All You Need to Know About the Data Protection Trustmark (DPTM)

IMDA (Info-comm Media Development Authority of Singapore) launched DPTM (Data Protection Trustmark) to improve and strengthen the standard of data protection practices within Singapore organisations. The DPTM was also created to help establish Singapore as a trusted data hub with advanced data ecosystems.

Organisations can apply for DPTM if they want to significantly enhance their current data protection policies and practices. Attaining the DPTM is solid proof of an organisation’s data protection practices. Some of the key objectives of the DPTM scheme include:

  • For organisations to demonstrate accountable and sound data protection practices
  • For organisations to provide a competitive advantage for businesses that are certified
  • To boost consumer confidence in an organisation’s management of personal data
  • To promote and enhance consistency in data protection standards across various sectors

For Data Protection Officers (DPOs), there are three key reasons why organisations should pursue DPTM.

  1. To set a standard when preparing for a regional compliance programme
  2. To function as a competitive advantage in tender considerations
  3. To attain a high level of data protection excellence as a reliable and trusted organisation

DPTM: Badge for Responsible and Accountable Data Protection Practices

An enterprise-wide certification designed to assess an organisation’s data protection practices, policies, and processes, the DPTM was also developed based on the PDPA or the Personal Data Protection Act. The DPTM incorporates best practices and elements of international benchmarks.

The DPTM also acts as a public-facing badge for certified companies to showcase they have effective and sound data protection standards set in place. When they are given the DPTM, organisations can gain a competitive business advantage.

According to PDPC’s Perception & Awareness Survey held in 2019, two in three consumers prefer purchasing from a DPTM-certified organisation or company. Also, four in five companies also prefer doing business with a DPTM-certified company.

With increased awareness of personal data protection among businesses and consumers, getting the DPTM is proof that your organisation has a solid data protection strategy to safeguard their personal data.

A third-party certification like the DPTM can also provide internal assurance within the organisation as it validates current practices and uncovers weaknesses in the data protection practices.

Unfortunately, despite the numerous benefits, some organisations are unfamiliar with the qualification process, application procedures, and requirements.

Qualified Applicants for the DPTM

Any organisation that’s recognised or formed under the laws of Singapore, residents, or those with an office of business in Singapore can apply for DPTM. This extends to organisations that are undergoing investigations by the PDPC or those that have breached the PDPA.

Some organisations can also apply for DPTM once they are able to comply with certain conditions such as declaring all the investigations or breaches within the last two years before the DPTM application.

What It Takes to Achieve the DPTM

The DPTM self-assessment is based on the following four principles:

  • Governance and Transparency
  • Management of Personal Data
  • Care of Personal Data
  • Individuals’ Rights

If an organisation is new to Data Protection but has yet to establish a baseline in relation to the Personal Data Protection Act (PDPA), they can contact the PDPC’s list of Data Protection Service Providers for assistance. This can help organisations prepare for DPTM readiness.

The final assessment will be conducted by the appointed Assessment Body (AB). The Assessment Body functions as an independent body to assess the data protection practices of the organisation, ensuring that it conforms with the DPTM requirements.

Some organisations are hesitant to obtain the DPTM certification as they are afraid their efforts are nullified if a breach happens during the post-certification period. The opposite is actually true. The DPTM certification will be considered by the PDPC as a mitigating factor.