
PDPA Prompting Checklist: 8 Rules Before You Hit Send

A practical 8-point checklist any Singapore team can use to keep prompts PDPA-safe. Includes redaction patterns and a free template.

Haojun See

Founder & Director, On The Ground

Updated 1 May 2026

Why a checklist beats principles

Most teams know they should be careful with PDPA. They don't always know what "careful" looks like at the prompt level — the moment when someone is about to paste client data into Claude. A principles-based approach ("be careful with personal data") is fine for the policy document. At the moment of action, you need a checklist: 8 things, in order, that take 30 seconds to run through. Read this once. Then put it on the wall.

The 8 rules

1. Use enterprise-tier accounts only. Free tiers of any AI tool may train on your input. Switch your firm's accounts to Pro / Team / Enterprise. Verify "no training on data" in the contract.
2. Redact before you prompt. Replace personal names with [PERSON_A], dates with [DATE], identifying numbers with [AMOUNT], addresses with [REDACTED]. The analysis is rarely sensitive to those identifiers.
3. Send the minimum. If you only need a clause analysed, send the clause, not the whole 80-page contract. Surface area = risk.
4. Match the model tier to the data sensitivity. Routine ops data: any enterprise tier. Client-confidential: enterprise + redaction. Highly sensitive (matrimonial, criminal defence, regulated finance): on-device deployment.
5. Document AI use in the matter file. A line: "[date]: Used [Model] for [task]. Output verified by [name]." That's the audit trail.
6. Verify outputs. Citations, names, numbers. Especially for legal and financial work, where Claude can hallucinate plausibly.
7. Set a retention policy. Most teams accumulate prompt history forever. Set a 30/60/90-day retention based on your data class and delete older sessions automatically.
8. Disclose where material. If AI use is material to the engagement (a value prop, a billing factor, or a term in the engagement letter), disclose to the client. Many SG firms now include a standard clause.

Ready-made redaction prompt

Use this before pasting any client data:

> "Below is a document. Produce a redacted version that:
> - Replaces all personal names with [PERSON_A], [PERSON_B] etc.
> - Replaces all specific monetary figures with [AMOUNT]
> - Replaces all specific dates with [DATE]
> - Replaces all addresses, phone numbers, NRIC numbers with [REDACTED]
> - Replaces specific company names where they could identify clients with [COMPANY_A]
> - Preserves clause structure, paragraph numbering, and substantive terms exactly
>
> Output only the redacted document. No summary. No analysis.
>
> Document: [PASTE]"

Use the redacted output as input to your actual analysis prompt. Personal data never reaches the analysis context.
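The prompt above still sends the unredacted document to the model once, for the redaction step itself. A local, deterministic pass that applies the same placeholder scheme before anything is pasted means the raw NRIC, phone and money figures never leave the machine, and a residual check refuses to send if a pattern slipped through. This is an added example, not the page's prompt or any vendor's tooling; the name list, the Singapore-specific patterns and the sample letter are constructed for illustration.

```python
import re

# Added example: local redaction using the checklist's placeholder scheme
# ([PERSON_A]/[PERSON_B], [AMOUNT], [DATE], [REDACTED]). Names come from a
# caller-supplied list; NRIC, phone, date and money patterns are matched locally.
NRIC_RE = re.compile(r"\b[STFGM]\d{7}[A-Z]\b")                    # NRIC / FIN format
PHONE_RE = re.compile(r"(?:\+65[ -]?)?\b[689]\d{3}[ -]?\d{4}\b")    # SG 8-digit numbers
AMOUNT_RE = re.compile(r"(?:S\$|SGD ?)\d[\d,]*(?:\.\d{2})?")        # S$12,500.00 / SGD 900
DATE_RE = re.compile(
    r"\b\d{1,2} (?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]* \d{4}\b"
    r"|\b\d{4}-\d{2}-\d{2}\b"
)

def redact(text, names):
    """Return (redacted_text, mapping). The mapping stays on the local machine so
    the team can re-identify the model's output; it is never sent with the prompt."""
    mapping = {name: f"[PERSON_{chr(65 + i)}]" for i, name in enumerate(names)}
    # Longest names first so a full name is replaced before any shorter one inside it.
    for name in sorted(mapping, key=len, reverse=True):
        text = re.sub(re.escape(name), mapping[name], text)
    # Money before phones: an 8-digit sum must not be mistaken for a phone number.
    text = AMOUNT_RE.sub("[AMOUNT]", text)
    text = DATE_RE.sub("[DATE]", text)
    text = NRIC_RE.sub("[REDACTED]", text)
    text = PHONE_RE.sub("[REDACTED]", text)
    return text, mapping

def residual_pii(text):
    """Pre-send check: anything the structured patterns still match in the text."""
    return [m.group() for rx in (NRIC_RE, PHONE_RE) for m in rx.finditer(text)]

# Constructed sample letter (fictional names and numbers).
SAMPLE = ("Dear Mr Tan Ah Kow (NRIC S1234567A),\n"
          "Further to our call on 3 March 2026 at +65 9123 4567, the settlement of S$12,500.00\n"
          "is payable by 2026-04-30. Please contact Lee Mei Ling at 6123 4567 to confirm.")

if __name__ == "__main__":
    safe, key = redact(SAMPLE, ["Tan Ah Kow", "Lee Mei Ling"])
    assert residual_pii(safe) == []   # refuse to send if anything is left
    print(safe)
```

Pattern-based redaction only catches what the patterns describe; keep the model-side prompt as a second pass for free-text names and company references.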

What 'enterprise-tier' actually means in 2026

Each major AI vendor offers a tier with contractual no-training-on-data:

- Anthropic Claude Pro / Team / Enterprise — input not used for model training by default
- OpenAI ChatGPT Team / Enterprise / API with no-data-retention flag — same posture
- Google Gemini Enterprise — same
- Microsoft Copilot for M365 Enterprise — covered under your existing M365 enterprise contract

Free / individual tiers for all of these may train on input unless you explicitly opt out (and in some cases no opt-out is offered at all). For any team handling personal data routinely, the per-seat cost difference is trivial vs. the regulatory exposure. Verify in your specific contract — terms can change. Anthropic's current data usage terms are at anthropic.com/legal.

Where the checklist breaks down

Three patterns to watch for.

Junior associate convenience. A junior under deadline pastes the whole brief into ChatGPT (their personal account). Mitigation: firm-issued enterprise accounts, monitored, with usage onboarding. Make the right thing easier than the wrong thing.

WhatsApp screenshots. Client messages forwarded by WhatsApp screenshot to Claude. The screenshot still contains the personal data even if the surrounding paragraph is generic. Mitigation: train staff to retype in redacted form rather than forward screenshots.

Auto-summarisers in third-party tools. Some browser extensions and meeting tools auto-summarise content via cloud AI without the user realising. Audit the tools your team uses.

Reference: PDPC's PDPA Advisory Guidelines.

Where to next

For lawyer-specific PDPA detail, see PDPA-Safe Claude Prompts: A Lawyer's Checklist. For sector-specific compliance (MAS for fintech, IRAS for tax), see Singapore-Context Prompting: PDPA, IRAS, MAS, EDG. For deeper engagement on compliance posture (DPIAs, governance frameworks, incident response), book a free 30-minute call — OTG works with Singapore firms across sectors on practical PDPA-and-AI integration.

Frequently asked questions

Is this checklist legal advice?

No. It's a practical operational checklist informed by the PDPA and PDPC guidance. For matters where compliance is critical, get advice from your DPO or external counsel. Authoritative source: [PDPC](https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act).

Does this apply to all AI tools or just Claude?

All cloud-based AI tools (Claude, ChatGPT, Gemini, Copilot, Perplexity). The principles are identical; the implementations differ slightly per vendor.

What's the difference between PDPA and the new AI Verify framework?

PDPA governs personal data. The [Model AI Governance Framework for Generative AI](https://aiverifyfoundation.sg/wp-content/uploads/2024/05/Model-AI-Governance-Framework-for-Generative-AI-May-2024-1-1.pdf) is sector-agnostic guidance from AI Verify Foundation on responsible AI use. The two are complementary.

Do I need a DPIA before using Claude in my SME?

PDPA requires a Data Protection Impact Assessment for high-risk processing. Most SME use of Claude (writing emails, drafting documents) is low-risk. Higher-risk use (processing health data, financial records, legal client matters) merits a lightweight DPIA. OTG offers DPIA templates and review as part of consulting engagements.

What if my client data is in another country?

PDPA's Transfer Limitation Obligation requires comparable protection when personal data is transferred overseas. Anthropic's enterprise terms typically satisfy this; verify in your specific contract.
