The Data Protection Trustmark 

Nowadays, organisations that want to improve their policies, qualifications and data protection practices can apply for the Data Protection Trustmark (DPTM). Obtaining the DPTM can act as a good testament to an organisation’s data protection practices.

The Infocomm Media Development Authority (IMDA) of Singapore rolled out the Data Protection Trustmark with the following objectives in mind:

  • For organisations to exhibit accountable and sensible data protection practices.
  • To promote consistency and enhance data protection standards across all sectors.
  • To provide certified businesses with a competitive advantage.
  • To boost consumers’ confidence in how the organisation manages their personal data.

For many Data Protection Officers (DPOs), there are three practical reasons to pursue DPTM for the organisation:

  • Set a standard and prepare for a regional compliance programme
  • Function as a competitive advantage in tender considerations
  • Achieve a high level of data protection excellence 

Unfortunately, despite the obvious benefits of DPTM, many organisations are still not familiar with the requirements, application procedures, and the qualification process. To give you an idea, below are all the basics you need to know about the Data Protection Trustmark:

Who is qualified to apply for the DPTM?

Any interested organisation recognised or formed under the laws of Singapore may apply for the DPTM. Residents and those with an office of business may also apply. Even organisations that are under investigation by the Personal Data Protection Commission (PDPC), or that have breached the PDPA, can apply.

Organisations that are under investigation or have breached the PDPA are required to comply with specific conditions, such as officially declaring all the investigations or breaches within the last two years before their DPTM application.

How can an organisation apply for DPTM?

The application is done online. Start by preparing your entity profile, then follow the instructions provided when submitting the required supporting documents. The organisation will also complete a self-assessment form. For a quotation of the assessment fee, the organisation can approach the IMDA-appointed Assessment Bodies (ABs).

After you have appointed the AB, you can submit the completed self-assessment form to the AB. The AB will arrange for an on-site verification for the organisation. Organisations have the option to rectify any non-compliance within 2 months (or another time frame agreed upon with the IMDA).

The AB will take care of submitting the completed assessment. The AB will also submit the report to the IMDA so that the IMDA can review it and decide whether to award the DPTM to the organisation.

The IMDA will inform the successful applicants and will have the organisation’s name included in the certified organisation listing. The organisation will also receive a welcome kit.

What will it take to achieve DPTM?

There are four key principles the DPTM self-assessment is based on:

  • Governance and Transparency
  • Management of Personal Data
  • Care of Personal Data
  • Individuals’ Rights

If an organisation is still not familiar with data protection and has yet to establish a baseline related to the Personal Data Protection Act (PDPA), it can get in touch with the PDPC’s data protection service providers for assistance. The final assessment will be done by the appointed Assessment Body.

The Assessment Body will function as an independent body and will assess the data protection practices of the organisation and determine if it conforms to the requirements set by the DPTM.

What will happen if there is a breach after a DPTM certification?

Organisations are discouraged from getting the DPTM certification because they have the impression that a post-certification breach might nullify their efforts. However, this is nothing more than a myth. It is highly likely that the PDPC will treat the DPTM certification as a mitigating factor.