10 Common PDPA Violations and How to Avoid Them
Singapore's Personal Data Protection Act (PDPA) violations can result in hefty penalties: up to S$1 million or 10% of the organization's annual turnover in Singapore, whichever is higher (the percentage-based cap applies to organizations whose annual Singapore turnover exceeds S$10 million). Understanding the most common compliance mistakes is your first line of defense.
Recent Enforcement Alert (2024): In May 2024 alone, the Personal Data Protection Commission (PDPC) issued three enforcement decisions imposing a total of S$102,000 in fines, while accepting compliance undertakings from six other organizations.
1. Inadequate Security Arrangements (Section 24 Breach)
The Violation:
Failing to implement reasonable security measures to protect personal data from unauthorized access, disclosure, or loss is the most common PDPA violation.
Real-World Examples:
- Storing customer data in unencrypted databases
- Using weak or default passwords for systems containing personal data
- Failing to restrict employee access to personal data on a need-to-know basis
- Not implementing multi-factor authentication for admin accounts
How to Avoid It:
- Encrypt sensitive data in transit (TLS) and at rest, and keep encryption keys separate from the data they protect
- Enforce strong password policies: minimum length, screening against known-breached passwords, and rotation when compromise is suspected rather than on a fixed schedule (forced periodic changes push users toward predictable passwords; see NIST SP 800-63B)
- Require multi-factor authentication for administrative and remote access
- Use role-based access controls (RBAC) so that each role can reach only the data its purpose requires
- Conduct regular security audits and penetration testing, and fix findings within defined timelines
- Maintain tamper-evident audit logs of access to personal data, and actually review them
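As an added illustration (not code from the original article), the Python sketch below shows two of the controls above working together: a need-to-know role matrix that returns only the fields a role is entitled to, and an append-only audit log whose entries are chained with HMAC-SHA256 so that a later edit or deletion is detectable. The customer record, role names, field names and key are constructed assumptions for the example; denied requests are logged too, and the log stores identifiers and field names rather than the personal data values themselves.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data for the example; not a real individual.
CUSTOMERS = {
    "C-1001": {
        "name": "Tan Wei Ling",
        "email": "weiling@example.com",
        "nric": "S1234567D",
        "order_history": ["ORD-1", "ORD-7"],
    },
}

# Need-to-know matrix (assumed roles and fields): each role may read only
# the fields its purpose requires. Adjust to your own data inventory.
ROLE_FIELDS = {
    "support": {"name", "email", "order_history"},
    "finance": {"name", "nric"},
    "marketing": {"email"},
}

GENESIS = "0" * 64  # chain anchor for the first log entry


class AccessDenied(PermissionError):
    """Raised when a role asks for fields outside its need-to-know set."""


class AuditLog:
    """Append-only log whose entries are chained by HMAC-SHA256.

    Each entry's MAC covers the previous entry's MAC plus the event body, so
    editing, reordering or deleting any entry breaks verification from that
    point on. The key must live outside the application that writes the log
    (for example an HSM or a separate logging service); an attacker who owns
    the application and the key can simply recompute the chain.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []
        self._prev = GENESIS

    def _mac(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        entry = {"prev": self._prev, "event": event, "mac": self._mac(self._prev, event)}
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(prev, entry["event"]), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def read_fields(store, log, actor, role, customer_id, fields, purpose, now=None):
    """Return only the requested fields the role may see, logging every attempt.

    Denied attempts are logged as well, because failed access is exactly what
    an investigation wants to see. The event carries identifiers, field names
    and the stated purpose, never the field values, so the audit log does not
    become a second copy of the personal data it protects.
    """
    ts = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    requested = set(fields)
    denied = requested - ROLE_FIELDS.get(role, set())
    event = {
        "ts": ts,
        "actor": actor,
        "role": role,
        "subject": customer_id,
        "fields": sorted(requested),
        "purpose": purpose,
    }
    if denied:
        log.append({**event, "outcome": "denied", "denied_fields": sorted(denied)})
        raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
    record = store.get(customer_id)
    if record is None:
        log.append({**event, "outcome": "not_found"})
        raise LookupError(customer_id)
    log.append({**event, "outcome": "granted"})
    return {f: record[f] for f in fields}


if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key-replace-me")
    print(read_fields(CUSTOMERS, log, "alice", "support", "C-1001", ["name", "email"], "ticket-42"))
    try:
        read_fields(CUSTOMERS, log, "bob", "marketing", "C-1001", ["nric"], "campaign-7")
    except AccessDenied as exc:
        print("denied:", exc)
    print("log intact:", log.verify())
    log.entries[0]["event"]["actor"] = "mallory"  # simulate after-the-fact tampering
    print("log intact after tampering:", log.verify())
```

In production the role matrix would come from your identity provider and the log would be shipped to a write-once store; the point here is the shape of the checks, not the storage. Note that a request for a mix of permitted and non-permitted fields is refused outright rather than partially served, which keeps the log entry unambiguous about what was actually disclosed.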
2. Failure to Notify Data Breaches
The Violation:
Since 1 February 2021, organizations must assess a suspected data breach expeditiously (the PDPC expects the assessment to take no more than 30 calendar days from the day the organization becomes aware of it) and, once they assess that the breach is notifiable, notify the PDPC within 3 calendar days. A breach is notifiable if it is likely to result in significant harm to affected individuals, or if it affects 500 or more individuals (the "significant scale" threshold).
Common Mistakes:
- Delaying assessment of whether a breach is "notifiable"
- Missing the 3-day notification deadline
- Failing to notify affected individuals
- Incomplete breach reports lacking required information
How to Avoid It:
- Establish a documented data breach response plan
- Designate a breach response team with clear responsibilities
- Train staff to recognize and report potential breaches immediately
- Prepare breach notification templates in advance
- Conduct regular breach response drills
Pro Tip: The PDPC's "Guide on Managing and Notifying Data Breaches" provides a clear assessment framework to determine if a breach is notifiable. Keep this guide readily accessible to your response team.
3. Collecting Personal Data Without Consent
The Violation:
Collecting, using, or disclosing personal data without obtaining proper consent—or exceeding the scope of consent given.
Real-World Examples:
- Pre-checked consent boxes on registration forms
- Bundling consent for multiple purposes without separate opt-ins
- Using data collected for one purpose for a completely different purpose
- Sharing customer data with third parties without explicit consent
How to Avoid It:
- Use opt-in checkboxes (not pre-checked) for consent
- Provide separate consent options for different purposes
- Clearly explain what data you're collecting and why
- Make consent withdrawal as easy as giving it
- Maintain comprehensive records of when and how consent was obtained
4. Lack of Privacy Policy or Data Protection Officer
The Violation:
Failing to have accessible privacy policies or not designating a Data Protection Officer (DPO) with appropriate authority.
Common Mistakes:
- No privacy policy published on website
- Privacy policy not easily accessible to customers
- DPO contact details not publicly available
- DPO lacking resources or authority to ensure compliance
How to Avoid It:
- Publish a clear, comprehensive privacy policy on your website
- Appoint a qualified DPO (or engage external DPO services)
- Display DPO contact information prominently
- Ensure DPO has direct access to management
- Review and update privacy policies at least annually
5. Improper Data Retention Practices
The Violation:
Retaining personal data longer than necessary for the purposes it was collected, or failing to securely dispose of data when no longer needed.
Real-World Examples:
- Keeping customer data indefinitely "just in case"
- Not having documented retention periods for different data types
- Disposing of physical documents containing personal data in regular trash
- Failing to securely delete data from decommissioned hardware
How to Avoid It:
- Document retention periods for each category of personal data
- Align retention with legal and business requirements
- Implement automated deletion processes where possible
- Shred physical documents containing personal data
- Use secure data wiping methods for digital storage
6. Non-Compliance with Do-Not-Call (DNC) Registry
The Violation:
Sending marketing messages to numbers registered on Singapore's DNC Registry. This is a criminal offense punishable by fines up to S$10,000.
Common Mistakes:
- Not checking numbers against the DNC Registry before marketing campaigns
- Assuming "business relationships" exemptions apply when they don't
- Sending marketing SMS/calls without clear identification of sender
- Not providing easy opt-out mechanisms in marketing messages
How to Avoid It:
- Screen marketing lists against the DNC Registry before every campaign; DNC check results are only valid for a limited period, so re-screen rather than rely on a stale result
- Clearly identify your organization in all marketing messages
- Include unsubscribe options in every marketing communication
- Maintain a suppression list of customers who opted out
- Train sales and marketing teams on DNC requirements
7. Inadequate Third-Party Data Processing Agreements
The Violation:
Sharing personal data with vendors, partners, or data intermediaries without proper data processing agreements or due diligence.
Real-World Examples:
- Using cloud storage without verifying vendor's security measures
- Engaging marketing agencies without data protection clauses
- Offshore data processing without proper safeguards
- No vendor compliance audits or oversight
How to Avoid It:
- Maintain an inventory of all third parties receiving personal data
- Implement data processing agreements with all vendors
- Assess vendor data protection practices before engagement
- Ensure contracts include data breach notification obligations
- Conduct regular vendor compliance audits
8. Failure to Honor Access and Correction Requests
The Violation:
Not responding to individuals' requests to access or correct their personal data as soon as reasonably practicable (and, where this will take longer than 30 days, failing to tell them in writing by when you will respond), or charging unreasonable fees for access requests.
Common Mistakes:
- No documented process for handling access requests
- Missing the 30-day response deadline
- Charging excessive fees for access requests
- Not verifying identity before releasing data
How to Avoid It:
- Establish a clear process for access/correction requests
- Train staff on how to handle such requests
- Implement identity verification procedures
- Respond within 30 days (or notify of extension with reasons)
- Charge reasonable fees aligned with PDPC guidelines
9. Inaccurate or Outdated Personal Data
The Violation:
Using inaccurate or outdated personal data for decisions that significantly affect individuals, without reasonable steps to ensure accuracy.
Real-World Examples:
- Making credit decisions based on outdated employment information
- Sending medical information to wrong addresses
- Not providing mechanisms for customers to update their data
- Using purchased data lists without verification
How to Avoid It:
- Implement procedures to verify data accuracy at collection
- Provide easy ways for individuals to update their information
- Regularly prompt customers to review and update their data
- Verify data from third-party sources before use
- Document data verification processes
10. Lack of Staff Training and Awareness
The Violation:
Not providing adequate training to employees handling personal data, resulting in accidental breaches or non-compliance.
Real-World Examples:
- Employees emailing customer data to personal accounts
- Staff unaware of phishing attempts leading to credential theft
- Improper disposal of documents containing personal data
- New hires not trained on data protection obligations
How to Avoid It:
- Mandatory PDPA training for all employees upon hiring
- Annual refresher training with updated scenarios
- Role-specific training for staff handling sensitive data
- Regular security awareness campaigns (phishing tests, reminders)
- Include data protection responsibilities in job descriptions
- Maintain training records for audit purposes
Penalty Framework 2024-2025
Maximum Fine: S$1 million or 10% of annual Singapore turnover (whichever is higher)
Typical Range for Medium Violations: S$50,000 - S$100,000
Aggravating Factors: Repeated violations, intentional breaches, large number of affected individuals, sensitive data involved
Mitigating Factors: Voluntary disclosure, swift remediation, cooperation with PDPC, no prior violations
Conclusion: Proactive Compliance is Key
The common thread in most PDPA violations is a lack of proactive compliance measures. Organizations that treat data protection as an afterthought are the ones that keep appearing in enforcement decisions.
The good news? Most violations are preventable with proper policies, procedures, and training. Regular compliance audits using comprehensive checklists can identify gaps before they become enforcement issues.
Need Help Ensuring PDPA Compliance?
Don't wait for an enforcement notice. Our team of data protection specialists can conduct a comprehensive compliance audit, identify gaps, and implement proven solutions for your business.
Additional Resources
- PDPC Official Website - Latest guidelines and enforcement decisions
- PDPC Data Breach Management Guide - Official breach notification guidance
- Download Our Free PDPA Compliance Checklist - 100+ items across 12 key areas
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific compliance concerns, consult with qualified legal counsel or data protection professionals.