What is the Data Protection Trustmark (DPTM)?

Singapore’s Infocomm Media Development Authority (IMDA) launched the Data Protection Trustmark (DPTM) to increase the data protection practices standards within Singapore organisations. Nowadays, organisations can apply for the Data Protection Trustmark (DPTM) if they want to sharpen their current data protection policies and practices qualifications.

Attaining the DPTM will also serve as a strong testament of the organisation’s dependable data protection practices. When IMDA rolled out the DPTM, they had the following objectives and goals in mind:

  • For organisations to show accountable and sound data protection practices
  • To promote and enhance consistency in data protection standards across all sectors
  • To provide certified businesses a competitive advantage
  • To boost confidence of consumers in the organisations’ management of personal data

For many Data Protection Officers (DPOs), there are three primary reasons to pursue the DPTM for the organisation.

  1. To set a standard that prepares the organisation for a regional compliance programme
  2. To serve as a competitive advantage in tender considerations
  3. To aim towards a higher level of data protection excellence

Unfortunately, despite its many benefits, many organisations are not aware or familiar with the DPTM requirements, application procedures, and qualification process.

Can Your Organisation Apply for the DPTM?

Any interested organisations that are recognised and formed under the Singapore laws can apply for the DPTM. Likewise, any resident or businesses that has an office in Singapore can also apply.

This even extends to those organisations that have been found to have breached the PDPA before or have undergone (or are undergoing) investigations by the PDPC. Such parties can apply for DPTM given that they comply with certain conditions. The conditions include officially declaring all the investigations and breaches they have undergone within the last two years before the date of their DPTM application.

How Can Your Organisation Apply for DPTM?

Application can be done online. You begin the application process by preparing the entity profile and following all the instructions provided when submitting the supporting documents required. The organisation will need to complete a self-assessment form.

From there, you can approach Assessment Bodies (ABs) appointed by the IMDA for the assessment fees quotation. Once you have appointed an AB, you can then submit the completed self-assessment form to the AB. The AB will arrange the on-site verification for the organisation.

Your organisation will be given the opportunity to do remediation work. This is done by rectifying within two months (or a timeframe approved by the IMDA) any non-compliance items. The AB will make the necessary follow-ups to ensure the assessment is completed and the assessment report is submitted to the IMDA for review.

The IMDA will inform the successful applicants. Its name will also be reflected in the certified organisation listing. A welcome kit will also be provided by the IMDA and given to successful applicants.

What Will It Take to Achieve the DPTM?

The DPTM self-assessment will be based on four key principles:

  1. Governance and Transparency
  2. Management of Personal Data
  3. Care of Personal Data
  4. Individuals’ Rights

If an organisation is new to data protection and has not created a baseline yet in terms of the Personal Data Protection Act (PDPA), they can contact the PDPC’s list of Data Protection Service Providers to help them prepare for DPTM readiness.

The final assessment on the DPTM award will be carried out by the appointed Assessment Body. The Assessment Body will also serve as an independent body that will assess the data protection practices of the organisation and decide if it conforms to the DPTM requirements.