
Digital Compliance: PDPA Audit Checklist for SMEs

When was the last time you audited your PDPA compliance? If the answer is never — or if you are not sure what a PDPA audit involves — you are not alone. Many Singapore SMEs know they should be compliant with the Personal Data Protection Act but lack a clear framework for assessing where they stand. This checklist provides a practical, step-by-step approach to evaluating your data protection practices.

What Should a PDPA Audit Cover?

A thorough PDPA audit examines seven areas: data inventory (what personal data you hold), consent management (how you obtain and record consent), purpose limitation (whether you use data only for stated purposes), access and correction (how individuals can access or correct their data), retention and disposal (how long you keep data and how you destroy it), security (how you protect data from unauthorised access), and transfer (how you handle cross-border data transfers).

For each area, assess three things: do you have a policy, is the policy being followed in practice, and can you demonstrate compliance through documentation? The gap between policy and practice is where most compliance risks hide. Having a privacy policy on your website means nothing if your staff routinely email unencrypted customer data or store personal information on unprotected USB drives.

How Do You Conduct the Audit Practically?

Begin with the data inventory. Map every place personal data is collected (website forms, emails, phone calls, walk-ins), processed (CRM, accounting system, spreadsheets, WhatsApp), and stored (cloud services, servers, paper files, employee devices). This map is the foundation of your compliance programme because you cannot protect data you do not know you have.

Next, review your consent mechanisms. For each data collection point, verify that you inform individuals of the purpose, obtain clear consent, and record the consent for future reference. Check that your consent language is specific rather than broad — consent for invoicing does not automatically cover marketing. Review your marketing opt-in and opt-out processes to ensure they work as expected.

Then examine your security controls. At minimum, verify that access to personal data is restricted to authorised personnel, passwords are strong and unique, software is updated regularly, data is encrypted in transit and at rest, and backups are performed and tested. Document any gaps for remediation.

What Are the Most Common Compliance Gaps for SMEs?

The five most common gaps we see in Singapore SMEs are: no formal data protection policy document, consent collected but not recorded or timestamped, personal data retained indefinitely without review, staff without data handling training, and no documented incident response plan. Each of these is relatively straightforward to fix but creates significant risk if left unaddressed.

Another common issue is shadow IT — staff using personal email accounts, messaging apps, or cloud storage for business data without the company's knowledge. This data exists outside your security controls and compliance framework, creating blind spots that could result in breaches or regulatory action.
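The audit steps above (data inventory, consent review, retention) and the shadow IT gap can be turned into a repeatable check over your own data inventory. The script below is an added example written for this article, not a PDPC tool or code from Digital Perpetual: the record fields, the list of "too broad" purposes, the 730-day retention limit and the approved-systems list are all assumptions, and the four customer records are constructed sample data. It flags consent that was never timestamped, purposes that are too broad, data used for a purpose the individual never agreed to, records held past the retention policy without a documented review, and personal data living in systems outside the approved list.

```python
"""Consent, retention and shadow-IT audit over a constructed data inventory.
Every record below is made-up sample data; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Consent wording the audit treats as too broad to be "specific" (assumed list)
BROAD_PURPOSES = {"any purpose", "all purposes", "business purposes", ""}

@dataclass
class Record:
    subject_id: str
    collected_at: Optional[datetime]     # None means consent was never timestamped
    consented_purposes: Set[str]         # what the individual actually agreed to
    used_for: Set[str]                   # what the data has been used for since
    system: str                          # where the data is stored (CRM, spreadsheet, ...)
    last_reviewed: Optional[datetime] = None  # last documented retention review

Finding = Tuple[str, str]

def audit_consent(records: List[Record]) -> List[Finding]:
    """Consent gaps: untimestamped consent, broad purposes, use beyond consent."""
    findings = []
    for r in records:
        if r.collected_at is None:
            findings.append((r.subject_id, "consent not timestamped"))
        if not r.consented_purposes or r.consented_purposes & BROAD_PURPOSES:
            findings.append((r.subject_id, "consent purpose missing or too broad"))
        # Consent for invoicing does not cover marketing: flag every unconsented use
        for purpose in sorted(r.used_for - r.consented_purposes):
            findings.append((r.subject_id, f"used for '{purpose}' without consent"))
    return findings

def audit_retention(records: List[Record], max_age_days: int, now: datetime) -> List[Finding]:
    """Retention gaps: data older than the policy with no review, or of unknown age."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for r in records:
        anchor = r.last_reviewed or r.collected_at
        if anchor is None:
            findings.append((r.subject_id, "collection date unknown; retention cannot be verified"))
        elif anchor < cutoff:
            findings.append((r.subject_id, f"retained beyond {max_age_days} days without review"))
    return findings

def find_shadow_it(records: List[Record], approved_systems: Set[str]) -> List[Tuple[str, str]]:
    """Personal data stored in systems outside the approved inventory."""
    return [(r.subject_id, r.system) for r in records if r.system not in approved_systems]

# Constructed sample inventory: four customers across three storage locations
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
APPROVED_SYSTEMS = {"CRM", "Spreadsheet"}
SAMPLE = [
    Record("C001", datetime(2024, 3, 1, tzinfo=timezone.utc), {"invoicing"}, {"invoicing"}, "CRM"),
    Record("C002", datetime(2024, 3, 2, tzinfo=timezone.utc), {"invoicing"}, {"invoicing", "marketing"}, "CRM"),
    Record("C003", None, {"marketing"}, {"marketing"}, "Spreadsheet"),
    Record("C004", datetime(2021, 1, 15, tzinfo=timezone.utc), {"business purposes"}, {"marketing"}, "Personal Gmail"),
]

def run_audit(records: List[Record], now: datetime = NOW, max_age_days: int = 730) -> dict:
    """Collect all findings so the result can be filed as audit evidence."""
    return {
        "consent": audit_consent(records),
        "retention": audit_retention(records, max_age_days, now),
        "shadow_it": find_shadow_it(records, APPROVED_SYSTEMS),
    }

if __name__ == "__main__":
    for area, findings in run_audit(SAMPLE).items():
        print(f"== {area} ({len(findings)} findings) ==")
        for subject, issue in findings:
            print(f"  {subject}: {issue}")
```

Each finding maps back to one of the checklist areas, so the output doubles as the documentation of gaps for remediation that the audit step asks for. Re-running the script quarterly against the current export of your CRM or spreadsheet is one way to do the lighter periodic checks on consent records and retention without repeating the full annual audit.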

Frequently Asked Questions

How often should I conduct a PDPA audit?

Conduct a comprehensive audit at least annually, with lighter quarterly checks on key areas like consent records, access logs, and security controls. Additionally, conduct an audit whenever you make significant changes to how you collect, process, or store personal data — launching a new website, implementing a new CRM, or expanding to a new market are all triggers for a compliance review.

What are the penalties for PDPA non-compliance?

The PDPC can impose financial penalties of up to $1 million for non-compliance. Beyond fines, organisations may face directions to stop collecting or using data, mandatory remediation requirements, and reputational damage from published enforcement decisions. The PDPC has been increasingly active in enforcement, with multiple SME-related decisions published in recent years. Prevention is far cheaper than cure.

Can I do the audit myself or do I need a consultant?

You can conduct the initial audit yourself using freely available resources from the PDPC, including their Data Protection Self-Assessment toolkit. For a basic assessment, this is sufficient. However, if you handle large volumes of sensitive data, operate in regulated industries, or find significant gaps in your initial assessment, engaging a data protection consultant provides expert guidance and may identify risks that a self-assessment would miss.

Ready to Transform Your Business?

Let Digital Perpetual help you automate, streamline, and grow.
