
IT Security: PDPA Compliance Checklist for SMEs


Singapore's Personal Data Protection Act (PDPA) requires an SME to implement reasonable security measures to protect the personal data it collects, to obtain valid consent (or rely on another basis the Act recognises) for collection and use, to give individuals access and correction rights, and to set policies for data retention and disposal. The practical reality for most SMEs is that compliance is achievable with straightforward measures: you do not need an enterprise data governance programme, but you do need to be able to demonstrate that you take personal data protection seriously.

What Personal Data Does Your Business Actually Hold?

Before addressing compliance, audit what personal data you collect and where it is stored. Customer databases contain names, phone numbers, email addresses, and potentially NRIC numbers or payment information. Employee records contain even more sensitive data: salary details, medical information, bank account numbers, and emergency contact details. Supplier records, visitor logs, and CCTV footage also contain personal data subject to the PDPA.

Map where this data lives. Is it in your CRM, accounting software, spreadsheets on employee desktops, email inboxes, paper files, or cloud storage? Data you do not know about cannot be protected. The mapping exercise often reveals personal data in unexpected locations — customer details in personal email accounts, employee information on unencrypted USB drives, or client data in shared folders accessible to all staff.

Determine the legal basis for each collection. For most SME processing the basis is consent: customers consent when they provide their details for a transaction, and employees consent through employment agreements. The PDPA also recognises deemed consent and a number of exceptions, so record which basis you rely on for each purpose rather than assuming. Ensure your consent mechanisms are clear, specific, and documented; a vague statement buried in terms and conditions does not constitute valid consent under the PDPA.

What Technical Measures Should You Implement?

Access controls: limit personal data access to employees who need it for their role. Not everyone in the company needs access to the full customer database or employee salary records. Configure your systems with role-based permissions and review access lists quarterly to remove access for departed employees and changed roles.

Encryption: ensure personal data is encrypted in transit (HTTPS for websites, TLS for email) and at rest (encrypted storage for databases and files containing personal data). Modern cloud services typically provide encryption by default — verify this is enabled and not inadvertently disabled.

Multi-factor authentication on all systems containing personal data. This single measure blocks most attacks that rely on a stolen or guessed password (phishing, password reuse, credential stuffing), which is how most unauthorised-access incidents at SMEs begin. Enable MFA on email, CRM, accounting software, cloud storage, remote access, and any other system where personal data is accessed. Prefer an authenticator app or hardware security key over SMS codes, which can be intercepted or SIM-swapped.

Regular software updates: keep all systems patched and current. Exploitation of known vulnerabilities in unpatched software is among the most common technical attack vectors. Enable automatic updates where possible and schedule monthly manual checks for systems that require manual patching, including routers, firewalls and NAS devices that are easy to forget.

Data backup: maintain encrypted backups of all personal data, stored separately from production systems and tested regularly by actually restoring from them. Backups protect against both accidental data loss and ransomware: if an attacker encrypts your data, a clean backup enables recovery without paying a ransom. Because ransomware operators deliberately seek out and delete backups, keep at least one copy offline or in immutable storage that production credentials cannot modify.

What Policies and Procedures Do You Need?

A Data Protection Policy: a written document explaining what personal data you collect, why you collect it, how it is used, who it is shared with, how it is protected, and how long it is retained. This does not need to be a lengthy legal document — a clear, two-to-three-page policy written in plain language satisfies the requirement and is more likely to be read and understood by your team.

A Data Breach Response Plan: documented procedures for what to do if a data breach occurs. Who is notified internally, how the breach is contained, how its scope and impact are assessed, when and how affected individuals are notified, and when the PDPC is notified. Notification to the PDPC is mandatory for a breach that is likely to cause significant harm to affected individuals or that affects 500 or more individuals, and must be made within three calendar days of assessing that the breach is notifiable; affected individuals must also be notified where significant harm is likely. Having a plan prevents the chaotic, delayed response that often worsens breach outcomes.

Data retention and disposal schedules: define how long you keep each category of personal data and how it is disposed of when the retention period ends. Customer transaction data might be retained for as long as tax and accounting rules require (check the current IRAS record-keeping period rather than assuming a number); job applicant data should be disposed of within a reasonable period after the hiring decision. Data kept without a purpose, or beyond its retention period, creates risk without benefit: it still has to be secured and is still in scope if you are breached.

Employee training: ensure all staff who handle personal data understand their PDPA obligations. Annual training covering data handling, recognising phishing attempts, incident reporting, and proper disposal of documents containing personal data. Training does not need to be elaborate — a 30-minute annual session with practical examples is sufficient for most SMEs.

Frequently Asked Questions

Do I need to appoint a Data Protection Officer?

PDPA requires every organisation to designate at least one individual as a Data Protection Officer, but this does not need to be a dedicated role. In an SME, the DPO function can be assigned to an existing manager — typically the HR manager, operations manager, or business owner. The DPO is the contact point for data protection matters and oversees compliance. You must make the DPO's contact information available to the public.

What are the penalties for PDPA non-compliance?

The PDPC can impose financial penalties of up to SGD 1 million or 10% of annual Singapore turnover (whichever is higher) for organisations with annual turnover exceeding SGD 10 million. For smaller SMEs, fines are proportionate to the severity of the breach and the organisation's size. Beyond fines, enforcement actions are published publicly, creating reputational consequences. Enforcement activity has increased year over year, making compliance increasingly important.

Is PDPA compliance a one-time exercise or ongoing?

Ongoing. PDPA compliance requires continuous maintenance — updating policies when business practices change, reviewing access controls when staff change, maintaining training programmes, and monitoring for new requirements as PDPA regulations evolve. However, once the foundational measures are in place, maintenance is lightweight — quarterly access reviews, annual policy updates, and ongoing awareness rather than constant heavy effort.
