3 Reasons why the Singapore IMDA’s Data Protection Trustmark can be a Quicksand and How You Can Avoid Being Stuck

2021-05-20

The Data Protection Trustmark (DPTM) was launched in January 2019 and to date, 45 organisations have been awarded the DPTM. I have met over 100 companies that indicated an interest in attaining this prestigious certification – some have even gone on to enhance their Data Protection Management Programme (DPMP) – and most of them are still on the journey towards attaining the DPTM.

In this article, I will summarise three reasons why organisations may get stuck in this quest and offer three tips on how to break free of the mire.


Reason #1: No sound and operational DPMP in place

We have shared over the years that organisations aspiring toward the DPTM must ensure that they have a sound and operational DPMP in place. That is to say, they have formed a competent Data Protection (DP) team to construct a strong baseline and have implemented the DPMP based on a best practices framework.

As part of the DPMP, organisations are expected to be able to provide evidence of implementation which can be demonstrated through relevant documents such as policies, Standard Operating Procedures (SOPs) and training records. These will be crucial in the first phase of the DPTM assessment (by the assessment body), also referred to as the Desktop Assessment where an organisation completes and submits the Self-Assessment Form (SAF) with its answers and supporting evidence. In IMDA’s DPTM information kit, you can find an overview of the four principles that the DPTM is based on. If you can answer “yes” and substantiate with evidence to all the questions, it is an indication that you are ready for the DPTM assessment. Otherwise, you should review and enhance your DPMP accordingly.

Reason #2: Mismatch between expectations of a DPO and level of support for DPO

While your Data Protection Officer (DPO) is particularly important to the success of your DPMP (and hence your DPTM journey), the support provided to the DPO is probably more important still. The DPO is tasked to oversee your DPMP, but the DPO alone cannot implement the programme; the PDPC’s Guide to Developing a Data Protection Management Programme makes the same point. Because the DPTM assessment is organisation-wide, management must ensure that the business process owners who own the processes involving the collection, use, disclosure and storage of personal data (of both internal and external stakeholders) form the DP team. Departments that process personal data “by default” typically include human resources, B2C marketing, B2C sales, customer care/customer service, and facilities/admin (for the handling of multi-function copiers or CCTV, where relevant). As DPTM Assessment Principle 3 covers Care of Personal Data (which includes the Protection Obligation), all information systems (such as websites or databases), office IT networks and employees’ laptops fall within the scope of assessment; the IT department is therefore another department that will typically be part of the scope of assessment.

In addition, these department representatives are typically interviewed during the DPTM site audit and are expected to demonstrate a reasonable understanding of DP principles and the ability to apply them to their own scope of work. On top of this, senior management support is key to pushing through the improvement measures needed to enhance the organisation’s data protection capabilities, which are evaluated as part of the DPTM assessment.

In spite of this, I still observe that a possibly significant number of organisations do not provide an adequate level of support to their DPOs, which has probably delayed their DPTM aspirations.

Reason #3: Outsourcing without a Baseline

Over the past six months, I have observed an increase in demand for outsourced DPOs, or as some would (incorrectly) term it, Data-Protection-as-a-Service. Do note that if you are exploring this option, you must define the scope very clearly. Of the cases I have come across, here are THREE danger signs of an outsourcing proposal:

  1. The outsourced party offers to draw up/review policies and SOPs without referencing your data inventory and data flows.
  2. The proposal is based on bit-part components of a DPMP.
  3. It is overly focused on conducting training and handling data subject access requests (DSAR)/complaints.

You would have noticed that all three signs show an obvious lack of focus towards building up your baseline to ensure that the DPMP is sound and relevant. In turn, this may result in a delay to your DPTM plans.


So, what now?

Don’t worry if one or more of the three points apply to you, because that does not mean the DPTM is beyond reach. On the contrary, you may just have to do some minor tweaks to get your programme back on track. Here are three ‘Es’ for you on how to do so!


Tip #1: Engage a certified consultant

The DPTM has a strong focus on implementation of the DPMP. Thus, you should seek help from certified consultants who have prior operational experience in implementing a DPMP. With the increase in the number of firms offering DP consulting services, it has become increasingly important to know how to evaluate a consultant. One international certification you can look out for is the Fellow of Information Privacy (FIP) administered by the International Association of Privacy Professionals (IAPP). According to the IAPP, a criterion for FIPs is for the consultant to have gained “considerable on-the-job experience as you’ve helped your organization navigate through and remain current with the complexities of our dynamic industry.”

Other certifications such as the Practitioner’s Certificate, Certified Information Privacy Manager (CIPM) and Certified Information Privacy Professional (CIPP) indicate knowledge and understanding of data protection, but do not necessarily indicate considerable on-the-job experience.

For organisations working towards the DPTM, it may also be advantageous to explore working with a DPTM-certified consultancy firm such as Straits Interactive.

Tip #2: Enable your DP team

If you are part of the senior management team, consider providing relevant support to your DP team, in the form of professional training for the DPO and DP team members. Another practical way is to ensure a direct channel of communication from your DPO to you, and to be involved in the DP meetings. Schedule regular updates by your DP team, especially on the data protection related risks that they have identified and that require your support.

Tip #3: Ensure your DPMP is up-to-date

As technology advances, the privacy landscape keeps changing with it. Therefore, your organisation must have a system to monitor changes such as the recent amendments to the PDPA, which have been factored into the 17 February version of the DPTM checklist. This can be a rather steep learning curve for a lean DP team, so you may wish to subscribe to the PDPC’s DPO Connect Newsletter and join data protection communities such as the Data Protection Excellence (DPEX) Network.


There you go! With these tips, avoid the potential potholes and turbocharge your team towards attaining the DPTM.



Article By Loke Qian Li (FIP, CIPM, CIPT, CIPP/A)
