The Answer in 60 Seconds
Section 26D of the Personal Data Protection Act 2012 (Singapore) requires organisations to notify the Personal Data Protection Commission (PDPC) of a notifiable data breach as soon as practicable, but in any case no later than 3 calendar days after determining that the breach is notifiable. A breach is notifiable if it (a) results in or is likely to result in significant harm to affected individuals, or (b) affects 500 or more individuals. Penalties for breach of PDPA obligations are up to 10% of annual Singapore turnover (for organisations with turnover above S$10 million) or S$1 million, whichever is higher — effective 1 October 2022. Affected individuals must also be notified where significant harm is likely.
The Sourced Detail
The mandatory data breach notification regime is one of the highest-stakes ongoing compliance obligations for any Singapore SME handling personal data. The 3-day clock is short, the penalty exposure is high, and the trigger criteria require interpretation. Understanding exactly what the law requires — not what a vendor's marketing email summarises — is essential.
What Section 26D actually says
Per Section 26D(1) of the PDPA:
"Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment."
Per Section 26D(2): the organisation must also notify each affected individual in any manner that is reasonable in the circumstances, unless the breach is unlikely to result in significant harm to that individual or remedial action makes significant harm unlikely.
Section 26B — what counts as a "notifiable data breach"
Per Section 26B of the PDPA, a data breach is notifiable if it:
(a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale (defined under the regulations as affecting 500 or more individuals).
Significant harm is further defined by reference to the Personal Data Protection (Notification of Data Breaches) Regulations 2021, which list categories of personal data where significant harm is presumed, including:
- Full name in combination with NRIC/FIN/passport
- Account identifier (with password / security code / access code) of any account
- Account identifier (with biometric data) of any account
- Health/medical information
- Specified financial information (credit card number with security code, account balances, transaction history)
- Information about adoption matters
- Information about legal proceedings
- Specified information about minors
If a breach involves any of these data categories for even one individual, it is presumed to cause significant harm and is notifiable on the "harm" limb regardless of the number affected.
The 3-day clock — when it starts
The clock starts on the day the organisation makes the assessment that the breach is notifiable, not on the day the breach is discovered.
Per the PDPC's Advisory Guidelines on Key Concepts in the PDPA, the assessment under Section 26C must be conducted "in a reasonable and expeditious manner" — typically within 30 days of becoming aware of the breach.
So the timeline is:
- Day 0 — Discovery. Breach is discovered.
- Day 0 to ~Day 30 — Assessment under Section 26C. Organisation investigates whether the breach meets either notifiable threshold. Assessment must be expeditious.
- Day X — Determination. Organisation determines breach is notifiable.
- Day X+3 — PDPC notification deadline. Must be filed within 3 calendar days of the determination.
The PDPC's Guide on Managing and Notifying Data Breaches provides illustrative examples. From the Guide footnotes: "if an organisation determines on 1st January that a data breach is notifiable, it must notify the Commission by 4th January." The first day of the 3-day period starts the day after the determination.
Critical: the assessment cannot be deliberately stretched to delay notification. PDPC has made clear that "expeditious" means promptly, with available facts. Organisations that drag the assessment to game the clock face additional penalty risk.
What must be in the notification
The PDPC's data breach notification form requires:
- Organisation details (name, address, contact)
- Description of the breach and how it occurred
- Date and duration of the breach
- Date the breach was discovered
- Date the assessment was completed
- Number of affected individuals (or estimate)
- Categories of personal data involved
- Cause of the breach (technical, human error, malicious act)
- Containment and remediation steps already taken
- Steps planned to prevent recurrence
- Risk of harm assessment
- Whether and how affected individuals have been notified
Notifying affected individuals — the second clock
Per Section 26D(2), affected individuals must be notified "as soon as is practicable, at the same time or after notifying the Commission" — unless:
- The breach is unlikely to result in significant harm to that individual, or
- The PDPC has directed the organisation not to notify, or
- Remedial action has been taken that makes significant harm to that individual unlikely.
There is no fixed calendar deadline for individual notification — but "as soon as is practicable" implies prompt action. Many organisations notify on the same day or within 1–7 days of PDPC notification.
The notification to individuals must contain:
- A description of the breach
- The personal data affected
- Steps taken or to be taken to address the breach
- Steps individuals can take to mitigate potential harm
- Contact details for further enquiries
Penalties for breach
Per Section 48J of the PDPA, the maximum financial penalty the PDPC may impose is:
- For organisations with annual turnover in Singapore exceeding S$10 million: up to 10% of annual turnover in Singapore
- For other organisations: up to S$1 million
Whichever is higher applies. The 10% turnover penalty is significantly higher than the previous S$1 million ceiling and was introduced effective 1 October 2022.
The PDPC has imposed substantial financial penalties for breaches involving inadequate protection, late notification, or both. Recent enforcement decisions are published at pdpc.gov.sg/enforcement-decisions.
Section 26C — the assessment obligation
Section 26C requires organisations to "conduct, in a reasonable and expeditious manner, an assessment of whether a data breach is a notifiable data breach." The assessment must consider:
- The nature of the personal data affected
- The harm likely to result
- The steps that can be taken to reduce harm
- The number of affected individuals
This is not a check-the-box exercise. Organisations should document the assessment process, the facts considered, and the reasoning leading to the notifiable/non-notifiable determination. PDPC may request the assessment record in any subsequent enforcement.
Cyber insurance interaction
A cyber insurance policy typically covers:
- Breach response costs (forensics, legal, PR)
- Regulatory investigation defence costs (sometimes including PDPC investigation)
- Notification and credit monitoring costs
- Third-party liability for affected individuals
- Business interruption from cyber events
- Sometimes: regulatory fines and penalties (subject to insurability under Singapore law and policy wording)
Cyber policies typically have panel forensics, panel legal, panel breach counsel — meaning the insurer will direct you to specific service providers when an incident occurs. Engaging your own forensics or lawyers without insurer authorisation often means the insurer will not reimburse.
The PDPC notification itself is the organisation's obligation, not the insurer's — but the breach counsel typically helps draft the notification.
Common Mistakes / What Goes Wrong
- Thinking the 3-day clock starts from breach discovery. It starts from the day of the determination that the breach is notifiable. But the assessment must be expeditious — you cannot delay determining to delay notifying.
- Treating the 500-individual threshold as the only trigger. Even a breach affecting one individual is notifiable if that one individual's personal data falls within the "significant harm" categories (NRIC, account credentials, health, financial).
- Notifying PDPC without notifying affected individuals. Section 26D(2) is a separate obligation. Failing to notify individuals is a separate breach.
- Relying on the cyber insurer to file the notification. The legal obligation is on the organisation, not the insurer.
- Not documenting the Section 26C assessment. PDPC may request the record in any subsequent investigation. An undocumented assessment is hard to defend.
- Notifying late "to be sure" of the scope. Late is worse than provisional. PDPC accepts initial notifications with available information; updates are normal.
What This Means for Your Business
The PDPA breach notification regime is binary at the moment of breach. Either you have an incident response plan that works, or you don't. The plan needs to address:
- Detection — how do you know a breach has occurred? Logging, monitoring, vendor reporting requirements, employee reporting channels.
- Assessment — who runs the Section 26C analysis, and to what timeline? Assign accountability. The Data Protection Officer (DPO) — if appointed — or senior management.
- Notification — who files with PDPC, and who notifies individuals? Pre-draft templates. Pre-identify affected-individual contact channels.
- Cyber insurance integration — is the insurer's incident hotline saved offline (not on systems that may be encrypted)? Engage panel forensics within the insurer's notification window.
- Tabletop exercise — has the team rehearsed? PDPC explicitly recommends tabletop exercises in the Guide on Managing and Notifying Data Breaches. For SMEs, an annual 2-hour exercise covering a representative scenario is the minimum.
The 3-day clock means the response cannot be invented during a crisis. It has to be drawn down from a plan that already exists, supported by an insurance policy that is already in force, with vendors already on retainer.
Questions to Ask Your Adviser
- Does my Cyber policy cover PDPC notification costs and regulatory investigation defence costs?
- Who is on the insurer's panel for forensics, legal, and breach counsel — and is the panel acceptable to me before I have an incident?
- Are regulatory fines and penalties (subject to insurability) covered or excluded?
- What is the policy notification window for incidents — 24, 48, or 72 hours?
- Does the policy cover third-party claims from affected individuals, and what are the sub-limits?
Related Information
- How to File a Cyber Insurance Claim After a Ransomware Attack
- /document-legal/cybersecurity-act-2024-changes
- How to Dispute a Denied SME Insurance Claim with FIDReC: 2026 Procedure
Published 4 May 2026. Source verified 4 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.


