Companies to face stiffer penalties for data breaches under changes to PDPA

Staff Writer, Singapore
·Editorial Team
·2-min read
close up asian working man use credit card for payment on laptop at home office with virtual interface of GDPR (General Data Protection Regulation ) , privacy personal data concept
(Getty Images file photo)

SINGAPORE — Companies will be penalised more heavily for data breaches as part of proposed changes to the Personal Data Protection Act (PDPA), said Minister for Communications and Information S Iswaran on Monday (2 November).

“Our digital economy must be built on a solid foundation of trust. Consumers must have the confidence that their personal data will be secure and used responsibly...,” Iswaran said in Parliament during the debate on the Bill to amend the PDPA.

“Organisations need certainty to harness personal data for legitimate business purposes, with the requisite safeguards and accountability.”

One major change to the Bill is the stiffer penalty for a company in the event of a data breach – the fine it faces would be 10 per cent of its annual turnover in Singapore or $1 million, whichever is higher. Currently, the maximum a company can be fined for a data breach is $1 million.

This revised penalty framework is similar to that in the Competition Act and the Telecommunications Act, said Iswaran.

Last year, the Personal Data Protection Commission (PDPC) investigated 185 cases, issued 58 decisions and ordered 39 organisations to pay a total of $1.7 million in financial penalties including the record $750,000 and $250,000 imposed against IHiS and SingHealth respectively.

The cyberattack on SingHealth’s database in 2018 resulted in the theft of personal particulars of almost 1.5 million unique patients – including that of Prime Minister Lee Hsien Loong. The data comprised the patients’ demographic records and the dispensed medication records of about 159,000 of them.

While there are concerns about the higher financial penalties highlighted during public consultations ahead of the Bill’s introduction, Iswaran said, “I would like to assure Members that the PDPC will ensure that financial penalties imposed are proportionate to the severity of the data breach.”

He added that the Bill provides for ministerial discretion to review the effective date, and that the raised cap will take effect no earlier than one year after the Act comes into force.

Organisations must also notify both the PDPC and affected individuals of data breaches when they result, or are likely to result, in significant harm to individuals.

A “numerical threshold of 500 individuals” will constitute a data breach of a significant scale. A breach is categorised as serious if it is likely to result in significant harm to individuals through identity theft or fraud, including the leaking of their full names and other confidential financial information, said Iswaran.


Stay in the know on-the-go: Join Yahoo Singapore's Telegram channel at

More Singapore stories:

1 new COVID case in Singapore, lowest since 25 Feb

StanChart Singapore Marathon to be in hybrid format with virtual race, augmented reality

COVID-19: Singapore to allow travellers from China, Australia's Victoria from 6 Nov

2 women arrested over China officials impersonation scam, victim handed over $1m