Organizations face risk of higher financial penalties for breaches of the PDPA from 1 October 2022


This article is produced by CMS Holborn Asia, a Formal Law Alliance between CMS Singapore and Holborn Law LLC.

The enhanced financial penalty for breaches of the Singapore data protection law (the Personal Data Protection Act 2012 (“PDPA”)) will take effect from 1 October 2022, as follows –

  • S$1million, or
  • a maximum of 10% of annual turnover for organizations with an annual turnover that exceeds S$10million,

whichever is higher. This is against the backdrop of the amendments to the PDPA that took place in 2020 where the enhanced financial penalty was introduced, due to take effect at a later date. To summarise, the enhancement increases the potential quantum of the financial penalty for organizations with a turnover that exceeds S$10million, by allowing the regulatory authority, the Singapore Personal Data Protection Commission (“PDPC”), to impose a penalty of up to 10% of the local annual turnover of such organization.

While the enhanced financial penalty would mostly affect organizations with a local annual turnover in excess of S$10million, it is likely that the financial penalties levied may increase across the board, regardless of whether the organization crosses the annual turnover threshold.

Therefore, organizations that are not compliant (or not fully compliant) with the PDPA, face a higher risk and should be incentivised to immediately review their compliance to minimize the risk of increased penalties.