The Data Protection Trustmark (DPTM) is a voluntary, enterprise-wide certification that lets an organisation demonstrate accountable data protection practices. It is designed to help businesses build trust with customers and stakeholders, and to strengthen their competitive position.
Who Can Apply for DPTM Certification?
Organisations that already have a data protection regime in place to meet their obligations under the Personal Data Protection Act (PDPA) can apply for DPTM. They must also be Singapore-based: formed or recognised under the laws of Singapore, resident in Singapore, or having an office or place of business in Singapore.
It is easier for organisations with ISO/IEC 27001 and 27701 to attain DPTM certification as they would have already demonstrated compliance with good privacy and information security management standards. Upon submission of your application, you will be bound by the Terms of Agreement of the DPTM scheme.
Overview of Certification Requirements
The certification requirements draw on international standards (the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) requirements), the obligations of the PDPA as amended, and industry best practices. They are organised around four principles, each framed by a set of assessment criteria.
Principle #01: Governance and Transparency
- Appropriate Policies and Practices
- Internal Communications and Training
Principle #02: Management of Personal Data
- Appropriate Purpose
- Appropriate Notification
- Appropriate Consent
- Appropriate Use and Disclosure
- Compliant Overseas Transfer
Principle #03: Care of Personal Data
- Appropriate Protection
- Appropriate Retention and Disposal
- Accurate and Complete Records
Principle #04: Individuals’ Rights
- Effect Withdrawal of Consent
- Provide Access and Correction Rights
Organisations need written documentation of their data protection policies, practices and processes, and must also demonstrate that those policies, practices and processes are actually implemented on the ground.
The Data Protection Trustmark Phase-By-Phase Roadmap
DPTM certifies that your organisation already has sound data protection practices in place, not merely that it plans to implement them. The roadmap consists of four phases: governance, baseline, implementation and certification.
The governance phase involves forming a Data Protection (DP) Office led by a Data Protection Officer (DPO). The team must be competent and trained to advise on personal data and the PDPA, and is collectively responsible for operationalising the practices so that the organisation complies with the PDPA.
In the baseline phase, organisations need to make sure their actual practices are reflected in their documented policies and procedures. This is achieved by having the governance team map the relevant data flows and maintain a data inventory across the organisation. Organisations also need to take a risk-based approach to establishing their data protection management programme (DPMP).
In the implementation phase, the organisation needs to ensure that all employees acknowledge, understand and put into practice its PDPA obligations. By operationalising the documented policies and procedures for both internal and external parties, the organisation should be able to demonstrate that its DPMP is run on an ongoing basis with strong management support.
Once the first three phases have been adequately implemented, the organisation can begin the certification phase. The certification process involves six steps:
- Registration and application for the Data Protection Trustmark through the IMDA website
- Completion of the self-assessment form
- Appointment of the assessment body
- Carrying out of the desktop assessment
- Conducting a site audit
- Remediating based on assessment feedback
Once the process has been completed, an organisation will be awarded the DPTM certification.
The application fee is S$535 and is payable to IMDA. This is already inclusive of GST. The assessment fee is payable to the assessment body and will depend on the size of the organisation and the assessment body engaged. You need to get in touch with the assessment bodies for a quotation of the actual fee.