Eight topic clusters drawn from your notes. Compliance is treated as a continuous cycle — not a one-time checklist.
Singapore's data-protection regime is primarily governed by the Personal Data Protection Act (PDPA), which sets a baseline standard of protection across the economy.
Its core aim is to balance individuals' right to protect their data with organisations' need to use that data for legitimate, reasonable purposes.
Applies broadly to any individual, company, association or body (formed in Singapore or not) handling personal data. Covers electronic and physical data, whether true or false.
The bulk of the regime: the 11 Key Obligations (mnemonic POPCON ExTRAS ADD) governing the collection of data, the care of data, and individuals' autonomy over their data. Accountability underpins all of them: a proactive, risk-based approach rather than a checklist.
The Do Not Call (DNC) provisions apply to marketing messages (voice, SMS, fax) sent to Singapore telephone numbers. Organisations must check the DNC Registry before sending, must identify the sender, and may not use dictionary attacks or address-harvesting software to generate numbers.
Enforcement rests with the Personal Data Protection Commission (PDPC). Its options range from advisory notices to accepting voluntary undertakings for remediation.
For egregious or high-impact breaches, the PDPC can investigate and impose financial penalties of up to S$1 million or 10% of annual turnover in Singapore, whichever is higher.
Every organisation must appoint at least one Data Protection Officer (DPO).
To demonstrate accountability, organisations are encouraged to use frameworks and tools, such as the self-assessment, accountability and data-mapping instruments covered later in this outline.
Notify an affected individual only if the breach results, or is likely to result, in significant harm to them.
If required, notify the individual as soon as practicable — at the same time as, or after, notifying the PDPC.
The harm threshold is generally met when a full name, alias or full NRIC number is compromised together with sensitive data.
Even if the harm threshold is met, individual notification is not required where one of the prescribed exceptions applies.
The mandatory steps a data-breach management team should take, in sequence.
Act swiftly to prevent further compromise and implement mitigating actions to limit damage.
Evaluate the circumstances, the ease of identifying individuals from compromised data, and whether the breach is legally notifiable.
Fulfil obligations to notify the PDPC and/or affected individuals if thresholds are met.
Review the overall response so recovery and future prevention strategies can be improved.
A process and tool for identifying, assessing and addressing personal-data risks, based on an organisation's functions, needs and processes. (CN: 数据保护影响评估)
Conduct a DPIA when introducing new IT systems or processes, or when existing ones undergo major changes.
Determine whether the new or changed system or process involves personal data: check for new data collection, disclosure to new third parties, or a new purpose for which consent has not been obtained.
Form the DPIA project team (project manager, DPO, steering committee, departmental representatives). Define the scope, the risk framework and methodology, the stakeholders, and the timeline.
Map how data moves using a Data Inventory Map or Data Flow Diagram. Review documents, contracts and specifications; consult departments or inspect on site.
Check compliance against the obligations (consent, notification, purpose limitation) using a checklist. Rate and rank risks by impact and likelihood.
Propose technical and organisational measures to treat the risks. Assign action owners and set an implementation timeline.
Document the findings in a DPIA report (the DPO reviews it, senior management approves it). Owners execute the measures; the DPO monitors results to ensure the risks are managed.
A framework for building a robust data-protection infrastructure and demonstrating accountability, run as a continuous 4-step cycle of planning, implementing and reviewing.
Establish a governance structure with leadership to define values and identify data-protection risks.
Develop data-protection policies and clearly designate roles and responsibilities.
Design SOPs that operationalise policies into daily business functions.
Regularly review and update policies & processes; conduct audits to stay current.
Mapped as a continuous lifecycle. Accountability sits at the top as the overarching principle.
An organisation can rely on four valid types of consent to collect, use or disclose personal data.
The most straightforward and safest form of consent.
The individual actively agrees to the collection, use or disclosure of their data — e.g. physically signing a form or ticking a checkbox online.
Inferred from the individual's actions rather than explicitly given. Applies when someone voluntarily provides their data, fully knowing and understanding the purpose.
Example: giving your home address to a restaurant specifically so they can deliver your food order.
Also inferred, but specifically in the context of a contract. Applies when an individual provides data in order to enter into a contract and processing or sharing that data is reasonably necessary to perform or fulfil the contract.
The organisation clearly notifies the individual of a new purpose for using their data and gives a reasonable period to opt out. If they don't opt out in time, they are deemed to have consented.
The organisation must first conduct a risk assessment to ensure the new purpose is low risk and won't negatively impact the customer.
To provide certainty, the obligation applies only to specific data categories white-listed by regulations, not to all personal data.
The fundamental principle sitting above the whole cycle.
A risk-based approach to identifying, monitoring, and responding to personal-data risks in order to demonstrate compliance.
It is about being proactive and systematic in managing data risks — showing that the organisation takes responsibility, rather than reacting only after something goes wrong.
Appointing a Data Protection Officer (DPO) is a requirement — but the accountability for adherence to the Act rests with the organisation as a whole, not the DPO alone.
A mnemonic for the scenarios where an organisation may collect, use or disclose personal data without consent. Three groups of three: 3 P's · 3 I's · 3 E's.
Pair it with POPCON ExTRAS ADD (the 11 obligations) when revising.
Business Contact Information (BCI) is usually grouped with the P's: the PDPA data-protection rules do not apply to it.
To rely on the legitimate interests exception, an organisation must conduct an assessment determining that its legitimate interests outweigh any adverse effect on the individual.
This balancing test and risk assessment ensures the organisation's business need does not unfairly harm the individual.
The Evaluation exception applies to activities like determining suitability for employment, promotion, or awarding scholarships.
Loyalty programs do not qualify — they usually operate under express consent and count as marketing / business activities, not 'evaluation' in the legal sense.
Self-assessment, accountability and data-mapping instruments referenced across your notes.
A digital self-assessment tool by the PDPC.
Documents how data flows through a process — from collection to secure destruction. Usually the first step in building a DPMP.