A Beginner’s Guide to the 11 PDPA Obligations (With Simple Examples for SMEs)

For many SMEs, the Personal Data Protection Act (PDPA) may seem like a long list of rules meant only for large corporations. In reality, every organisation that collects personal data, including small training centres, retail shops, clinics, and home-based businesses, must comply.

The good news is that understanding PDPA does not have to be complicated. This article explains the 11 PDPA obligations in simple terms, with practical SME examples to help you apply them in your daily operations.

1. Accountability Obligation

Organisations must take responsibility for the personal data they handle. This includes putting proper policies in place, assigning responsibilities, and being able to demonstrate compliance.

SMEs should appoint a Data Protection Officer, train staff on PDPA basics, create standard operating procedures for collecting, using, and disposing of personal data, and maintain simple documentation to show compliance.

Example. A training centre appoints an admin staff member as the DPO and ensures registration forms, attendance lists, and certificate processes follow PDPA guidelines.

2. Notification Obligation

Before collecting personal data, organisations must clearly inform individuals what data is being collected, why it is being collected, and how it will be used.

Example. An online course registration form includes the statement: “We collect your personal data to register you for the course, verify your identity, and issue training certificates.”

3. Consent Obligation

Organisations must obtain consent before collecting, using, or disclosing personal data, unless exceptions apply.

SMEs should ask for consent before sending marketing messages, allow individuals to withdraw consent, and avoid pre-ticked boxes or forced consent.

Example. Before adding trainees to a WhatsApp broadcast list, you ask: “Do you consent to receive course reminders and updates from us?”

4. Purpose Limitation Obligation

Personal data can only be used for the purpose that was communicated. It cannot be used for unrelated purposes without fresh consent.

Example. A trainee provides details for course enrolment. You cannot later use the same data for marketing promotions without permission.

5. Accuracy Obligation

Organisations must ensure personal data is accurate and complete, especially before using it for official purposes.

Example. Before issuing certificates, you verify the correct spelling of trainees’ names to prevent credential errors.

6. Protection Obligation

Organisations must implement reasonable security measures to protect personal data from unauthorised access, leaks, loss, or misuse.

SMEs can use strong passwords, avoid shared logins, lock cabinets containing physical forms, limit access to authorised staff only, and avoid sending unencrypted files containing sensitive data.

Example. Registration forms are stored in a secure cloud system with restricted admin-only access.

7. Retention Limitation Obligation

Personal data should not be kept longer than necessary. Once the purpose is fulfilled, the data must be securely deleted or anonymised.

Example. After audit requirements are met, a training centre deletes old attendance records instead of keeping them indefinitely.

8. Transfer Limitation Obligation

If personal data is transferred outside Singapore, such as to overseas cloud servers or vendors, organisations must ensure comparable data protection standards are in place.

Example. Before using an overseas LMS provider, you verify that their platform follows strong data protection practices.

9. Access and Correction Obligation

Individuals have the right to request access to their personal data and correct inaccurate information. Organisations must respond within a reasonable timeframe.

Example. A trainee updates their phone number or email, and your admin promptly corrects the record.

10. Data Breach Notification Obligation

If a data breach occurs that may cause harm, such as exposure of names, NRIC numbers, or contact details, organisations must notify the Personal Data Protection Commission and affected individuals, usually within three calendar days.

Example. An admin accidentally emails a full trainee list containing NRIC numbers to the wrong recipient. This must be reported as a data breach.

11. Data Portability Obligation

Individuals may request their personal data to be transferred to another organisation in a structured, machine-readable format such as CSV or Excel.

Example. A corporate client requests employees’ training records for import into their HR system. You provide the data in a standard format for easy transfer.

Conclusion: PDPA Compliance Builds Trust and Protects Your Business

Complying with PDPA is not just about avoiding penalties. It helps your organisation build customer trust, protect sensitive information, operate more professionally, reduce the risk of data breaches, and improve internal processes.

PDPA compliance becomes manageable when broken down into simple steps. For SMEs, small and consistent actions can make a significant difference.