Strategies for DPTM Success: Insights from a DPO of a Twice-certified Company

By Quan Cheng Ng, 

In the age of digitalisation and rising data breaches, investing in data protection is paramount to organisations building consumer trust and standing out from your competitors. Achieving a Data Protection Trustmark (DPTM) certification in Singapore is a testament to an organisation’s commitment to data protection. 

Earlier this year, we got re-certified for our DPTM. Today, we're privileged to hear from our very own Head of IT and Data Protection Officer, Quan Cheng Ng, who shares key insights from our DPTM certification experience both times. 

    Q: Is it just the DPO who is involved in the DPTM audit? Who else should be involved?

An organisation’s DPTM certification process, be it the first time or the second, cannot be driven by just the DPO - department heads need to be engaged to form a working Data Protection Committee. The auditor will likely call on departments that process significant personal data for interviews, so it is imperative that these stakeholders are involved in the conversation and aligned on corporate data protection practices and policies. The auditor checks for consistency in the rollout of Data Protection practices across the company, so this is important for demonstrating a coordinated effort within the organisation when it comes to upholding compliance in personal data protection and governance.  

    Q: How would going through the DPTM certification help a company evaluate their processes and what are some of the key benefits you would highlight for organisations interested in DPTM?

Speaking from our own experience of going through certification twice, the DPTM exercise helped us to gain clarity of the organisational processes and owners of data, such that each department was able to arrive at risk assessments specific to them and draw up policies within their scope of operations and responsibility. 

Different departments that interact with the same type of personal data may share similar risks and therefore, create similar controls that duplicate efforts and costs. By identifying these common risks, we were able to save duplication and effort with good Risk Management practices. This was done by having a formalised method for documenting risks and assessments with actionable Risk Registers that enables a DPO like me to aggregate duplicate risks and recommend common controls. In our case, the Risk Register was linked to controls and processes in our data protection management tool, DPOinBOX, so it was more easily managed and saved weeks of manual labour. This saved up to 50% of time for the department heads as I could help formulate corporate controls and policies on behalf of multiple departments.

Recommendation: Implement remote monitoring and management system on all staff laptops

The DPTM exercise also helped our department heads improve their third-party due diligence for more accurate assessment at appropriate levels of risk. Many companies use a one-size-fits-all questionnaire for third-party vendors. This frustrates the small procurement process and vendors as the information asked for may be too onerous or irrelevant. Smaller vendors may answer Not Applicable or Non Compliant for many of such fields, and is seen as a red flag to auditors if you accept them. We were able to help our departments tailor their due diligence to the complexity of data processing activities, ensuring vendors meet necessary data protection requirements commensurating with the project size and sensitivity.

    Q: What are some of the mistakes most would fall into during their DPTM process?

There are a couple of potential potholes along an organisation’s DPTM journey, but there are 3 key areas that come to mind immediately:

• Lack of granularity in the execution of the Data Protection Management Programme (DPMP). Companies may overlook processes that cross departments and lump various departments into one business process. So it is important to break down your DPMP into granular steps to ensure thorough implementation. These allow for controls and policies that are relevant and more likely to be implemented and followed.
• Missing out on Data Protection Impact Assessments (DPIAs), a critical component in the DPTM audit that often catches organisations by surprise. In an evolving digital landscape, you need to demonstrate you have performed a DPIA for every new process or technology that interacts with personal data. 
• Not having a robust Data Breach Management Plan that takes into account the latest Data Breach Notification Obligation (2021). While a Data Breach Management Plan has been required since the introduction of the DPTM in 2019, amendments to the Personal Data Protection Act (PDPA) in 2021 has made it mandatory to report a data breach to the Personal Data Protection Commision (PDPC) within 72 hours of determining that it is notifiable (i.e. Significant Harm to Affected Individuals or Significant Scale). Many have not updated their DPMP to include this and as such, rollouts of poorly planned Data Breach Management Plans will fail in this tightened law. The auditor will require you to have a well-implemented and tested Data Breach Management Plan, supplemented with regular tabletop simulations that are documented. PDPC has a CARE framework for breach responses, which we have adopted ourselves.

If you’re enjoying this interview, download a handy guide we’ve put together on the 10 Tips to Nail Your DPTM Certification to keep today’s insights in the back of your pocket!

    Q: What are some baseline practices that we had in place that accelerated our recertification?

As mentioned earlier, a systemised and automated tool such as DPOinBOX has helped us oversee the lifecycle of our Data Protection Management Programme (DPMP). Documenting one’s Data Inventory Map or Process Map involves multiple stakeholders, heavy databases and doing it in traditional spreadsheets becomes unwieldy when you need to update them and produce them in an audit. We were able to track decisions made, communication points and audits. And by systemising and optimising our DPIA, we cut down time spent in DPIA meetings by 80%. An automated system has made it easy to update one’s Data Breach Management Plan to meet the requirements of the Data Breach Notification obligation too.

The auditor will check for regular management reviews, and it helped that we already practised delivering monthly DPO reports to the management, which covers new risks and recommendations. Our reports had clear metrics of risks and links to controls that allowed for efficient identification of gaps in our data protection measures, saving time and effort on reporting and speeds up approvals by 50%. 

We also created a library of Standard Operating Procedures (SOPs) for running our DPMP to maintain consistency in execution. It is common for SOPs to involve multiple departments but it is also a common mistake for these to be isolated or siloed. As such, it is important that these SOPs are visible to those who are actually running the processes.

Last but not least, we had systemised and codified the capabilities and processes of a DPO in alignment with the standards of the DPTM in our Capabara Capability Management System. This enables anyone enrolled into the Data Protection team to operate the tasks in the DPMP to a high degree of success and it’s documented for the next person to take over easily if needed. And since getting the management’s buy-in to sign off on a policy needs to be supported by documented events that necessitate that policy, having these things systemised helps us do this.

    Q: What do the assessment bodies consider in their evaluation of a company?

Assessment bodies are always seeking for evidence and documentation of a company’s DPMP, and indicators of Governance and Accountability in one's policies, processes, SOPs, and third-party due diligence. If you are engaging one, prepare to answer inquiries about the number of departments handling personal data, quantity of data subjects, processes, data transfers, and more. You can join us on 2 November 2023 for an upcoming industry talk on the DPTM. We’ve invited an Assessment Body, Baljit Singh from GICG, and a cybersecurity expert, Dave Gurbani from CyberSafe, to speak on essential elements of a successful DPTM assessment. Catch the event teaser to get a taste of what's coming up!

Hear our speakers share more. Or read about the top insights shared by Baljit Singh at our last event.

The journey to certification isn’t easy, but it can be done collectively. Take it from Baljit, who concluded our previous industry talk on the following final word:

The most important thing is, if you are going on this journey, make sure that you're committed. And make sure you choose the right people to go on this journey with, be it your internal team or an external consultant. Get top management buy-in, build a committee and do it together. 

This article was first published on The Governance Age on 16 October 2023.