Chinese (Simplified) English 

The 1st Marketing Agency in Singapore with
Data Protection Trust Mark (DPTM) Awarded By IMDA

Help Your Company Comply with the PDPA in Singapore

What is the PDPA Compliance Group?

PDPA Compliance for Singapore

The PDPA Compliance Group is an organization of independent experts in personal data protection. We are professionally trained and committed to helping organisations in Singapore comply with the PDPA.

iSmart Communications is a partner of the PDPA Compliance Group in Singapore.

PDPA Compliance
ACRA Registration No. 53394982C
10 Anson Road, #26-08, International Plaza, Singapore 079903

What services does PDPA Compliance provide?

The PDPA Compliance Group provides a comprehensive suite of PDPA services in Singapore:

  1. Data Protection Officer
  2. Prepare Data Protection Policy
  3. Prepare procedures, processes, & practices for PDPA compliance
  4. Staff training on PDPA compliance in Singapore
  5. Third-party PDPA contract review
  6. Data protection system audit
  7. PDPA Incident management etc.

What is PDPA compliance in Singapore?

Singapore Personal Data Protection Act 2012 (PDPA) is a law that governs the collection, use and disclosure of personal data by all organisations.

Organisations in Singapore which fail to comply with PDPA may be fined up to $1 million and suffer reputation damage.

The PDPA covers all electronic and non-electronic personal data, regardless of whether the personal data is true or false.

The PDPA recognises both the need to protect individuals’ personal data and the need of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

A data protection regime is necessary to safeguard personal data from misuse and to maintain individuals’ trust in organisations that manage their data.

By regulating the flow of personal data among organisations, the PDPA also aims to strengthen Singapore’s position as a trusted hub for businesses

What is Personal Data?

Personal data is any information that identifies an individual. Different pieces of information, which are collected together can lead to the identification of a particular person, also constitute personal data.

What constitutes a breach of personal data?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.


What is the scope of the PDPA in Singapore?

The PDPA covers personal data stored in electronic and non-electronic formats. 

It generally does not apply to:

  • Any individual acting on a personal or domestic basis.
  • Any individual acting in his/her capacity as an employee with an organisation.
  • Any public agency in relation to the collection, use, or disclosure of personal data.
  • Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number, and similar information.


Organisations are responsible for personal data in their possession or under their control and are required to comply with these obligations when undertaking activities relating to the collection, use, or disclosure of personal data.

Every company in Singapore must appoint a Data Protection Officer (DPO)

Is a DPO mandatory?

Under the Personal Data Protection Act 2012 (PDPA), a Data Protection Officer (DPO) is mandatory when your company/organisation is collecting personal data during its operations. A DPO of your company can be one individual or a team to ensure its compliance with the PDPA of Singapore.

The following are examples of organisations required to appoint a DPO:

  • A hospital processing large sets of sensitive data;
  • A security company responsible for monitoring shopping centres and public spaces;
  • A small headhunting company that profiles individuals.

Who can be a DPO?

A DPO must be competent in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed.

What are the roles of a DPO?

The primary role of the Data Protection Officer (DPO) is to ensure that his organisation processes the personal data of its staff, customers, providers, or any other individuals in compliance with the PDPA rules.

Specifically, the responsibilities of a DPO are:

  • Developing and implementing policies and processes for the handling of personal data;
  • Ensuring that the policies and processes are adhered to throughout the organisation
  • Creating guidelines for all members of staff, and checking that they’re resolutely followed
  • Organising training courses for relevant employees, whether in-house or at external locations
  • Mentoring and monitoring the company’s Data Processors, and developing talented individuals within the team
  • Providing information when necessary to senior management, often involving highly sensitive data
  • Making sure all data is up to date, and that policies involving destruction of data are followed
  • Increasing awareness of your staff, customers, and providers of both these data protection policies and your business’ data protection obligations;
  • Handling queries and complaints regarding your business’ protection of personal data;
  • Keeping management informed of any risks to data protection that may arise; and
  • Communicating with the Personal Data Protection Commission (PDPC), where necessary.

What is the penalty for any breach of the PDPA?

From 1 October 2022, for any breach of the PDPA, an organisation that breaches the PDPA may face fines of up to: SGD 1 million; or. where the organisation's annual turnover in Singapore exceeds SGD 10 million, 10% of the organisation's Singapore turnover.

Penalties imposed under the PDPA could potentially be more stringent compared to the GPDR, which currently imposes fines of up to €20 million or 4% worldwide turnover, whichever is higher.

The new PDPA also makes it a criminal offence for individuals (including employees) to mishandle personal data or re-identify anonymised information without authorisation. The offence is punishable with an SGD 5,000 and/or imprisonment of up to two years.

Does the PDPA cover B2B databases?

The PDPA does not apply to business contact information, which may include name, business title, corporate telephone numbers, business addresses, and business email addresses.

Such contact information is made publicly available to facilitate commerce and trade. Organisations will not be required to obtain consent prior to collection, use, or disclosure.

In addition, organisations sending business-to-business (B2B) marketing messages through phone calls, SMS, or fax are not required to comply with the Do Not Call provisions.


Discover How to Stay Current on Emerging Tech in 2023

Download Your FREE eBook: How to Stay Current on Emerging Tech in 2023


Emerging technology is changing more than just the way we work. New Call-to-actionIt’s changing the way we shop. It’s changing the way we care for ourselves. It’s changing the way we travel. It’s changing the way we meet our soulmates. It’s much bigger than us and whether or not we have an obvious business need for it. 

Thanks in large part to emerging technology, it’s no longer “business as usual.” And it’s up to us to figure out exactly what that means for our strategies, our structures, and the future of our businesses.

Download our most popular eBook ’How to Stay Current on Emerging Tech in 2023’ where you will learn:

  • Why It’s Hard to Keep Up With Emerging Tech
  • 5 Tips & Systems for Keeping Up With Emerging Tech
  • Our Collection of Recommended Emerging Tech Resources
  • ...and more!

Fill in your name and business email address on the right to gain immediate access to your free eBook!


Download the Free eBook Today

By supplying your contact information, you authorise iSmart Communications Pte Ltd to contact you with further information.

* Required


Why do I need to fill out the information requested?

We will always keep your personal information safe. We ask for your information in exchange for a valuable resource in order to (a) improve your browsing experience by personalizing the iSmart Communications Pte Ltd site to your needs; (b) send information to you that we think may be of interest to you by email or other means; (c) send you marketing communications that we think may be of value to you. You can read more about our privacy policy here.

Is this really free?

Absolutely. Just sharing some free knowledge that we hope you’ll find useful. Keep us in mind next time you have marketing questions!