Data Breach Management, Response and Notification

Singapore’s Personal Data Protection Act 2012 (PDPA) requires organisations to implement reasonable security arrangements to protect personal data and notify the Personal Data Protection Commission (PDPC) in the event of a notifiable data breach. Organisations that fail to notify the PDPC within the stipulated time frame or comply with other requirements under the PDPA (and any other applicable law) may face regulatory enforcement action and financial penalties.

Drew & Napier’s Data Protection, Privacy & Cybersecurity Practice has advised many clients on implementing security arrangements and data breach management plans in order to comply with the requirements of the PDPA and address their legal risks. We have also advised clients on data breach response and notification, as well as related issues such as obtaining forensic evidence, preservation of legal privilege, legal adequacy of remediation measures and potential legal proceedings (for example, where a data breach involves a data intermediary or other parties).

For data breaches involving multiple jurisdictions, we have assisted clients to engage law firms in the other jurisdictions to ensure that the applicable laws are complied with in a consistent manner (as far as possible).

Data Breach First Responder

With organisations (both large and small) facing more frequent and increasingly sophisticated cyberattacks, data breach response has become a key issue for companies to address in order to limit their legal risks and the resulting impact to their business, especially if a data breach becomes publicly known.

To assist our clients in quickly and effectively responding to a data breach, we have developed a Data Breach First Responder service. As part of this service, we aim to:

  • Guide our clients on the immediate steps to be taken when a data breach occurs, including assisting with the appointment of the necessary cybersecurity / forensic consultant (if required),
  • Provide an assessment of whether the data breach is notifiable to the relevant authorities and the affected individuals under the law;
  • Assist with preparation and submission of the necessary notifications to the relevant authorities (if required); and
  • Advise on legal risks and potential legal liabilities relating to the data breach including, for example, communications with the affected individuals and other regulators.

Please contact us for more information about signing up for our Data Breach First Responder service, or should you have any queries about data breach management, response and notification.

For urgent assistance or to activate our Data Breach First Responder service, please contact:


Get in touch

Lim Chong Kin

Managing Director,
Corporate & Finance

Co-Head, Data Protection,
Privacy & Cybersecurity

Co-Head, Drew Data
Protection &
Cybersecurity Academy

David N. Alfred

Director, Corporate &

Co-Head, Data Protection,
Privacy & Cybersecurity

Co-Head and Programme
Director, Drew Data
Protection &
Cybersecurity Academy

Albert Pichlmaier

Senior Cybersecurity and
Privacy Engineer

Course Leader, Drew Data
Protection & Cybersecurity