Back to Resources
AI Governance11 min read

Website Security & PDPA for Singapore Businesses: What You Must Know

SSL, data storage, form handling, and consent — a practical security and PDPA compliance checklist for Singapore business websites.

Haojun See
Haojun See

Founder & Director, On The Ground

Updated 26 May 2026

Why Website Security Matters for Singapore SMEs

Most Singapore SMEs think cyberattacks only happen to banks and government agencies. The data says otherwise. The Cyber Security Agency of Singapore (CSA) reported that SMEs accounted for 52% of ransomware victims in Singapore in 2025. Website defacements, data breaches, and phishing through compromised business sites are increasing year over year. Why SME websites are targeted: • Low-hanging fruit. Attackers scan for known vulnerabilities in outdated CMS platforms (WordPress, Joomla) and unpatched plugins. Most SME websites have at least one critical vulnerability within 6 months of launch if not actively maintained. • Customer data is valuable. A contact form collecting names, emails, and phone numbers is a PDPA-regulated data asset. If that data is breached, you face both the PDPC and your customers' loss of trust. • Supply chain attacks. Your website might be used to attack your customers — serving malware, hosting phishing pages, or redirecting to fraudulent payment forms. You become liable even if you weren't the direct target. The financial reality: • Average cost of a data breach for a Singapore SME: S$120,000–S$350,000 (including remediation, legal, and lost business) • Average PDPC fine for SME website breaches: S$10,000–S$120,000 • Cost of proper ongoing security: S$100–S$300/month The maths is clear. Prevention is dramatically cheaper than remediation. For SMEs building new websites, security and PDPA compliance should be designed in from the start — not retrofitted after a breach. That's the approach we take with Groundwork, where every website ships with security and PDPA handled from day one.

PDPA Obligations for Business Websites

The Personal Data Protection Act applies the moment your website collects, uses, or stores personal data about an identifiable individual. Here's what that means in practice: What counts as personal data on a website: • Names and email addresses (contact forms, newsletter sign-ups) • Phone numbers (callback requests, WhatsApp links with pre-filled messages) • IP addresses combined with browsing behaviour (analytics) • Photos with identifiable faces (testimonials, team pages) • Location data (if your site requests geolocation) • Any unique identifier that can be linked to a specific person Your key PDPA obligations: 1. Consent (Section 13–17) You must obtain consent before collecting personal data. For websites, this means: • Explicit opt-in checkboxes on forms (not pre-ticked) • Clear statement of purpose at point of collection • Separate consent for different purposes (e.g., service enquiry vs marketing) • Consent must be voluntary — you cannot refuse service for refusing marketing consent 2. Purpose Limitation (Section 18) Use data only for the purpose stated at collection. If someone submits a contact form about your accounting services, you cannot add them to your newsletter without separate consent. 3. Notification (Section 20) Inform individuals what you're collecting and why — before or at the time of collection. Your privacy policy must be accessible from the point of data collection (link it next to every form). 4. Access and Correction (Sections 21–22) Individuals can request access to their personal data and ask for corrections. Your privacy policy must explain how to make these requests. 5. Retention Limitation (Section 25) Do not keep personal data longer than necessary. Define a retention period (e.g., 24 months for enquiry forms) and implement automated deletion or review processes. 6. Transfer Limitation (Section 26) If personal data leaves Singapore (e.g., stored on servers in the US), you must ensure the receiving jurisdiction provides comparable protection, or implement contractual safeguards. 7. Data Breach Notification (Section 26D) If a breach affects 500+ individuals or causes significant harm, you must notify the PDPC within 3 calendar days and affected individuals without unreasonable delay. For more detail, see our comprehensive PDPA compliance guide.

Technical Security Baseline

Every business website in Singapore should meet this minimum security standard. It's not optional — it's the baseline that prevents the most common attacks. SSL/TLS (HTTPS) • All pages served over HTTPS — no mixed content • TLS 1.2 minimum (TLS 1.3 preferred) • HSTS header enabled (tells browsers to always use HTTPS) • Certificate auto-renewal configured (Let's Encrypt or equivalent) Security Headers • Content-Security-Policy — prevents XSS attacks by controlling which scripts can run • X-Frame-Options — prevents clickjacking by blocking your site from being embedded in iframes • X-Content-Type-Options — prevents MIME-type sniffing attacks • Referrer-Policy — controls how much referrer information is sent • Permissions-Policy — restricts browser features (camera, microphone, geolocation) DDoS Protection • CDN with DDoS mitigation (Vercel, Cloudflare, AWS CloudFront) • Rate limiting on form submissions and API endpoints • Geographic restrictions if your business only serves Singapore/APAC Dependency Management • Automated vulnerability scanning (Dependabot, Snyk, or equivalent) • Monthly review of third-party scripts and plugins • Remove unused dependencies — every package is an attack surface Backups • Automated daily backups of site content and form data • Backups stored in a separate location from the live site • Monthly backup restoration test (untested backups are not backups) Access Control • Two-factor authentication on all admin accounts • Principle of least privilege — staff get only the access they need • Remove access immediately when staff leave • Audit admin login activity monthly This baseline protects against the vast majority of attacks targeting SME websites. Groundwork managed websites include all of the above as standard.

Form Data Handling Done Right

Contact forms are the most common source of PDPA liability for SME websites. Most are misconfigured — sending unencrypted data to personal email accounts, storing submissions indefinitely, and lacking proper consent mechanisms. Where form data should go:Not: A personal Gmail inbox where submissions sit indefinitely alongside personal emails • Not: A shared spreadsheet accessible to everyone in the company • Yes: An encrypted database with access controls, retention policies, and audit logging • Yes: A dedicated business system (CRM, helpdesk) with proper data governance Encryption requirements:In transit: All form submissions must use HTTPS (encrypted between browser and server) • At rest: Form data stored in databases must be encrypted at rest (AES-256 or equivalent) • In processing: If form data triggers automated actions (email notifications, CRM syncs), those channels must also be encrypted Minimal collection principle: Only collect data you actually need. Most contact forms ask for far more than necessary: • Do you need a physical address for an enquiry form? Probably not. • Do you need a date of birth? Almost certainly not. • Do you need the company name? Maybe — justify it. Every field you collect is a field you must protect, retain appropriately, and potentially disclose in an access request. Less data = less risk. Retention policies: • Define how long form data is kept (recommend 12–24 months for general enquiries) • Implement automated deletion or flagging for review when retention period expires • Document your retention periods in your privacy policy • Keep records of deletion for audit purposes Practical implementation: For Groundwork websites, form submissions are: • Encrypted in transit (HTTPS) and at rest (AES-256) • Stored with role-based access controls • Subject to configurable retention periods • Processed with minimal data collection by default • Compliant with PDPA notification and consent requirements at point of collection
Cookie consent in Singapore sits in a grey area. PDPA doesn't have a specific "cookie law" like GDPR's ePrivacy Directive. But the principles still apply: if cookies collect personal data, you need consent. What cookies does your website actually set? Most SME websites set more cookies than their owners realise: • Essential cookies: Session management, security tokens, load balancing. These don't require consent — they're necessary for the site to function. • Analytics cookies: Google Analytics, Plausible, Fathom. These track visitor behaviour. Google Analytics (GA4) uses cookies that can identify individual users across sessions — this likely constitutes personal data collection under PDPA. Privacy-focused alternatives (Plausible, Fathom) use aggregated data without individual tracking. • Marketing cookies: Facebook Pixel, Google Ads remarketing, LinkedIn Insight Tag. These build individual profiles for targeted advertising. Definitely personal data. Definitely require consent. • Third-party embeds: YouTube videos, Google Maps, social media widgets. These often set tracking cookies without your knowledge. Best practice for Singapore businesses: Even though PDPA doesn't mandate cookie banners specifically, we recommend implementing them for three reasons: 1. Future-proofing. Singapore's regulatory landscape is evolving. The PDPC has signalled increasing attention to online tracking. Building consent mechanisms now avoids costly retrofitting later. 2. Customer trust. Singaporean consumers are increasingly privacy-aware. A clear, honest cookie banner signals that you respect their data. 3. International visitors. If any website visitors are from the EU, UK, or other GDPR jurisdictions, you need cookie consent regardless of your business location. Implementation approach: • Implement a banner that blocks non-essential cookies until consent is given • Offer granular controls (analytics yes, marketing no) • Remember consent preferences (don't ask every visit) • Provide an easy way to withdraw consent • Log consent records (who consented, when, to what) For businesses wanting the simplest compliant approach: use privacy-focused analytics (Plausible or Fathom), avoid marketing pixels unless essential, and implement a simple consent banner for any remaining tracking.

Choosing Secure Hosting

Where your website lives determines its baseline security posture. For Singapore businesses, hosting choice also affects PDPA compliance (data residency) and performance (latency for local visitors). What to look for:SOC 2 Type II certification. This means the hosting provider has been independently audited for security, availability, and confidentiality controls. Major providers (Vercel, AWS, Google Cloud, Azure) all hold this certification. • Singapore or APAC data centres. Data stored in Singapore simplifies PDPA compliance. If your hosting provider has Singapore edge nodes (CDN points of presence), your site loads faster for local visitors. Vercel and Cloudflare both have Singapore PoPs. • Automatic SSL and renewals. Your hosting should handle SSL certificate provisioning and renewal automatically. Expired certificates break your site and destroy visitor trust. • DDoS mitigation included. Enterprise-grade DDoS protection should be part of the platform, not an expensive add-on. • Automated backups. Daily backups with point-in-time recovery. The hosting provider should store backups in a geographically separate location. • Immutable deployments. Modern platforms (Vercel, Netlify) deploy each version of your site as an immutable snapshot. If something goes wrong, you can roll back instantly. This also means attackers can't modify your live site — they'd need to compromise your build pipeline. Hosting options for Singapore SMEs:Vercel — Best for modern web frameworks (Next.js, React). Singapore edge nodes. SOC 2 certified. Automatic SSL. Built-in DDoS protection. S$20–S$100/month for business use. • AWS (ap-southeast-1) — Maximum flexibility but requires technical expertise. Singapore data centre. SOC 2 certified. S$30–S$200/month depending on configuration. • Shared hosting (GoDaddy, Bluehost, etc.) — Cheapest option but least secure. Shared servers mean your site's security depends on your neighbours. No Singapore data centres for most providers. Not recommended for businesses collecting personal data. Groundwork websites are hosted on infrastructure with Singapore edge nodes, SOC 2 compliance, automatic SSL, DDoS protection, and daily backups — all included in the managed plan. See pricing and details.

The Cybersecurity Checklist for SME Websites

Use this 10-point checklist to assess your current website's security posture. If you score below 7/10, your site has material security gaps. 1. HTTPS everywhere Every page loads over HTTPS. No mixed content warnings. HSTS header active. Pass/Fail: Visit your site — does the browser show a padlock on every page? 2. Security headers configured Content-Security-Policy, X-Frame-Options, X-Content-Type-Options all present. Pass/Fail: Run your domain through securityheaders.com — aim for A or A+ grade. 3. Software is current CMS, plugins, themes, and dependencies are all on their latest versions. No known vulnerabilities. Pass/Fail: Check your CMS admin panel or run npm audit / composer audit. 4. Admin access is secured Two-factor authentication on all admin accounts. No default passwords. No shared accounts. Pass/Fail: Review your admin user list — any accounts you don't recognise? 5. Backups are automated and tested Daily automated backups running. Backup restoration tested within the last 90 days. Pass/Fail: When did you last successfully restore from a backup? 6. Forms use HTTPS and validate input All forms submit over HTTPS. Server-side input validation prevents injection attacks. Pass/Fail: Try submitting <script>alert('test')</script> in a form field. 7. PDPA consent mechanisms work Forms have explicit opt-in. Consent records are logged. Privacy policy is linked. Pass/Fail: Submit your own contact form — is consent properly recorded? 8. Third-party scripts are audited You know every external script running on your site. No unnecessary tracking or analytics. Pass/Fail: Open browser DevTools > Network tab — recognise every domain making requests? 9. DDoS protection is active CDN or hosting provider includes DDoS mitigation. Rate limiting on form endpoints. Pass/Fail: Check with your hosting provider — is DDoS protection included? 10. Error pages don't leak information 404 and 500 error pages show friendly messages, not stack traces or server details. Pass/Fail: Visit a non-existent URL on your site — what does the error page reveal? Scoring: • 9–10: Strong security posture. Maintain it with monthly reviews. • 7–8: Adequate but has gaps. Address the failures within 30 days. • 5–6: Material risk. Prioritise fixes immediately. • Below 5: Your site is likely already compromised or will be soon. Get professional help. If your score is below 7, consider a managed website service that handles security for you — or contact us for a security review of your existing site.

Security and PDPA Should Be Built In, Not Bolted On

Retrofitting security and PDPA compliance onto an existing website is expensive, disruptive, and usually incomplete. The smarter approach: build it right from the start. Every Groundwork website includes: • SSL/TLS with auto-renewal and HSTS • Security headers (CSP, X-Frame-Options, X-Content-Type-Options) • DDoS protection via edge network • PDPA-compliant forms with encrypted handling and consent logging • Privacy policy tailored to your business • Cookie consent mechanism • Automated backups • Monthly security updates and vulnerability scanning (managed plan) Your options:Get a secure, PDPA-compliant website built for free — pay only if you like the result • Talk to us about securing an existing site — we'll assess what needs fixing • Read more: Affordable Website Design for SMEs | Website as a Service

Frequently asked questions

What are the PDPA fines for data breaches involving a business website?

The PDPC can impose financial penalties of up to S$1 million per breach for organisations. In practice, fines for SMEs with website-related breaches have ranged from S$10,000 to S$120,000. The reputational damage — being named in a public enforcement decision — often costs more than the fine itself.

Do I need a privacy policy on my website?

Yes, if your website collects any personal data — including contact forms, email sign-ups, analytics that identify individuals, or cookies that track behaviour. Under PDPA Section 20, you must inform individuals of the purposes for which you collect, use, or disclose their personal data. A published privacy policy is the standard mechanism for this.

Is SSL/HTTPS enough to secure my website?

SSL is necessary but not sufficient. It encrypts data in transit but does nothing for data at rest, server-side vulnerabilities, or application-level attacks. A properly secured website also needs security headers, regular dependency updates, DDoS protection, secure form handling, and automated backups.

Where should my website data be stored to comply with PDPA?

PDPA doesn't mandate Singapore-only storage, but it does require adequate protection for overseas transfers (Section 26). For most SMEs, hosting with a provider that has Singapore or APAC data centres (Vercel, AWS ap-southeast-1, Google Cloud asia-southeast1) simplifies compliance. If data crosses borders, you need contractual protections equivalent to PDPA standards.

Do I need a cookie consent banner in Singapore?

PDPA doesn't explicitly regulate cookies the way GDPR does. However, if your cookies collect personal data (e.g., analytics that track individual users, remarketing pixels that build profiles), you need consent under PDPA's general consent obligations. Best practice for Singapore businesses: implement a consent banner with granular controls. It builds trust and future-proofs you against regulatory changes.

Should I manage website security myself or use a managed service?

Unless you have dedicated IT staff who actively monitor for vulnerabilities, a managed service is safer and more cost-effective. Security requires continuous attention — dependency updates, certificate renewals, backup testing, vulnerability scanning. A single missed update can expose your site to known exploits. OTG's [Groundwork managed plan](/groundwork) includes all security maintenance for S$250/month.

Want to Apply This to Your Business?

We're a Singapore AI development and automation agency. Let's discuss how we can help solve your specific challenges.