
Privacy Matters: 2025 Year in Review and What is Ahead for 2026

  • Jan 29
  • 3 min read

As we settle into 2026, many businesses are asking the same question: “How is the data privacy landscape actually changing for business?” Looking back, 2025 was a landmark year for the Personal Data Protection Commission (PDPC). We saw some of the highest fines in Singapore's history, but also a subtle shift in how the authorities view honest mistakes. Here is what businesses need to know to stay protected this year.


Written by Ericz Ezekiel Tay and Adriana Ho


2025 Year in Review: A Reality Check on Accountability

Last year, the PDPC sent a clear message: the scale of your data matters, and so does your technical oversight.

1. The "Set and Forget" Trap (Marina Bay Sands):

In the landmark MBS case, a S$315,000 fine was issued after over 600,000 patron records were left exposed for months during a software migration. The case was one of the first major tests of the revised penalty framework, which now allows for fines of up to 10% of an organization's annual turnover for large entities.

The Lesson: You cannot simply rely on a single employee to "check the box" on complex systems without a second layer of oversight. If your business is scaling, your security checks have to scale with it.

2. A Higher Bar for Tech Providers (Ezynetic):

Ezynetic was fined S$17,500 after a ransomware attack exposed the data of over 190,000 individuals.

The Lesson: The PDPC made it clear that SaaS (Software-as-a-Service) providers are held to a higher standard of technical expertise. If you provide tech services, standard security isn't enough; you are expected to perform periodic security reviews and maintain rigorous access controls. Ezynetic was directed to obtain the CSA Cyber Trustmark for its new network.

3. No Business is Too Small (MCST 4599):

Even smaller entities like Management Corporations (MCSTs) were under the microscope. One MCST was penalized for failing to appoint a Data Protection Officer (DPO) and having no clear policy for CCTV footage.

The Lesson: Every organization, no matter how small, must appoint a DPO and have written policies in place.



3 Trends We Noticed in the 2025 Cases

Based on the enforcement actions and "voluntary undertakings" (agreements to fix issues without a fine) from last year, 3 themes dominated:

  • The "Admin Account" Weak Link: Most breaches we saw started with an administrator's account that didn't have Two-Factor Authentication (2FA). Hackers are specifically targeting these weak links.

  • Zombie Data: Many companies were penalized for leaking data they should have deleted years ago. If you don't need it for business or legal reasons, get rid of it. Old data isn't an asset; it's a liability waiting to happen.

  • Outsourced, Not Out of Mind: Outsourcing your IT doesn't mean you outsource your responsibility. We saw multiple cases where a vendor's weak security brought the primary company under investigation.



What to Watch for in 2026

As we look into the coming year, 2 big topics will define data privacy in Singapore:

  • "Shadow AI" Headache: Many employees are now using ChatGPT or other AI tools to summarize meeting notes or draft emails. If they are pasting customer data into these tools, your company may be in breach of the PDPA. 2026 will be the year of AI Governance.

  • New "Cloud" Laws: The government is expected to table new legislation this year to hold cloud service providers to higher security standards. This is good news for businesses as it provides more protection when you use cloud-based storage.



Your 5-Minute Checklist for 2026

  1. Enable 2FA: Ensure every single staff member has 2FA turned on for their work email and CRM.

  2. The "Spring Clean": Identify one folder or database of old customer info (over 5 years old) and delete it if not legally required.

  3. AI Policy: Give your team a simple rule on what they can and cannot put into AI tools.

  4. Appoint DPO: If you have not officially registered a DPO with the PDPC, do it today.



How we can support you

At Ling Law, we specialize in helping businesses navigate these rules without the "big firm" jargon. Whether you need to review your data protection measures, appoint a DPO or draft a simple AI usage policy, we are here to help.

 

Get in touch with Ericz to learn more about keeping your business protected.

 


About Us
Ling Law is a boutique law firm in Singapore specialising in litigation and corporate commercial laws. Our foremost aim is to help you resolve any legal quandaries in a strategic and efficient manner. We prioritise practical and easily digestible publications tailored for busy professionals like yourself, who value concise insights amidst demanding schedules.

Legal Notice. The contents of these publications are for general information and may not be comprehensive in scope. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on these publications.
