Leniency for Singapore companies that admit data breach involvement

Organisations in Singapore that come clean about involvement in a data breach may receive less harsh financial penalties from the city-state’s data regulator.

The leniency would be applied only in the case of common data breaches, which include URL manipulation, weak password management or printing malfunctions coming through mistaken recipients of mail.

Singapore’s regulator, the Personal Data Protection Commission (PDPC) said this week that it conceded that even organisations that have gone through thorough preparation can fall victim to data breaches.

A full probe can now be avoided if victim companies request an undertaking option from the PDPC should a breach occur. The measure would be granted if the organisation in question were able to demonstrate they had the correct checks and measures in place prior to the breach.

Organisations must put together a comprehensive and established contingency to clean up a data breach, should one take place.

However, before this option is permitted, the PDPC has to confirm that the undertaking would achieve better enforcement outcomes than would a full investigation.

The regulator said that the steps are being taken to “bring investigations on clear-cut data breaches to a conclusion quickly”.

Currently, organisations can be hit with a fine of $1 million if they are found to be involved in a data breach. More broadly the law in Singapore stipulates that organisations must adequately protect personal data that they hold or control, and to ensure that data is not accessed by unauthorised parties or fall under risk of disclosure.

A new guide was released recently by the PDPC, stating recommendations on new data breach protocols for companies to follow should the worst happen. The document provides examples to address the most common breach-related complaints, such as policy considerations involved in a PDPC decision to launch a formal investigation.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/