HomeBlogDigital Infrastructure
Digital Infrastructure

What Should Your Singapore SME Do in the First 72 Hours After a Data Breach?

What Should Your Singapore SME Do in the First 72 Hours After a Data Breach?

In the first 72 hours after a data breach, your Singapore SME must do four things: contain the incident without destroying evidence, assess whether the breach is notifiable under the Personal Data Protection Act (PDPA), notify the Personal Data Protection Commission (PDPC) within three calendar days of determining that it is, and communicate honestly with affected customers. Miss the assessment step and you risk the PDPC's most common criticism of small firms — not the breach itself, but a slow, disorganised response. With phishing and ransomware attacks on Singapore SMEs climbing through 2026 and regulators treating 'we didn't know the rules' as no defence, a written 72-hour playbook is now as essential as your backups.

What does the PDPA actually require when a breach happens?

Since the mandatory breach notification regime came into force, any organisation that suffers a data breach must assess, within a reasonable timeframe, whether the breach is notifiable. A breach is notifiable if it either results in (or is likely to result in) significant harm to affected individuals — for example, leaked NRIC numbers, financial account details, or health information — or affects 500 or more people, regardless of harm.

Once you determine a breach is notifiable, the clock starts: you must notify the PDPC as soon as practicable and no later than three calendar days after that determination. Where there is likely significant harm, you must also notify the affected individuals themselves. Note the wording — calendar days, not working days. A breach discovered on Friday evening does not pause for the weekend, which is exactly why so many SME incidents tip from manageable into messy.

Financial penalties for breaching PDPA obligations can reach 10% of annual Singapore turnover for larger organisations or up to S$1 million — but for most SMEs the bigger cost is the customer trust and contract eligibility you lose when a breach response looks chaotic.

Hour 0–24: how do you contain a breach without destroying evidence?

Your first instinct will be to delete things, reset everything and pretend it never happened. Resist it. Containment means stopping the bleed while preserving the trail:

If you have only one 'IT person' (or none), this is the moment to call your managed services provider or vendor. The PDPA does not excuse small teams from acting — it expects you to have arrangements in place.

Hour 24–48: how do you assess whether the breach is notifiable?

Assessment is the step lean teams skip, and it is the one the regulator cares about most. You need credible answers to three questions:

Document your reasoning even if you conclude the breach is not notifiable. If the PDPC later asks why you stayed silent, a written assessment dated within 48 hours of discovery is the difference between a defensible judgement call and an apparent cover-up.

Hour 48–72: when and how do you notify the PDPC and your customers?

If the breach is notifiable, file through the PDPC's online breach notification form. You will need the timeline you started on day one: what happened, what data and how many people are affected, what you have done to contain it, and what remediation is planned. It is acceptable — and far better than waiting — to submit with preliminary figures and update later as your investigation continues.

For affected customers, notify them at or around the same time where significant harm is likely. Keep the message plain: what happened, what data of theirs was involved, what you have done, and what they should do (change passwords, watch for phishing messages impersonating you). SMEs that notify customers proactively almost always fare better than those whose customers find out from a news report or a scam SMS.

If ransomware is involved, also lodge a report with the Singapore Police Force and consider reporting to SingCERT. These reports demonstrate good faith and can connect you to recovery resources.

How can lean teams prepare before a breach ever happens?

Everything above gets dramatically easier with a few low-cost preparations, most of which are subsidised in 2026:

Digital Perpetual helps Singapore SMEs build exactly this kind of resilience — breach response plans, tested backup and recovery setups, and grant-funded security tooling — sized for teams of five, not five hundred. The best time to write your 72-hour playbook is the week before you need it.

Frequently Asked Questions

Do I need to notify the PDPC for every data breach?

No. Notification is mandatory only if the breach is likely to cause significant harm to affected individuals or affects 500 or more people. But you must assess every breach and document that assessment — an undocumented decision not to notify is itself a compliance risk.

Does the 3-day deadline start when the breach happens?

No. The three calendar days run from the moment you determine the breach is notifiable, not from the breach itself. However, the assessment must be done expeditiously — the PDPC generally expects it within 30 days, and dragging it out to delay notification will count against you.

If a vendor or SaaS platform we use gets breached, is that our problem?

Often, yes. If you are the organisation that collected the personal data, you remain responsible under the PDPA even when a data intermediary (your vendor) suffers the breach. Vendors are required to inform you without undue delay — make sure your contracts say so, and that their alert triggers your own 72-hour playbook.

Ready to Transform Your Business?

Let Digital Perpetual help you automate, streamline, and grow.

Get Started with Digital Perpetual →
PDPA data breach response cyber resilience SME cybersecurity incident response