Getting Your DPTM: Top Tips from an Assessor

“You won’t get DPTM certified if you’re simply complying with PDPA,” Baljit Singh, Head of Certification at Guardian Independent Certification said. He was addressing a roomful of attendees considering their journeys in attaining the Data Protection Trust Mark certification, at a talk organised by Straits Interactive on 4 October 2023. Guardian Independent Certification is one of the assessment bodies appointed by IMDA to assess organisations' alignment with DPTM requirements.

As the national gold standard for data protection, the DPTM brings with it numerous advantages for businesses. However, there could be some potential challenges to navigate.  So, what steps do organisations need to take to obtain the Data Protection Trust Mark?

Baljit offers some tips:

1. Start with a Committee:

   • Recognize that obtaining DPTM certification is a collective effort involving the entire organisation.

   • Secure buy-in from department heads and establish the scope, and clear objectives.

2. Engage a Trusted Consultant:

   • Seek guidance from experienced consultants like Straits Interactive.

   • Receive assistance in understanding requirements, stakeholder engagement, and the entire certification process.

3. Establish Your Data Protection Management Programme and Controls:

   • Define policies and practices to establish governance and assess risks.

   • Implement the Data Protection Management framework and align your processes accordingly.

4. Review, Update, Measure and Monitor:

   • Continually assess the effectiveness of your processes.

   • Regularly update documentation and measure, monitor, and review your procedures.

5. Conduct an Internal Audit:

   • Prior to seeking an external audit with the assessment body, conduct an internal audit.

   • Verify the functionality of your processes and consider engaging a trusted consultant to guide you through the process.

If you’re considering your organisation’s DPTM journey, click here to join us for an informative session on 2 November.

Three Vital Areas 

Baljit outlined three key criteria that assessors, like him, look out for:

1. Establish Data Protection Policies and Practices:

• Ensuring your data protection policies and practices are not only in place but also approved by senior management is crucial. 

• These policies should be effectively communicated and cascaded throughout the organisation. 

• Periodic reviews are necessary, with tailored policies for various stakeholders, such as employees, customers, and third-party vendors, depending on the amount of personal data collected.

2. Set up Queries, Complaints, and Dispute Resolution Process:

   • Ensure mechanisms are in place to handle queries about data usage.

   • Well-defined procedures for handling queries and complaints are essential. Individuals should have a clear and accessible way to submit queries about their data usage.

3. Identify Data Protection Risks:

• Data Protection Impact Assessments (DPIAs) are fundamental for every touchpoint that collects personal data. 

• This requires a comprehensive consideration of operational functions and business needs related to personal data. 

• The top management's commitment to the risk assessment process will is also important

Achieving DPTM certification is a significant organisational undertaking, with a thorough evaluation process. Engaging expert guidance, complying with best practices, and maintaining a commitment to data protection are pivotal in securing the certification.

If you’re considering your DPTM journey, join us at the next upcoming DPTM in-person talk on 2 November 2023, where you will have the chance to get answers to your questions. Indicate your interest here.

 If you’d like expert assistance about getting your DPTM, please contact us at sales@straitsinteractive.com.