DPTM in a Nutshell

The Infocomm Media Development Authority of Singapore (IMDA) launched the Data Protection Trustmark Certification (DPTM) earlier this year. Its primary purpose is to increase the standard of data protection practices within the different organisations in Singapore. With the DPTM, the organisation can start on an international privacy certification programme such as the ISO/IEC 27701 and the reverse is also true.

Now, organisations can apply for a DPTM if they want to sharpen their current data protection policies and practices qualifications. Having a DPTM will also act as testament to the organisation’s current data protection practices.

The Infocomm Media Development Authority of Singapore (IMDA) rolled out the DPTM with the following objectives in mind:

• For organisations to exhibit accountable and sound data protection practices.
• To promote and enhance data protection standards across all sectors.
• To provide certified businesses with a competitive advantage.
• To boost the confidence of consumers in terms of how organisations manage personal data.

After speaking with some Data Protection Officers or DPOs, three primary reasons were identified why an organisation should pursue DPTM:

• To ensure they have set a standard that will prepare them for a regional compliance programme.
• To function as a competitive advantage in tender considerations.
• To aim for a high level of data protection as a trusted company or organisation.

Unfortunately, despite all the peerless benefits, many organisations are still not familiar with the requirements, application procedures, and qualification process. For the uninitiated, below are the basics of DPTM that you need to know:

Who can apply for DPTM?

Any organisation that is formed or recognised under the Singapore laws can apply for DPTM. Any resident that has an office of business in Singapore can also apply. Even organisations that are undergoing investigations by the PDPC or have breached the PDPA may apply given that they comply with certain conditions.

For instance, similar organisations should make an official declaration of all the investigations and breaches within the last two years before their DPTM application date.

How an organisation can apply for DPTM

Application is carried out online. You can start by preparing your Entity Profile. From there, you will just follow the instructions when submitting relevant supporting documents. Your organisation will also be given a self-assessment form that you need to complete.

From there, the organisation can approach the IMDA-appointed Assessment Bodies (ABs) for a quotation. Once an AB has been appointed by the organisation, you can then submit the self-assessment to the AB once complete. The AB will arrange the on-site verification for the organisation.

Your organisation has the opportunity to do remediation work and rectify any non-compliance items. Typically, organisations are given two months to do this. The AB will then ensure the assessment is completed. The assessment report will then be submitted to the IMDA for review.

The IMDA will review the report and will decide whether the DPTM will be awarded to the organisation or not. IMDA will inform successful applicants. The organisation’s name will then be reflected in the certified organisation listings. The organisation will also receive a welcome kit.

What will it take to achieve DPTM?

DPTM self-assessment will be based on the following four principles:

1. Governance and Transparency
2. Management of Personal Data
3. Care of Personal Data
4. Individuals’ Rights

If the organisation is new to data protection and no baseline in terms of Personal Data Protection Act (PDPA) has been established yet, it is recommended that you get in touch with the PDPCs list of Data Protection Service Providers for assistance so they can prepare for DPTM readiness.

The appointed Assessment Body will conduct the final assessment. The Assessment Body (AB) will also act as an independent body to assess the organisations in their data protection practices to ensure it conforms to the DPTM requirements.