A data breach rarely announces itself at a convenient moment. By the time most organisations realise what has happened, the question is no longer whether to act but how quickly — and under Singapore's Personal Data Protection Act, the timeline is unforgiving.
Two thresholds decide whether a breach must be reported. The first is harm: a breach is notifiable if it results in, or is likely to result in, significant harm to affected individuals — financial loss, identity theft, reputational damage and the like. The second is scale: any breach involving the personal data of 500 or more individuals is notifiable regardless of harm. The two are independent — meeting either one triggers the obligation, and a low-harm incident can still cross the line on numbers alone. A misaddressed email exposing 600 addresses is the classic example.
Where a breach is notifiable, the Personal Data Protection Commission must be told as soon as practicable, and in any event no later than three calendar days. The detail that catches organisations out is when the clock starts: not when the breach happened, and not when it was discovered, but when the organisation completes its assessment that the breach is in fact notifiable. That sounds generous. It is not. The Commission expects assessment to begin promptly, and you cannot stretch it out to delay the deadline — so in practice the three days run from a point you do not fully control.
Affected individuals are a separate question. Where a breach is likely to cause significant harm, they too must be notified — at the same time as, or after, the Commission — so they can take steps to protect themselves. There are exceptions, but they are narrower than most organisations assume.
What does this mean before anything goes wrong? Three things. First, decide now who assesses a breach and who signs off on notification; three days is no time to be hunting for a decision-maker. Second, keep records — the Commission can review whether your assessment was reasonable and timely, and contemporaneous notes are your best evidence that it was. Third, if you rely on vendors or processors, check that your contracts require them to tell you of a breach without delay; their failure to do so quickly becomes your problem.
A breach is stressful precisely because so much must happen at once — containment, investigation, notification, communication — under time pressure and incomplete facts. The organisations that come through it well are almost always the ones that decided how they would respond before they had to.
This note is general information, not legal advice; the right course always depends on the facts.