The Ninja Sensei’s Logbook: Personal Data vs Sensitive Data: Why Knowing the Difference Matters

Privacy Ninja
Apr 13


Every organisation in Singapore collects, uses, and discloses data.

However, a data breach doesn’t necessarily mean that the PDPA has also been breached; that depends on what type of data the bad actors acquired. This is why we should know the difference between personal data and sensitive data, and why knowing that difference matters.

Based on the PDPA, personal data is any data about an individual from which that individual can be identified. Examples are their names, birthdays, addresses, and social security numbers. When this data is breached, the affected individual could suffer harm, such as through impersonation.

Sensitive data, on the other hand, is any data that the company holds for its accounts and other business information, such as trade secrets, that could be detrimental to the company if it leaks. An example is the secret formula for a product the company sells.

The difference between the two lies mainly in the effects of a breach and in who will be involved. When personal data is breached, the organisation must answer to the PDPC, possibly through a financial penalty, and to its customers, who trusted the organisation to keep their information safe. When sensitive data is breached, by contrast, the PDPC and the organisation’s customers will not be involved.

In both instances, the company will suffer consequences, especially if it does not take remedial action promptly. However, because securing personal data is a matter of public policy, a breach of personal data is considered much more disruptive, as the organisation’s reputation could be on the line.

Knowing the difference between the two matters because it tells organisations what to do next when a breach occurs. When personal data is breached, there is a specific procedure under the PDPA that should be followed, or else the organisation incurs a much heftier fine.

This post first appeared on Andy’s LinkedIn wall.
