Reed Smith Client Alerts

In 2012, Singapore introduced its first-ever baseline law on data protection, the Personal Data Protection Act (PDPA). The PDPA came into full force in July 2014.

Six years later, Singapore has announced that mandatory reporting will be imposed on businesses affected by a data breach.

The overarching framework

The PDPA imposes obligations on all businesses that collect, use or disclose personal data in Singapore. This includes foreign-owned and foreign-controlled businesses, even if they have no physical office in Singapore.

These obligations include having to obtain consent from individuals before using their personal data, and securing the data to prevent unauthorized access.

As of 2019, it was not compulsory for businesses to report a data breach. However, that will soon change.

When the new law is passed (as early as this year), breach reporting will be mandatory for most, but not all, data breaches.

This Client Alert is intended to summarise a number of frequently asked questions on Singapore’s new data breach notification law. 

What is a data breach? 

A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.

Is a data breach the same thing as a breach of the PDPA?

Not necessarily. A data breach refers to any unauthorized access, use, disclosure, copying, modification or disposal of (or other similar risk to) personal data (i.e., data that identifies individuals) that is held by an organization. A data breach may or may not be a breach of the PDPA, depending on the exact circumstances. Conversely, a breach of the PDPA could arise regardless of whether or not there is a data breach; for instance, an organization may have failed to comply with its access obligation under the PDPA despite receiving a legitimate request from an individual.