What is the DPTM?

2020-03-18
banner

The Info-comm Media Development Authority of Singapore (IMDA) launched the Data Protection Trustmark Certification (DPTM) earlier this year to help increase the standard of data protection practices within organisations in Singapore.

Now, companies* can apply for the DPTM if they wish to sharpen their existing data protection practices and policies qualifications. Having attained the DPTM will act as a positive testament of the company’s reliable data protection practices.

IMDA rolled out the DPTM with the following objectives:

  1. for organisations to demonstrate sound and accountable data protection practices;
  2. to enhance and promote consistency in data protection standards across all sectors;
  3. to provide a competitive advantage for businesses that are certified; and
  4. to boost consumer confidence in organisations’ management of personal data.

(Source: https://www.imda.gov.sg/dptm)

After having spoken with a few Data Protection Officers (DPOs), there were three main reasons why one might pursue the DPTM for his/her organisation:

  1. To set a standard in preparation of a regional compliance programme
  2. To act as a competitive advantage in tender considerations
  3. To aim towards a high level of data protection excellence as a trusted organisation

Despite its clear benefits, many organisations are unclear about and unfamiliar with, the qualification process, requirements and application procedures.

We have thus summarised and broken it down into clear, palatable segments. We hope that it will relieve some of the anxiety that your organisation might have about the certification process.

Who can apply for the DPTM?

Any interested organisation formed or recognised under the laws of Singapore, or, resident or having an office of business, in Singapore, and in any case, not a public agency may apply for the DPTM.

This even extends to organisations previously found to have breached the PDPA or are undergoing investigations by the PDPC. Such parties may apply for the DPTM as long as they comply with specific conditions, such as making an official declaration of all the breaches or investigations within the last two years prior to the date of application for the DPTM.

How might an organisation apply for the DPTM?

Application is done online by preparing the Entity Profile and following the instructions given in submitting any relevant supporting documents. Next, the organisation will be given a self-assessment form to complete. The organisation can then approach the IMDA-appointed Assessment Bodies (ABs) for a quotation for their assessment fees. Once the organisation has appointed the AB, the organisation can then submit the completed self-assessment form to its appointed AB. The AB will then arrange with the organisation for an on-site verification.

The organisation has the opportunity to do remediation work by rectifying any non-compliance items within 2 months or a timeframe that is agreed by IMDA. The AB will follow up to complete the assessment and submit the assessment report to IMDA for review and for its decision whether to award the DPTM to the organisation. Successful applicants will be informed by IMDA and will have its name reflected in the certified organisation listing and issued a welcome kit to the organisation.

What does it take to achieve the DPTM?

The DPTM self-assessment is based on four principles:

  1. Governance and Transparency
  2. Management of Personal Data
  3. Care of Personal Data
  4. Individuals’ Rights

If your organisation is new to Data Protection and has not established a baseline in relation to the Personal Data Protection Act (PDPA), you may wish to contact the PDPC’s list of Data Protection Service Providers for assistance to prepare for DPTM readiness.  With all the preparation, the final assessment on the award of DPTM is conducted by the appointed Assessment Body. The Assessment Body (AB) acts as an independent body to assess the organisation's data protection practices if it conform to the DPTM requirements. 

Click here to find out about eligibility to apply for DPTM.


Is there any financial assistance for organisations to work towards the DPTM?

Fortunately, there are two pieces of good news. The application fee for DPTM is waived for SMEs** and NPOs*** until 31 December 2019. Moreover, SMEs can leverage on the Enterprise Development Grant (EDG) while Social Service Organisations (SSOs) can seek support from the National Council of Social Services (NCSS) under the NCSS Organisational Development Grant (ODG) for some of the costs associated with the DPTM certification.

Moreover, Singapore Management University (SMU) Academy also offers a public course called Advanced Data Protection Techniques: Data Protection by Design, DPIA & DPTM, run jointly with Straits Interactive. Participants will learn the key principles and implementation for Data Protection by Design in various scenarios including Data Protection Trust Mark (DPTM) considerations and principles.

Singapore Citizens or Singapore Permanent Residents are eligible for 70% course fee funding (excluding GST) for successful enrollment into approved courses under the Programme. This funding is applicable to both individual and company sponsored participants*. Singapore Citizens aged 40 and above will enjoy 90% course fee funding (excluding GST).

This is an excellent course towards DPTM readiness and it is available for any participant to sign up. There is also a dedicated in-house programme for organisations that send at least 10 participants, with the objective of attaining the DPTM certification. This will include the same course curriculum but will also include DPTM consultancy. It will cost as little as $4,000 - $5,000 after SSG funding. Click here to find out more about the course and contact SMU Academy if you are interested in its in-house corporate DPTM programme.

This translates to an extremely favourable condition in Singapore whereby companies have unprecedented support to work towards the DPTM. Hence, companies in Singapore should act fast to leverage on this initiative to build a competitive edge with the DPTM.

What happens if there is a breach after my organisation achieves the DPTM certification?

Companies are often discouraged from going for the DPTM certification as they are concerned if a breach happens during post-certification period which will nullify their efforts. This is in fact a myth. The opposite is true. The PDPC will likely look at the DPTM certification as a mitigating factor.

Hear from DPOs who have guided their organisations through the DPTM journey

It can be particularly illuminating to hear the experiences of those who have walked the journey. DPOs will have a rare opportunity to hear these experiences first-hand at the upcoming Data Protection Excellence (DPEX) Network Forum 2019, which will be held from 11 to 12 June 2019. More information can be found here. Do note that participants who are Singaporeans or Permanent Residents may avail themselves to a separate funding$ of up to 90% for the Data Protection, Data Security & Data Sharing Masterclass which grants complimentary access to the DPEX Network Forum 2019.


With a wealth of resources and support cushioning the certification process, the DPTM is more feasible than you think. * The word ‘organisations’ and ‘companies’ is used interchangeably in this article. ** SMEs are defined as (i) companies with at least 30% local shareholding; AND (ii) group annual sales turnover of not more than $100 million or group employment size of not more than 200 employees. (Source: Enterprise Singapore) ** Non-Profit Organisations (NPOs) refer to Voluntary Welfare Organisation (VWOs), Non-Governmental Organisations (NGOs) and Societies. $ Terms and Conditions apply.



Article contributed by  Loke Qian Li CIPP/A, CIPM, FIP. GRCP


Click here to find out how to start on the DPTM



Just one more step! We've sent an email to .
Please check your inbox or spam and open it to activate your account.

Topics
Related Articles