

In today's digital economy, the question is not if a data breach will happen, but when. For businesses in Singapore, your response in that critical moment is not just a technical challenge; it's a strict legal obligation under the Personal Data Protection Act (PDPA).[1]
Since the introduction of the mandatory data breach notification requirement, organizations must notify Singapore's Personal Data Protection Commission (PDPC) and affected individuals when a significant breach occurs.[2] Failure to do so can result in substantial fines and a severe loss of customer trust.[3]
This guide provides a clear, step-by-step framework for what to do when you suspect a data breach, helping you navigate your notification duties calmly, effectively, and compliantly.
Step 1: The First 24 Hours - Contain and Assess
The moment you suspect a breach, the clock starts ticking. Your immediate actions are critical.
Assemble Your Response Team: This should be a pre-designated team, including leads from your IT/security, legal/compliance, communications, and management teams.
Contain the Breach: Take immediate action to stop further data leakage. This could mean isolating the affected system, revoking compromised credentials, or patching a vulnerability.
Begin Assessment: Start a swift but thorough investigation to understand what happened, what data was affected, and who was impacted. The goal of this assessment is to determine if the breach is legally "notifiable."
Step 2: Is the Breach "Notifiable"? The PDPA's Two-Pronged Test
Under the PDPA, you must notify the authorities if the data breach meets at least one of the following two conditions. This assessment must be completed within 30 calendar days.[4]
Condition A: The "Significant Harm" Test
A breach is notifiable if it is "likely to result in significant harm" to the affected individuals.[5] The PDPA considers harm to be significant if it relates to a prescribed list of data, including:
An individual's full name or alias, combined with financial information, medical information, or other specific identifiers (e.g., passport numbers).
Data that would reveal an individual's private life.
Condition B: The "Significant Scale" Test [6]
A breach is notifiable if it affects a large number of people.[7] The PDPA sets this threshold at 500 or more individuals.[8]
If your breach meets either the harm or the scale test, you have a legal duty to notify.
Step 3: The Notification Process - Who, What, and When
Once you've determined a breach is notifiable, you must act fast.
Notify the PDPC (The Regulator)
When: As soon as practicable, and no later than 3 calendar days after you conclude the breach is notifiable.[9]
How: Through the PDPC's official data breach notification form on their website.[10]
What: Be prepared to provide a chronology of the breach, the number of individuals affected, the types of personal data involved, your containment measures, and the contact details of your data protection officer (DPO).[11]
Notify the Affected Individuals
When: At the same time or as soon as practicable after notifying the PDPC.[12]
What: The notification must be clear and easy to understand. It should include what happened, what data was compromised, what your organization is doing about it, and what steps individuals can take to protect themselves (e.g., changing passwords, monitoring their accounts).[13]
Exceptions: You may be exempt from notifying individuals if, for example, the compromised data was encrypted and the encryption key was not compromised.[14]
How Walla Form Helps You in a Breach Scenario
While no tool can prevent every possible breach, the right platform can be critical in enabling a swift and compliant response.
Rapid Scoping and Assessment: In the chaotic first hours, knowing what data you hold is critical. Walla Form's centralized dashboard allows you to quickly identify which forms collected what specific data fields, helping you assess the potential for "significant harm" and determine if the "500-individual" threshold has been met.
Demonstrating "Reasonable Security": During an investigation, you must prove you had "reasonable security arrangements" in place. Walla's built-in end-to-end encryption and secure architecture provide a strong, defensible security posture for the data you collect via forms.
Providing Clear Audit Trails: Regulators and investigators will ask who had access to the data. Walla's detailed and immutable audit logs provide a clear record of every view, export, or deletion, which is invaluable for your incident investigation and your official report to the PDPC.
Conclusion: Turn Crisis into Trust
A data breach is a defining test of a company's preparedness and integrity. Having a clear response plan and the right tools in place can turn a potential disaster into a managed crisis. A transparent, compliant, and empathetic response can, over time, even reinforce customer trust.
Walla Form is more than a data collection tool; it's a partner in your data governance strategy. Build your forms on a platform designed for security and accountability, and be prepared for the challenges of the digital world.
Disclaimer: This article provides general guidance and is not a substitute for legal advice. In the event of a data breach, you must consult with a qualified legal professional and refer to the official resources provided by Singapore's PDPC.
