What security measures must companies take to protect data?
Companies in Singapore must implement reasonable security arrangements to protect personal data from unauthorised access, collection, use, disclosure, copying, modification, or disposal, as required by the Personal Data Protection Act 2012.
What the Law Says
The Personal Data Protection Act 2012 (PDPA) sets a legal duty on organisations to safeguard personal data in their possession or under their control. "Under their control" includes data that a vendor or other data intermediary processes on the organisation's behalf, so outsourcing the processing does not outsource the duty.
Section 24 of the PDPA requires organisations to make reasonable security arrangements to protect personal data. This means taking technical and organisational measures, such as encryption, access controls, staff training, and regular system reviews, that are proportionate to the sensitivity of the data, the volume handled, and the potential harm to individuals if the data is breached.
The law does not prescribe a one-size-fits-all checklist. Instead, it uses a 'reasonableness' standard: what is reasonable depends on the context — for example, a small business handling basic contact details may need fewer safeguards than a bank holding financial records.
Organisations must protect against unauthorised or accidental access, collection, use, disclosure, copying, modification, or disposal of personal data. This applies whether the data is stored electronically, on paper, or in any other form.
Statutory Text
An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
— Personal Data Protection Act 2012, s. 24 — Protection of personal data
What to Do
Conduct a data inventory to identify what personal data your company holds and where it is stored.
Assess risks based on data sensitivity, volume, and potential impact of a breach.
Implement technical safeguards (e.g., encryption, firewalls, multi-factor authentication) and organisational measures (e.g., staff training, access policies, incident response plan).
Review and update security practices regularly — especially after system changes or incidents.
Appoint a Data Protection Officer (DPO) to oversee compliance and serve as the point of contact for inquiries from the Personal Data Protection Commission (PDPC) and from individuals.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.