What Should Your Singapore SME Do in the First 72 Hours After a Data Breach?
In the first 72 hours after a data breach, your Singapore SME must do four things: contain the incident without destroying evidence, assess whether the breach is notifiable under the Personal Data Protection Act (PDPA), notify the Personal Data Protection Commission (PDPC) within three calendar days of determining that it is, and communicate honestly with affected customers. Miss the assessment step and you risk the PDPC's most common criticism of small firms — not the breach itself, but a slow, disorganised response. With phishing and ransomware attacks on Singapore SMEs climbing through 2026 and regulators treating 'we didn't know the rules' as no defence, a written 72-hour playbook is now as essential as your backups.
What does the PDPA actually require when a breach happens?
Since the mandatory breach notification regime came into force, any organisation that suffers a data breach must assess, within a reasonable timeframe, whether the breach is notifiable. A breach is notifiable if it either results in (or is likely to result in) significant harm to affected individuals — for example, leaked NRIC numbers, financial account details, or health information — or affects 500 or more people, regardless of harm.
Once you determine a breach is notifiable, the clock starts: you must notify the PDPC as soon as practicable and no later than three calendar days after that determination. Where there is likely significant harm, you must also notify the affected individuals themselves. Note the wording — calendar days, not working days. A breach discovered on Friday evening does not pause for the weekend, which is exactly why so many SME incidents tip from manageable into messy.
Financial penalties for breaching PDPA obligations can reach 10% of annual Singapore turnover for larger organisations or up to S$1 million — but for most SMEs the bigger cost is the customer trust and contract eligibility you lose when a breach response looks chaotic.
Hour 0–24: how do you contain a breach without destroying evidence?
Your first instinct will be to delete things, reset everything and pretend it never happened. Resist it. Containment means stopping the bleed while preserving the trail:
- Isolate, don't wipe. Disconnect compromised machines from the network and Wi-Fi, but do not reformat them. Logs, malware samples and access timestamps are what your IT support — and potentially the PDPC — will need to reconstruct what happened.
- Revoke access fast. Force password resets on affected accounts, invalidate active sessions, and rotate API keys and tokens for any connected SaaS tools — accounting, CRM, e-commerce platforms.
- Stop the leak channel. If a phishing email triggered the breach, warn all staff immediately with a screenshot of the lure so nobody else clicks it. If a misconfigured cloud folder or web form exposed data, take it offline.
- Start a timeline document. One shared note: what you found, when, and what you did. The PDPC explicitly looks at whether your response was prompt and reasonable, and a timestamped log is your best evidence.
If you have only one 'IT person' (or none), this is the moment to call your managed services provider or vendor. The PDPA does not excuse small teams from acting — it expects you to have arrangements in place.
Hour 24–48: how do you assess whether the breach is notifiable?
Assessment is the step lean teams skip, and it is the one the regulator cares about most. You need credible answers to three questions:
- What data was actually exposed? Pull the affected database tables, mailbox contents or folder listings. 'Probably just emails' is not an assessment. Names and emails alone may not constitute significant harm; NRIC numbers, payment details, passwords or health data almost certainly do.
- How many individuals are affected? Count distinct people, not records. Cross the 500-person threshold and notification is mandatory even if the data seems low-risk.
- Is harm likely? Consider whether the data was encrypted, whether the attacker exfiltrated it or merely had access, and whether it is already circulating (ransomware groups often publish proof on leak sites).
Document your reasoning even if you conclude the breach is not notifiable. If the PDPC later asks why you stayed silent, a written assessment dated within 48 hours of discovery is the difference between a defensible judgement call and an apparent cover-up.
Hour 48–72: when and how do you notify the PDPC and your customers?
If the breach is notifiable, file through the PDPC's online breach notification form. You will need the timeline you started on day one: what happened, what data and how many people are affected, what you have done to contain it, and what remediation is planned. It is acceptable — and far better than waiting — to submit with preliminary figures and update later as your investigation continues.
For affected customers, notify them at or around the same time where significant harm is likely. Keep the message plain: what happened, what data of theirs was involved, what you have done, and what they should do (change passwords, watch for phishing messages impersonating you). SMEs that notify customers proactively almost always fare better than those whose customers find out from a news report or a scam SMS.
If ransomware is involved, also lodge a report with the Singapore Police Force and consider reporting to SingCERT. These reports demonstrate good faith and can connect you to recovery resources.
How can lean teams prepare before a breach ever happens?
Everything above gets dramatically easier with a few low-cost preparations, most of which are subsidised in 2026:
- Run phishing simulations. IMDA's Cyber2SME resources include phishing simulation support, and the Singtel–IMDA–ESG Cyber Protect Programme bundles employee training with monitoring — because most SME breaches still start with one clicked link.
- Get certified against a baseline. The CSA Cyber Essentials mark forces you through exactly the controls — asset inventory, access control, backups — that make a 72-hour response possible.
- Test your backups quarterly. A backup you have never restored is a hope, not a plan. Keep at least one copy offline or immutable so ransomware cannot encrypt it too.
- Write the one-page plan now. Who isolates machines, who calls the IT vendor, who drafts the PDPC notification, who talks to customers. Names, not roles. Print it — if your systems are encrypted, you won't be opening the SOP from a shared drive.
- Fund it with grants. PSG's 2026 expansion covers AI-enabled and cybersecurity solutions, and the Digital Enterprise Blueprint expansion announced in May 2026 puts cyber resilience support in reach of 12,000 more SMEs.
Digital Perpetual helps Singapore SMEs build exactly this kind of resilience — breach response plans, tested backup and recovery setups, and grant-funded security tooling — sized for teams of five, not five hundred. The best time to write your 72-hour playbook is the week before you need it.
Frequently Asked Questions
Do I need to notify the PDPC for every data breach?
No. Notification is mandatory only if the breach is likely to cause significant harm to affected individuals or affects 500 or more people. But you must assess every breach and document that assessment — an undocumented decision not to notify is itself a compliance risk.
Does the 3-day deadline start when the breach happens?
No. The three calendar days run from the moment you determine the breach is notifiable, not from the breach itself. However, the assessment must be done expeditiously — the PDPC generally expects it within 30 days, and dragging it out to delay notification will count against you.
If a vendor or SaaS platform we use gets breached, is that our problem?
Often, yes. If you are the organisation that collected the personal data, you remain responsible under the PDPA even when a data intermediary (your vendor) suffers the breach. Vendors are required to inform you without undue delay — make sure your contracts say so, and that their alert triggers your own 72-hour playbook.
Ready to Transform Your Business?
Let Digital Perpetual help you automate, streamline, and grow.
Get Started with Digital Perpetual →