How big is a PDPA fine for an SME data breach now?

The Answer in 60 Seconds

Since 1 October 2022, the maximum financial penalty under the Personal Data Protection Act for a data-protection breach is S$1 million, or, for an organisation whose annual turnover in Singapore exceeds S$10 million, 10% of that local turnover. The change was confirmed by the PDPC on 30 September 2022. Mandatory breach notification, in force since 1 February 2021, requires notifying the PDPC within 3 calendar days of assessing that a breach is notifiable, which it is when the breach affects 500 or more individuals or is likely to cause significant harm.

The Sourced Detail

The PDPA was amended in 2020 (the Personal Data Protection (Amendment) Act 2020) and the changes commenced in two phases. The breach-notification regime took effect on 1 February 2021. The increased financial penalties took effect on 1 October 2022. Both are now firmly in force, and the PDPC has been actively enforcing.

The penalty: how it actually works

Per section 48J of the PDPA:

  • For organisations with annual local turnover of S$10 million or less, the penalty cap is S$1 million.
  • For organisations with annual local turnover above S$10 million, the penalty cap is 10% of annual local turnover (necessarily more than S$1 million, since 10% of any figure above S$10 million exceeds S$1 million).
  • Annual turnover is determined from the most recent audited accounts available at the time the penalty is imposed.

For context: an SME with S$50 million in Singapore turnover faces a theoretical maximum penalty of S$5 million; one with S$200 million in turnover faces S$20 million.

Mandatory breach notification

Per the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the PDPC's Guide on Managing and Notifying Data Breaches, an organisation must notify the PDPC of a breach if either threshold is met:

  • the breach is likely to result in significant harm to affected individuals; or
  • the breach involves the personal data of 500 or more individuals.

The notification window is as soon as practicable, and in any case no later than 3 calendar days after the day the organisation assesses that the breach is notifiable. Where the significant-harm threshold is met, the organisation must also notify the affected individuals, again as soon as practicable, unless an exception applies (for example, where remedial action has already removed the likelihood of harm).

What "significant harm" means

The Schedule to the Notification of Data Breaches Regulations 2021, read with the PDPC guide, lists prescribed categories of personal data whose compromise is deemed likely to result in significant harm, including identification numbers such as the NRIC number, financial account and payment card details, health and medical information, and account credentials such as passwords. A breach involving any of these categories triggers the notification obligation regardless of the number of individuals affected.

NRIC authentication deadline — separate but related

Per the PDPC media release of 2 February 2026, private organisations have until 31 December 2026 to phase out using NRIC numbers (full or partial) as authentication credentials. From 1 January 2027, the PDPC will step up enforcement and may impose financial penalties under section 48J for failure to implement reasonable security arrangements. SMEs using NRIC as a default password or login ID are now on notice.

What the penalty actually looks like in practice

Recent PDPC enforcement against SMEs has shown wide variability, calibrated to organisation size and breach severity. Two SME examples published in 2023: Century Evergreen Private Limited (manpower contracting) was fined S$9,000 under [2023] SGPDPCS 5, and Autobahn Rent A Car Pte. Ltd. was fined S$3,000 under [2023] SGPDPCS 4, both for inadequate security arrangements that exposed personal data. Per RPC Legal's analysis: "much lower fines of S$9,000 and S$3,000 were imposed on smaller businesses Century Evergreen Private Limited and Autobahn Rent A Car Pte. Ltd. despite similar breaches having been found in all three cases."

Larger organisations face materially higher penalties. Before the 2022 change, the largest single PDPA penalty was S$750,000, imposed on an IT vendor under the old S$1 million cap. Under the 10% cap, the arithmetic above shows that seven- and even eight-figure penalties are theoretically within reach for big-turnover organisations. The PDPC publishes enforcement decisions on its enforcement page.

Cyber insurance market response

Singapore's cyber insurance market is growing rapidly: per Mordor Intelligence's Cyber Liability Insurance Market in Singapore report, the market is forecast to grow from USD 56.72 million in 2025 to USD 94.73 million by 2031 (8.93% CAGR), with standalone covers holding 53.65% market share in 2025 (growing 9.84% CAGR) versus packaged add-ons at 46.35% — reflecting bifurcation between sophisticated buyers and first-time purchasers.

Standard policy wordings typically cover:

  • Breach response costs (legal, forensics, notification);
  • Regulatory defence costs;
  • Third-party liability for affected individuals;
  • Business interruption from cyber events.

Whether the financial penalty itself is insurable is a wording-dependent question. Some insurers exclude regulatory fines outright; others cover them where insurable by law. Singapore law does not have a clear statutory bar on insuring PDPA penalties, but public-policy considerations may apply. This is exactly the kind of question to put to a licensed IFA before assuming "I have cyber, I'm covered."

What This Means for Your Business

Three practical points.

Your DPO is not optional. Every PDPA-covered organisation must appoint a Data Protection Officer and publish their business-contact details. SMEs commonly outsource the DPO function. The DPO is the named contact for PDPC enquiries — and is typically the person who must triage a breach within hours.

Your incident-response plan must hit the 3-day window. The 3 days run from the day you assess the breach as notifiable, not from the day you discover it, but the PDPC's guide expects that assessment to be completed promptly (as a general rule, within 30 calendar days of becoming aware of the incident), so the clock is effectively short. That means pre-drafted notification templates for both the PDPC and affected individuals, a named decision-maker, current legal counsel contact details, and a forensics provider on retainer.

Your cyber insurance wording matters more than the brand. Whether your policy responds to a regulatory penalty, breach notification cost, or third-party class action depends on the specific wording. An IFA on the COVA platform can match the wording to your data footprint, sectoral exposure and regulatory profile.

Questions to Ask Your Adviser

  1. Does my cyber insurance wording cover PDPA financial penalties, regulatory defence costs, or both — and is the penalty itself insurable under Singapore law?
  2. What is my notification cost coverage limit (forensics, legal, communications) and is it inside or outside the policy aggregate?
  3. Does my policy require notification to insurers within a window that aligns with the PDPA's 3-day window?
  4. Are my data-processor contracts with vendors structured so I can recover from them if a breach originates with a vendor?
  5. How does my coverage respond to NRIC-related claims if I am still using NRIC as authentication beyond 31 December 2026?

Published 3 May 2026. Source verified 3 May 2026. COVA is an introducer under MAS Notice FAA-N02. We do not recommend insurance products. We provide factual information sourced from primary regulators and route you to a licensed IFA who can match a policy to your specific situation.