CP
Cempaka Partners
PDPA solutions
Three Service Areas

PDPA Compliance Services for Singapore Organisations

Each service is designed around a specific compliance need — whether assessing your current position, developing your documentation, or responding to a breach incident.

Return to Home
Our Methodology

How We Structure Our Work

Every Cempaka Partners engagement begins with understanding the client's actual position — not with a predetermined template or a generic framework. Data protection compliance is specific to the organisation: to the data it holds, the way it processes that data, and the sector it operates in.

This means the first step in any engagement is information gathering: understanding what personal data your organisation collects, from whom, for what purpose, and how it is handled through its lifecycle. This informs everything else.

From that baseline, we assess against the applicable PDPA requirements and PDPC advisory guidance, produce clear written findings, and recommend practical actions. Our recommendations are prioritised — distinguishing between issues that require prompt attention and those that form part of a longer-term improvement path.

01

Information Gathering & Data Mapping

Understanding what data your organisation holds, how it flows, and the context of each processing activity.

02

Assessment Against Requirements

Evaluating current practices against PDPA provisions, PDPC guidelines, and sector-specific expectations where applicable.

03

Written Findings & Recommendations

A structured report with prioritised findings, referenced to specific PDPA requirements and organised by urgency.

04

Implementation Support

Documentation delivery, staff walkthrough sessions, or ongoing advisory support as required by the service scope.

Service 01

PDPA Compliance Assessment

S$180

A structured review of your organisation's data protection practices against the requirements of the Personal Data Protection Act 2012 and its amendments. The assessment examines how personal data is collected, used, disclosed, and retained — and identifies where current practices align with, or fall short of, what the PDPA requires.

The service is suitable for organisations at any stage of their compliance journey: those implementing PDPA compliance for the first time, those conducting a periodic review, or those that have experienced regulatory changes that require reassessment of their position.

What the Assessment Covers

Review of data collection and consent mechanisms
Evaluation of data use and disclosure practices
Assessment of data protection policies and notices
Review of access and correction request procedures
Identification of compliance gaps with prioritised recommendations
Written report with detailed findings and action items
Enquire About This Service
PDPA Compliance Assessment
Data Protection Policy Drafting
Service 02

Data Protection Policy Drafting

S$390

Development of comprehensive data protection policies, notices, and internal procedures aligned with the PDPA and PDPC advisory guidelines. Each document is drafted to reflect your organisation's specific industry, data processing activities, and operational structure — not adapted from a generic template.

The service includes a walkthrough session with relevant staff to explain the purpose and application of each document. This helps ensure that policies are understood and can be applied consistently in day-to-day operations.

Documents Included

Privacy notice (external)
Data breach management plan
Data retention & disposal schedule
Access and correction request procedure
Employee data handling protocols
Staff walkthrough session included
Enquire About This Service
Service 03

Breach Response & Notification Advisory

S$670

Advisory support for organisations that have experienced, or suspect, a personal data breach. The service covers assessment of the incident's scope, containment recommendations, determination of whether mandatory notification obligations are triggered, and preparation of notifications to the PDPC and to affected individuals.

Singapore's mandatory breach notification framework requires notification to the PDPC within three calendar days of completing the assessment of a notifiable breach. This timeline places significant pressure on organisations to act promptly and correctly. Our advisory support is structured to help organisations navigate this process clearly and within the required timeframe.

What the Service Covers

Initial incident scope assessment
Containment and remediation recommendations
Notification threshold determination
PDPC notification document preparation
Affected individual notification preparation
Post-incident review and safeguard recommendations
Enquire About This Service
Breach Response Advisory
Choosing the Right Service

Service Comparison

Each service addresses a different compliance need. The table below can help you identify which service is most relevant to your organisation's current situation.

Feature / Situation Assessment
S$180		 Policy Drafting
S$390		 Breach Response
S$670
Starting PDPA compliance from scratch
Periodic reassessment of compliance position
No data protection policy documentation yet
Experienced or suspected data breach
New business operations adding data collection
Staff training material needed

Key: = Directly relevant   = Not the primary use case

Professional Standards

Shared Standards Across All Services

Client Confidentiality

All information shared during an engagement is handled under strict confidentiality. Client data, documents, and incident details are not shared with third parties.

Regulatory Accuracy

All findings and recommendations are referenced to the current PDPA, amendments, and applicable PDPC advisory guidelines — not to outdated or inaccurate interpretations.

Written Deliverables

Every engagement produces documented output that your organisation can retain, reference, and build upon — not verbal guidance without written record.

Defined Timelines

Delivery timelines are discussed and agreed at the start of each engagement. For breach response, we structure our work to support organisations within the mandatory notification window.

Sector-Specific Guidance

Where PDPC has issued sector-specific advisory guidelines — including for financial services, healthcare, and retail — we apply those expectations to your engagement.

Transparent Pricing

Published fixed fees with no variable billing. The cost and scope of each service are clearly defined before work begins, with no additions without your prior agreement.

Pricing

Fixed Fees for Each Service

All fees are in Singapore Dollars. Each service is offered at a fixed fee with a clearly defined scope. There are no hourly billing rates or variable additions.

Compliance Assessment

S$180

Per engagement

  • Full data protection review
  • Consent mechanism assessment
  • Gap analysis report
  • Prioritised action list
Enquire
MOST COMPREHENSIVE

Policy Drafting

S$390

Per engagement

  • Privacy notice & policies
  • Data breach management plan
  • Retention & disposal schedule
  • Staff walkthrough session
Enquire

Breach Response

S$670

Per incident engagement

  • Incident scope assessment
  • PDPC notification preparation
  • Individual notification drafting
  • Post-incident review
Enquire

All fees in Singapore Dollars (SGD). Fees are fixed and inclusive of the scope described above. Any additional work outside scope is agreed before it proceeds.

Ready to Proceed?

Discuss Which Service Applies to Your Situation

If you are unsure which service best fits your organisation's needs, we are glad to answer questions before you make any commitment.

Contact Cempaka Partners