Singapore · PDPA
PDPA compliance for Singapore small businesses
Every private organisation in Singapore must comply with the Personal Data Protection Act, regardless of size. A one-person company with 50 customer emails has the same obligations as a multinational: appoint a Data Protection Officer, document your data protection policies, and report notifiable breaches to the PDPC within 3 calendar days of assessing them. From 31 December 2026, organisations must also stop using NRIC numbers for authentication. MapleNorthIT runs remote PDPA readiness audits for businesses with 5 to 100 employees and sells a self-serve Singapore compliance kit for teams that want to start on their own.
Last updated: June 2026 · MapleNorthIT
NRIC authentication ban: 31 December 2026
The PDPC announced in February 2026 that private organisations must stop using NRIC numbers for authentication by 31 December 2026. That includes NRIC as a default password, NRIC combined with a birthdate as a login check, and partial NRIC display as a security step.
What Singapore businesses need to know
- PDPA fines reach S$1 million or 10% of annual Singapore turnover, whichever is higher, for organisations above the revenue threshold.
- Every organisation must appoint a Data Protection Officer and publish their business contact details, with no exemption for small companies.
- Notifiable data breaches must be reported to the PDPC within 3 calendar days of the assessment.
- Most PDPC enforcement actions trace back to basic security failures: outdated software, weak access controls, and missing multi-factor authentication.
Two ways to get compliant
Compliance Readiness Audit
A one-hour remote call plus a review of your setup. Written report within 48 hours, with every gap ranked Critical, Important, or Recommended and a rough cost to fix each one.
Book an auditSingapore PDPA Compliance Kit
A self-serve bundle with the policies, registers, and breach response templates the PDPA expects, written in plain language your team can adopt this week.
View the kitPay in CAD by card via Stripe. Prices shown convert to roughly the same in SGD.
Common questions
Does the PDPA apply to a company with fewer than 10 employees?
Yes. The PDPA has no minimum size threshold. Any private organisation that collects, uses, or discloses personal data in Singapore must comply, including appointing a Data Protection Officer. The required controls scale with your size and risk, but the obligations themselves apply in full.
What is the NRIC authentication change in 2026?
By 31 December 2026, private organisations must stop using NRIC numbers to authenticate people. Common patterns that must go: NRIC as a default password, NRIC plus date of birth as an identity check, and showing partial NRIC as a verification step. Replace these with passwords, one-time codes, or other authentication factors.
How much does PDPA compliance cost a small business?
Local market rates for initial compliance setup run about S$3,000 to S$10,000 for companies under 50 employees, with outsourced DPO services at roughly S$500 to S$2,000 per month. A remote readiness audit from MapleNorthIT costs a fraction of that and tells you exactly which gaps to close first, so you spend on the right things.
Can a Canadian consultant audit a Singapore business remotely?
Yes. A PDPA readiness audit reviews your policies, access controls, breach response process, and security configuration. All of that happens over a one-hour call plus a review of your setup. You get a written report within 48 hours with findings ranked Critical, Important, and Recommended.