A Practical Blueprint for PDPA Compliance

The Personal Data Protection Act (PDPA) is not just a legal formality — it’s a core requirement for doing business in Singapore.

Whether you’re a startup, an SME, or a large organization, your customers expect you to take their data seriously.

However, figuring out how to comply with PDPA can feel like trying to hit a moving target.

That’s why we’ve created this practical compliance checklist to help you break it down, step by step. No legal jargon — just what you actually need to do.

Important note: This checklist is a starting point, not a one-size-fits-all solution. Every industry, business model, and operation has its own specifics. Financial services, healthcare, SaaS startups: each faces different obligations, risks, and expectations. Treat this as your blueprint, but adapt it to your own context, and read the full post for the clarifications behind each item.


What is the PDPA?

Singapore’s Personal Data Protection Act (PDPA) sets out a baseline framework for safeguarding personal data across the country.

The PDPA outlines key obligations around how personal data is collected, used, disclosed, and managed. It places accountability on organizations to handle data responsibly and transparently.

It works alongside sector-specific laws to ensure a consistent standard of data protection.

The Act also introduced Singapore’s Do Not Call (DNC) Registry, allowing individuals to register their phone numbers and opt out of receiving unsolicited telemarketing messages.

1. Designate an Individual Responsible for PDPA Compliance (DPO)

Under the PDPA, every organization must designate at least one individual to be responsible for data protection, regardless of size, industry, or structure.

This applies to startups, freelancers, and non-profits too. However, the Personal Data Protection Commission (PDPC) is pragmatic.

If you’re a small business or resource-limited, you’re allowed to assign the role to an existing staff member — they don’t need to be a full-time DPO. In some cases, you can even outsource the DPO function.

Minimum requirement:

  • Have someone responsible for PDPA compliance.
  • Make their contact info available to the public (website, contact form, etc.).
  • They must be reachable by both the public and the PDPC.

Pro Tip: You don’t need a legal background to be a DPO, but you should understand your business processes and have PDPA awareness.

How Data Privacy Manager helps: DPM gives your DPO a central platform to manage privacy workflows, track compliance efforts, and maintain visibility across departments. DPM makes the role structured and sustainable.

2. Map Your Data Inventory

Know what personal data you have — and where it lives.

Before you can protect data, you need to know exactly where your data is.

This is where most businesses make a mistake — they underestimate how many systems, emails, apps, and spreadsheets hold personal data.

Under the Act, personal data means data, whether true or not, about an individual who can be identified (a) from that data, or (b) from that data and other information to which the organization has or is likely to have access. Note the second limb: a customer ID or a device identifier is personal data if you hold the lookup table that resolves it.

Minimum requirement:

  • List all the types of personal data you collect, use, or share.
  • Identify where the data is stored (cloud apps, servers, shared drives, printed forms, etc.).
  • Map how it flows through your organization — from collection to storage to deletion.

Pro Tip: Start small. Pick one key process (like employee onboarding) and trace all the data it touches. You’ll be amazed how many hidden corners it spreads into — HR software, Slack chats, or random folders.

Why this matters: If you don’t know what you have, you can’t assess risk, apply security, respond to access requests, or fulfill your legal obligations.

Bonus: Most companies are sitting on data they don’t need — and that’s a liability under PDPA.

How Data Privacy Manager helps: Our Data Discovery helps you discover, categorize, and track personal data across systems, departments, and vendors. With DPM, you don’t just build a data inventory — you maintain it.

3. Get Proper Consent

No more ambiguous checkboxes or silent assumptions.

Under the PDPA, consent is only valid if the individual has been notified of the purpose and voluntarily provides it.

That means no auto-filled boxes, no “by using this site, you agree…”, and definitely no collecting more than you need.

Consent under the PDPA can be established in several ways:

  • Express consent: a clear, explicit agreement, e.g. someone ticks an unticked box or signs a form.
  • Deemed consent by conduct: the individual voluntarily provides their data for a purpose they are aware of, e.g. giving their details to sign up for a workshop.
  • Deemed consent by notification: you notify the individual of the intended purpose and give them a reasonable period to opt out. This requires safeguards, including an assessment beforehand that the use is unlikely to have an adverse effect on them.
  • Legitimate interests exception: not consent at all, but an alternative basis for collecting, using or disclosing data without it, subject to its own assessment and disclosure requirements.

Here’s the catch: You can’t just rely on vague disclaimers or lump 10 uses into one “I agree” statement. The consent must match the specific purpose for which the data is being collected.

Minimum requirement:

  • Clearly explain what data you’re collecting and why.
  • Make it easy for users to give (and withdraw) consent.
  • Don’t bundle unrelated purposes into a single checkbox (e.g., marketing + service delivery).
  • Don’t use pre-ticked boxes or silence as consent.

Pro Tip: Keep a record of when and how each individual gave consent. It’s your best defense in case of a complaint.

What if someone says “no”?
You must respect it. PDPA is very clear: consent is not forever.

Withdrawal must be honoured after reasonable notice, and you should tell the individual what the likely consequences of withdrawing are (for example, that you can no longer deliver the service). After withdrawal you can only continue to collect, use or disclose the data if the PDPA allows it without consent, e.g. to meet a legal obligation or under the legitimate interests exception.
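The consent rules above (one purpose per checkbox, no pre-ticked boxes, a record of when and how consent was given, and withdrawal that must be honoured) map cleanly onto a small append-only ledger. The following is an added example written for this post, not code from Data Privacy Manager or from the PDPC; the purpose names, form field layout and method labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision kept as evidence: who, which purpose, yes/no, how, when."""
    individual_id: str
    purpose: str
    granted: bool
    method: str       # e.g. "web_signup_form", "email_request" (labels are assumptions)
    at: datetime


def consents_from_form(fields):
    """Turn a submitted form into per-purpose decisions.

    `fields` maps ONE purpose to ONE checkbox (no bundling). A box counts as
    consent only if it is ticked and was not pre-ticked by default, so the
    tick is the individual's own action rather than silence.
    """
    return {
        purpose: bool(box["checked"]) and not box["pre_ticked"]
        for purpose, box in fields.items()
    }


class ConsentLedger:
    """Append-only, purpose-specific consent record; the latest event per purpose wins."""

    def __init__(self):
        self._events = []

    def record(self, individual_id, purpose, granted, method, at=None):
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(individual_id, purpose, granted, method, at))

    def record_form(self, individual_id, fields, method, at=None):
        for purpose, granted in consents_from_form(fields).items():
            self.record(individual_id, purpose, granted, method, at)

    def withdraw(self, individual_id, purpose, method="email_request", at=None):
        # Withdrawal is recorded, never erased: the history is the audit trail.
        self.record(individual_id, purpose, False, method, at)

    def has_consent(self, individual_id, purpose):
        latest = None
        for event in self._events:
            if event.individual_id == individual_id and event.purpose == purpose:
                if latest is None or event.at >= latest.at:
                    latest = event
        return latest is not None and latest.granted

    def history(self, individual_id):
        return [e for e in self._events if e.individual_id == individual_id]


def demo():
    """Constructed walk-through: a sign-up, then a withdrawal four days later."""
    ledger = ConsentLedger()
    # Sample form (constructed): the marketing box was pre-ticked and left
    # untouched, so it does not count; the service box was ticked by the user.
    form = {
        "service_delivery": {"checked": True, "pre_ticked": False},
        "marketing": {"checked": True, "pre_ticked": True},
    }
    signed_up = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record_form("user-42", form, method="web_signup_form", at=signed_up)
    before = (ledger.has_consent("user-42", "service_delivery"),
              ledger.has_consent("user-42", "marketing"))
    ledger.withdraw("user-42", "service_delivery", at=signed_up.replace(day=5))
    after = ledger.has_consent("user-42", "service_delivery")
    return before, after, len(ledger.history("user-42"))


if __name__ == "__main__":
    print(demo())  # ((True, False), False, 3)
```

The check that matters in practice is `has_consent(individual, purpose)` being called by every process that uses the data for that purpose (the mailing job, the analytics export), not just by the form handler; the ledger is only as good as the code paths that consult it.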

How Data Privacy Manager helps: Track consent in real time. DPM helps you log, manage, and respond to changes in consent across multiple channels — all from one place.

4. Set Clear Retention and Disposal Policies

Data has a shelf life — respect it.

Under the PDPA, organizations must not keep personal data longer than necessary.

Keeping data “just in case” is risky. Every piece of personal data sitting in your systems is a liability, especially in a breach.

This means you need to:

  • Know why you’re keeping the data
  • Decide how long you actually need it
  • Delete it or anonymize it once it’s no longer needed

Minimum requirement:

  • Define how long to retain each category of personal data
  • Have a documented policy or schedule for data deletion
  • Use secure disposal methods (e.g., data wiping, shredding)
  • Regularly review and clean up your data repositories

What counts as “no longer necessary”?

The PDPC expects organizations to make reasonable judgments based on business and legal needs.

Bonus Example – Retention Policy:
“Personal data collected for newsletter subscriptions will be retained for the duration of the subscription and removed within 30 days of opt-out. Billing records are retained for 7 years in line with financial reporting obligations.”
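A retention policy only protects you if something actually enforces it. The following is an added example written for this post, not code from Data Privacy Manager or any PDPC material; it transcribes the sample policy above into a schedule and applies it to a handful of constructed records. The record field names, the choice to anonymize billing records rather than delete them, and the list of identifier fields are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Retention schedule transcribed from the sample policy above. Each category names
# the timestamp field that starts its clock, how long to keep the data after that,
# and what to do when the period expires. Field names are assumptions.
SCHEDULE = {
    "newsletter": {"clock": "opt_out_at", "period": timedelta(days=30), "expired": "delete"},
    "billing": {"clock": "created_at", "period": timedelta(days=7 * 365), "expired": "anonymize"},
}

# Direct identifiers stripped when a record is anonymized rather than deleted (assumption).
IDENTIFIERS = ("name", "email", "address")


def decide(record, now):
    """Return "keep", "delete" or "anonymize" for one record at time `now`."""
    rule = SCHEDULE[record["category"]]  # KeyError on purpose: every category needs a rule
    started = record.get(rule["clock"])
    if started is None:          # clock not running, e.g. subscription still active
        return "keep"
    if now - started < rule["period"]:
        return "keep"
    return rule["expired"]


def anonymize(record):
    """Drop direct identifiers but keep the non-identifying fields (e.g. amounts)."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


def apply_schedule(records, now):
    """Apply the schedule; returns the surviving records and the action per record id."""
    kept, actions = [], {}
    for record in records:
        action = decide(record, now)
        actions[record["id"]] = action
        if action == "keep":
            kept.append(record)
        elif action == "anonymize":
            kept.append(anonymize(record))
        # "delete": the record is not carried forward
    return kept, actions


def demo():
    """Constructed sample run as of 15 Jan 2025."""
    utc = timezone.utc
    now = datetime(2025, 1, 15, tzinfo=utc)
    records = [  # constructed sample data
        {"id": "n1", "category": "newsletter", "email": "a@example.com",
         "created_at": datetime(2023, 6, 1, tzinfo=utc), "opt_out_at": None},
        {"id": "n2", "category": "newsletter", "email": "b@example.com",
         "created_at": datetime(2023, 6, 1, tzinfo=utc),
         "opt_out_at": datetime(2024, 11, 1, tzinfo=utc)},   # opted out 75 days ago
        {"id": "n3", "category": "newsletter", "email": "c@example.com",
         "created_at": datetime(2023, 6, 1, tzinfo=utc),
         "opt_out_at": datetime(2025, 1, 1, tzinfo=utc)},    # opted out 14 days ago
        {"id": "b1", "category": "billing", "name": "D. Tan", "email": "d@example.com",
         "amount_sgd": 120.0, "created_at": datetime(2017, 6, 1, tzinfo=utc)},
        {"id": "b2", "category": "billing", "name": "E. Lim", "email": "e@example.com",
         "amount_sgd": 80.0, "created_at": datetime(2022, 3, 10, tzinfo=utc)},
    ]
    return apply_schedule(records, now)


if __name__ == "__main__":
    kept, actions = demo()
    print(actions)  # {'n1': 'keep', 'n2': 'delete', 'n3': 'keep', 'b1': 'anonymize', 'b2': 'keep'}
```

Two design points worth copying: an unknown category fails loudly rather than silently keeping the data forever, and the run produces an action log per record, which is the evidence you want in your register when someone asks why a record was or was not deleted. Run the same schedule against backups and exports, not only the primary database.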

How DPM helps: Data Privacy Manager enables you to automate retention schedules, enforce deletion rules, and manage secure disposal across all systems — ensuring no personal data (or backups) stays longer than it should.

5. Prepare for Data Breaches

You’re not judged for having a breach — you’re judged by how you respond.

The PDPA now makes notification of certain data breaches mandatory. A breach is notifiable if it is likely to result in significant harm to the affected individuals, or if it affects 500 or more individuals. The assessment of whether a breach is notifiable must itself be done reasonably and expeditiously; the PDPC’s guidance treats 30 days from becoming aware of the incident as the benchmark. Once you have assessed that a breach is notifiable:

  • Notify the PDPC as soon as practicable, and in any case no later than 3 calendar days after the day you make that assessment.
  • If the breach is likely to result in significant harm, also notify the affected individuals as soon as practicable, unless an exception applies (e.g. remedial action has made significant harm unlikely, or notification is prohibited by law or by a law enforcement direction).

That’s not a “nice-to-have.” That’s the law.

Minimum requirement:

  • Have a written Data Breach Response Plan
  • Set up an internal breach response team (can be small but must be clear)
  • Establish procedures to detect, assess, and contain breaches
  • Keep a Data Breach Register for all incidents — even near misses

Pro Tip: You don’t need a hacker moment for something to count as a breach. An email sent to the wrong client with another client’s invoice? That could trigger a PDPC report.

What your response plan should include:

  • How you’ll detect and assess potential breaches
  • Who’s responsible for what (e.g., DPO notifies PDPC, IT investigates, Communication team drafts message)
  • What systems to isolate
  • How to notify affected individuals (and what to say)

How DPM helps: Data Privacy Manager streamlines breach management by helping you log incidents, assess severity, assign tasks, track notification deadlines, and maintain a breach register — keeping you fully aligned with PDPA’s mandatory breach notification requirements.

6. Enable Access and Correction Requests

Everyone has the right to know what you know about them — and to correct it.
Under PDPA, individuals can request:

  • A copy of their personal data that your business holds
  • Information about how and why you’re using it
  • Corrections if their data is inaccurate or incomplete

And the clock is running: the PDPA Regulations set 30 days as the benchmark for a response.

Minimum requirement:

  • Set up a formal process to receive and log requests
  • Verify the identity of the requester
  • Respond as soon as reasonably possible. If you cannot complete the response within 30 days, inform the requester in writing, within those 30 days, of the time by which you will be able to respond.
  • Update the data if the correction is valid — and send the corrected info to third parties if you’ve shared it with them

Pro Tip: Keep a standard request form ready. Better yet, make it downloadable on your website — it shows transparency and readiness.

You can reject a request — but only in specific cases.
For example:

  • If revealing the info could harm someone’s safety or expose confidential business data
  • If the request is clearly frivolous or vexatious
  • If the data is opinion-based (like internal performance appraisals)

[Figure: example of an invalid access and correction request]

This is where having your data inventory and retention policies pays off.
If you’re organized, it’s a simple lookup and response. If not, it’s a scramble through chaos.

How DPM helps: Data Privacy Manager automates the entire data subject request process, from receiving requests, verifying identities, tracking deadlines, and coordinating team responses, to delivering complete, compliant answers on time.

7. Manage Third-Party Sharing and Vendor Risk

If you disclose personal data to another organization — even if it’s a trusted partner, cloud provider, or contractor — you’re still accountable for what happens to the data.

Minimum requirement:

  • Identify all third parties that handle your customers’ or employees’ personal data
  • Ensure contracts include clear data protection clauses
  • Limit access to only what’s necessary for the service provided
  • Conduct due diligence before onboarding new vendors
  • Review third-party access regularly (don’t let old vendors linger with open access)

Pro Tip: Use written contracts that define roles, responsibilities, and data protection obligations. If your vendor is outside Singapore, make sure your agreement includes cross-border data protection safeguards.

How DPM helps: Data Privacy Manager centralizes vendor management by tracking all third parties handling personal data, managing written contracts, monitoring access, and ensuring your vendors meet PDPA’s accountability and cross-border protection standards.

8. Document Your Data Protection Policy

If you can’t explain how you handle personal data — that’s a problem.

Under the PDPA’s Accountability Obligation, every organization must implement and maintain internal policies that support compliance. This includes a documented Data Protection Policy that outlines how personal data is collected, used, disclosed, stored, and protected.

It doesn’t have to be lengthy — but it does have to exist.

Minimum requirement:

  • Create a clear policy that reflects your actual data practices
  • Cover key areas: data handling, security measures, retention, and breach response
  • Share it internally (all employees should be aware of it)
  • Make a version available to the public (e.g., a simplified version on your website)

Pro Tip: Your Data Protection Policy is often the first thing the PDPC asks for during an investigation — make sure it’s current, accurate, and reflects how your business really operates.

How DPM helps: Data Privacy Manager helps you build and manage your data protection documentation in one place — from policies to procedures — making internal audits and external reviews much easier to handle.

Bonus tip

9. Train Your Team

Your weakest link is an untrained employee.

PDPA expects organizations to promote internal awareness.

While the PDPA doesn’t mandate training by name, it requires organizations to implement internal policies and practices — and the PDPC expects staff handling personal data to be adequately trained.

Minimum requirement:

  • Conduct onboarding PDPA training for all new hires
  • Provide regular refreshers (at least once a year)
  • Train staff on specific risks relevant to their roles (e.g., marketing, IT, sales)
  • Keep records of completed training sessions

Where to Start?

How SOPA can help: If you’re looking for a place to start and want expert guidance with a clear, actionable plan, our State of Privacy Assessment (SOPA) is designed for you.

SOPA helps you quickly understand where you stand with PDPA compliance, highlights the gaps you need to close, and provides a practical roadmap to strengthen your privacy program — all at a cost that’s accessible for businesses of all sizes.

