PDPC Releases Revised Guides on Managing Data Breaches and Active Enforcement

Date: March 19, 2021
Author: OrionW

On 15 March 2021, the Personal Data Protection Commission (PDPC) released the revised Guide on Managing and Notifying Data Breaches (Data Breach Guide) and revised Guide on Active Enforcement (Enforcement Guide) in view of recent amendments to the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) which took effect on 1 February 2021.

Guide on Managing and Notifying Data Breaches

The Data Breach Guide provides guidance on compliance with the new data breach notification (DBN) obligation introduced in the PDPA and the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (DBN Regulations) and recommends practices to prepare for and manage data breaches.

Data Breach Notification Obligation

Under the PDPA and the DBN Regulations, a data breach is notifiable if, after assessing the data breach, the organisation determines that:

  • the breach results in, or is likely to result in, significant harm to an affected individual – e.g., where the breach relates to an individual’s full name or identification number and any prescribed data under the DBN Regulations (including certain financial information and medical information); or
  • the breach is, or is likely to be, of a significant scale – i.e., where the breach involves at least 500 affected individuals.

The PDPC should be notified of the data breach as soon as practicable and no later than 3 calendar days after it is assessed to be notifiable. The affected individual(s) should also be notified of the data breach as soon as practicable, at the same time or after notifying the PDPC, unless notification is excepted or prohibited.

Preparing for and Managing Data Breaches

The Data Breach Guide gives practical tips on how to prepare for and manage data breaches, including:

  • implementing measures to identify vulnerabilities, improve early detection and prevent and remediate data breaches;
  • developing an appropriate data breach management plan that sets out how to report a data breach internally and what the composition and responsibilities of the data breach management team are; and
  • taking the following actions in response to a data breach (dubbed by the PDPC as C.A.R.E.):
      • Contain the breach and implement mitigating actions to lessen any potential harm it might cause;
      • Assess the cause and impact of the breach and the effectiveness of interim mitigating actions;
      • Report the data breach (if notifiable, as discussed above); and
      • Evaluate the organisation’s response to the breach and improve data handling practices to prevent future breaches.

Guide on Active Enforcement

The Enforcement Guide explains the PDPC’s approach to enforcing the PDPA, including in respect of the amended PDPA provisions on alternative dispute resolution, erring organisations’ written voluntary undertakings and financial penalties.

Alternative Dispute Resolution

Due to their private nature, some data protection complaints are better resolved through alternative dispute resolution methods. Accordingly, the PDPA was amended to grant the PDPC additional powers to promote resolution of complaints through facilitation of communication and (if the dispute remains unresolved) mediation between the complainant and the relevant organisation. Referral to mediation does not require the consent of any party. On the other hand, resort to alternative dispute resolution is not a prerequisite to the PDPC conducting a full investigation into the complaint. In other words, the PDPC may proceed directly to exercising its other enforcement powers where it determines that alternative dispute resolution is inappropriate in the circumstances.

Voluntary Undertaking by an Organisation

Under the new Section 48L of the PDPA, an erring organisation may now provide a written voluntary undertaking to the PDPC in lieu of the PDPC conducting a thorough investigation in relation to a specific incident.

In providing a voluntary undertaking, an erring organisation:

  • must, at or about the start of the PDPC’s investigation, make a written request to the PDPC to apply the voluntary undertaking process;
  • must have developed policies and practices to demonstrate accountability in PDPA compliance; and
  • must attach a remediation plan which addresses the cause of the incident by a target completion date, and ensure compliance with that plan.

The voluntary undertaking is effective upon its acceptance by the PDPC; however, the PDPC has full discretion whether or not to accept it. The PDPC is more likely to do so where PDPA enforcement through such an undertaking will be more efficient and/or effective than through an investigation. On the other hand, the PDPC is unlikely to accept a voluntary undertaking where, among other things, the organisation denies responsibility, the incident is a repeat of a previous breach with a similar cause, there is no remediation plan (or the plan does not show how the organisation can comply with the PDPA), or the incident was wilful or flagrant.

If the PDPC determines that an organisation has violated any term(s) of the voluntary undertaking, it may take enforcement measures against the organisation, including issuing directions to comply with the undertaking.

Financial Penalties

The amended PDPA increases the financial penalty that the PDPC may impose on breaching organisations. Previously, the maximum financial penalty was S$1 million. Once the amendment takes effect (on a date no earlier than 1 February 2022), the maximum amount will be the higher of S$1 million and 10% of the organisation’s annual turnover in Singapore.

In determining the financial penalty amount to impose, the PDPC will consider several factors, including:

  • the nature, gravity and duration of non-compliance;
  • the type and nature of personal data affected;
  • whether the non-compliance resulted in a financial gain or prevented financial loss to the erring organisation;
  • the timeliness and effectiveness of any mitigating actions taken by the erring organisation;
  • any previous non-compliance by the erring organisation;
  • whether the erring organisation complied with directions previously issued by the PDPC;
  • whether the financial penalty amount is proportionate and effective in achieving compliance and discouraging non-compliance with the PDPA; and
  • the impact of the financial penalty on the erring organisation.

Key Takeaway

Among the PDPC’s key aims in enforcing the PDPA is to instil a culture of compliance and accountability in organisations. In this regard, the PDPC will look not only to an erring organisation’s acts which led to a data breach, but also to how that organisation conducted itself after the breach occurred. Accordingly, while organisations should take appropriate steps to comply with the PDPA and to prevent data breaches, they should also take responsibility for and promptly implement suitable measures to remedy any breach that may occur.

For More Information

OrionW regularly advises clients on data protection matters. For more information about the Personal Data Protection Act, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.