Why your Singapore startup should be concerned about the Personal Data Protection Act (“PDPA”)

personal data protection act singapore startup

In Singapore, the Personal Data Protection Act came into effect in 2014 in response to the increased use of collecting, using and storing of personal data as part of business operations. Today, Singapore companies are required to obtain the consent of an individual before they can collect, use or disclose any personal information related to that person, and it is mandatory for all businesses to designate a Data Protection Officer (“DPO”) to ensure their companies comply with the PDPA.

Startups will also have to check against the Do Not Call (“DNC”) Registry before engaging in any marketing activities. The DNC Registry is one where individuals can register their Singapore phone numbers to opt out of receiving marketing messages through phone calls and text messages from businesses. If a phone number is registered with the DNC, your startup cannot send marketing messages to the number unless it has received explicit consent to do so.

When you start a company in Singapore, it is necessary to understand the workings of the Act and to ensure your startup is compliant with the regulations from the start. While many startups seem to blatantly disregard the act – a recent concern is that up to 90% of mobile apps in Singapore could be in breach of the PDPA – doing so could land your startup in hot soup if the Personal Data Protection Commission (“PDPC”) starts to clamp down harder on breaches of the PDPA.

The PDPC has various powers to enforce compliance with the PDPA. It can:

1). enter company premises to collect information for investigations;

2). stop companies from continuing with acts that breach the PDPA; and

3). impose fines on companies that breach the PDPA.

In early 2016, the PDPC took action against eleven companies for breaches of data privacy, imposing fines of up to S$50,000 on four of the companies. To ensure your startup doesn’t end up in the same situation, you should ensure legal compliance from the very beginning.


For a comprehensive guide on how to comply with the PDPA, click here.

To ensure your website's Privacy Policy is compliant with the PDPA, click here.