant.
Contact Us
If you need help reviewing your organisation’s data protection practices or implementing PDPA compliance measures, contact Raffles Corporate Services at [email protected] or call +65 8501 7133. Our office is at 10 Anson Road, #10-11 International Plaza, Singapore 079903.
The Editorial Team, Raffles Corporate Services