💡 律咖编者按
本文由律咖网社群读者 anteater 投稿分享。
为了方便大家阅读,律咖网编辑 JingJing(微信:lvga2015)对原文进行了细致的逻辑润色与合规性整理。希望能给正在 新加坡 创业路上的你带来真实的参考。

I didn’t think much about data privacy until my daughter asked me, “Daddy, is your phone spying on us?”

It was a Tuesday evening. I was sitting at our rented HDB flat in Bukit Panjang, surrounded by unpacked boxes of USB hubs and Bluetooth speakers — the first batch of my 3C products for a small Amazon FBA test run. My wife had just left for Shanghai to visit her parents. The silence in the apartment felt heavier than the air conditioning unit humming overhead.

I opened my laptop. I’d just read a fragment of news — something about a breach in the UK Foreign Office. A group called Storm 1849. Allegedly Chinese-linked. Thousands of visa documents potentially exposed. I didn’t know if it was true. I didn’t even know if it was relevant to me. But my chest tightened. Because I had just submitted my Employment Pass application. My company’s registered address was here, in Bukit Panjang. My personal data — passport, bank statements, employment history — had been uploaded to a government portal.

And now? I didn’t know who else might have seen it.

That’s the thing about data privacy in Singapore: you’re told it’s safe. You’re told the laws are strict. You’re told the Personal Data Protection Commission (PDPC) is rigorous. But no one tells you where to go when you start doubting it.

I’m 31. I studied business management in Heilongjiang, then came here with $20,000 in savings and a dream I didn’t fully believe in anymore. My parents think I’m reckless. My wife says I’m “too quiet when you’re scared.” Maybe she’s right.

I spent three days researching. Not because I wanted to — but because I couldn’t sleep.

The Silence Between Policy and Practice

Singapore’s Personal Data Protection Act (PDPA) is clear on paper. It governs how organizations collect, use, and disclose personal data. It requires consent. It mandates data protection officers. It even gives individuals the right to access or correct their own information.

But here’s the gap: Where do you go when you suspect a breach?

I called the PDPC helpline. The automated system offered three options:

  1. File a complaint
  2. Learn about compliance obligations
  3. Request a copy of your data from an organization

I chose #3. Then I realized — I didn’t know which organization had my data. Was it the Ministry of Manpower? The Immigration & Checkpoints Authority? The third-party service provider who processed my company registration?

I dug deeper. Found the PDPC’s official website: www.pdpc.gov.sg. Buried under “Your Rights,” there was a section: “If you believe your personal data has been mishandled, you may file a complaint.”

But no button. No form. Just instructions: “Submit your complaint in writing via email or post.”

I wrote an email. I didn’t know who to send it to. I sent it to info@pdpc.gov.sg. I didn’t get a reply. Not yet.

I asked a local accountant — a Chinese-speaking woman in Bukit Panjang who helped me set up my company. She said, “You’re worrying too much. Singapore is not like China. They don’t leak data here.”

I didn’t say anything. But inside, I thought: What if they don’t leak — but someone else steals it?

That’s the information asymmetry I felt:
I was told the system is secure.
I read news about breaches elsewhere.
But no one told me: What if it happens here? And what do you do next?

My Framework: Three Layers of Control

I realized I couldn’t control whether a government server got hacked. But I could control three things:

  1. What data I shared
    I reviewed every form I’d signed — company registration, bank account opening, tax filing. I deleted unused accounts. I stopped uploading my passport photo to every third-party logistics vendor. I asked: “Why do you need this?” Most couldn’t answer.

  2. Where I stored it
    I stopped using Google Drive for sensitive documents. I switched to a local encrypted drive — the kind sold by a small shop in Tiong Bahru. The guy there didn’t speak English. He just handed me a USB with a lock symbol. “This no connect internet,” he said. I paid $120. It felt like buying armor.

  3. Who I talked to
    I stopped asking random Facebook groups. I started asking licensed corporate service providers — the ones with physical offices, not just WhatsApp profiles. I visited three in Bukit Panjang. One had a sign: “PDPC-Registered Agent.” I didn’t ask if they’d been breached. I asked: “If my data gets leaked, what’s your protocol?” One said, “We notify you within 72 hours.” Another said, “We don’t keep your data longer than necessary.” The third just smiled and said, “You’re safe here.” I didn’t choose him.

I realized: data privacy isn’t about laws. It’s about who you trust — and whether they’ve thought through the worst-case scenario.

What I Learned (That No One Tells You)

  1. Time is your most expensive asset.
    I spent 17 hours over three weeks researching this. That’s 17 hours I could’ve spent negotiating with a factory in Shenzhen. But I didn’t. Because I was scared. And fear doesn’t care about ROI.

  2. “Compliance” is not a checkbox.
    Having a “PDPA-compliant” website doesn’t mean your data is safe. It just means you’ve paid someone to write the terms. I read my own company’s privacy policy. It was 12 pages long. Half of it was copied from a template. The other half was in legalese I couldn’t parse. I still don’t know what “sharing” means here. Is it selling data? Is it handing it to the police? Is it letting a cloud provider back it up?

  3. There’s no emergency hotline.
    In China, if your ID is stolen, you call the police. In Singapore, if you suspect a breach? You email. You wait. You hope. There’s no 110. No hotline. No live chat. Just a form you fill out. And no one tells you how long it takes.

✅ Three Action Steps — Not Promises, Just Paths

If you’re reading this in Bukit Panjang, or Tampines, or Jurong, and you’re also wondering:

  1. Visit PDPC’s official website
    Go to www.pdpc.gov.sg → Click “Your Rights” → Scroll to “How to file a complaint.”
    Tip: Save the PDF of your data request form. You’ll need it if you ever need to prove you asked.

  2. Ask your corporate service provider for their Data Protection Policy
    Not their “Privacy Policy.” Their Data Protection Policy.
    Ask: “Do you have a Data Protection Officer? What’s their contact?”
    If they say “no,” you might want to reconsider.

  3. Use encrypted local storage for sensitive documents
    Don’t rely on cloud. Buy a physical encrypted drive. Use a local vendor. Ask them: “Is this device ever connected to the internet?”
    If they hesitate — walk out.

Final Thought

I used to think entrepreneurship was about speed.
About scaling.
About winning.

Now I know it’s about silence.
The silence between when you hear bad news…
…and when you decide whether to act.

I still don’t know if my data was exposed.
I still don’t know if Storm 1849 touched Singapore.
I don’t even know if the news was true.

But I do know this:
I asked questions.
I didn’t assume safety.
I didn’t wait for someone else to protect me.

And that’s the only advantage I have as a small entrepreneur — not capital, not tech, not connections.

Just the quiet courage to ask: Where do I even start?

🔸 延伸阅读

🔸 Government says visa applicants’ details likely not compromised in Foreign Office hack allegedly by Chinese group 🗞️ 来源: Lvga.com – 📅 2026-04-13
🔗 阅读原文

🔸 Storm 1849 linked to October cyberattack on government servers; minister cautions on unverified reports 🗞️ 来源: Lvga.com – 📅 2026-04-13
🔗 阅读原文

💡 如果你也曾在深夜盯着屏幕,担心数据被偷、合同被篡、签证被卡……
你不是一个人。

我是 anteater,一个来自上海奉贤、在新加坡磕磕绊绊做3C生意的普通人。

如果你愿意聊聊你在 Bukit Panjang 的困惑 —— 数据隐私、公司注册、租房合同、签证续签……

我认识律咖网的编辑 JingJing。
她不卖服务,不承诺结果。
她只是安静地听,然后帮你理清那些没人说清楚的细节。

微信:lvga2015

加她,不为解决问题。
只为确认:你不是在独自面对整个系统。

📌 免责声明
请知悉:律咖网(Lvga.com)是跨境创业公开信息与内容分享平台,不提供法律、税务、会计或合规服务。
本文内容基于公开资料,并由人工编辑与 AI 工具协助整理,仅供信息参考之用,不构成任何法律、投资、移民或商业决策建议。
政策可能随时间变化,请以官方渠道与当地持牌专业人士意见为准。
如内容有需要修订之处,欢迎随时与我联系。