3 Reasons Why the Singapore IMDA’s Data Protection Trustmark Can Be Quicksand and How You Can Avoid Being Stuck

2021-05-20

The Data Protection Trustmark (DPTM) was launched in January 2019 and, to date, 45 organisations have been awarded the DPTM. I have met over 100 companies that indicated an interest in attaining this prestigious certification – some have even gone on to enhance their Data Protection Management Programme (DPMP) – and most of them are still on the journey towards attaining the DPTM.

In this article, I will summarise three reasons why organisations may get stuck in this quest and offer three tips on how to break free of the mire.


Reason #1: No sound and operational DPMP in place

We have said over the years that organisations aspiring to the DPTM must first have a sound and operational DPMP in place. That is to say, they must have formed a competent Data Protection (DP) team to construct a strong baseline, and must have implemented the DPMP based on a best-practice framework.

As part of the DPMP, organisations are expected to be able to provide evidence of implementation, demonstrated through relevant documents such as policies, Standard Operating Procedures (SOPs) and training records. This evidence is crucial in the first phase of the DPTM assessment (conducted by the assessment body), also referred to as the Desktop Assessment, in which an organisation completes and submits the Self-Assessment Form (SAF) with its answers and supporting evidence. IMDA’s DPTM information kit gives an overview of the four principles on which the DPTM is based. If you can answer “yes” to all the questions and substantiate each answer with evidence, that is an indication that you are ready for the DPTM assessment. Otherwise, you should review and enhance your DPMP accordingly before applying.

Reason #2: Mismatch between expectations of the DPO and the level of support given to the DPO

While your Data Protection Officer (DPO) is particularly important to the success of your DPMP (and hence your DPTM journey), what is probably more important is the support provided to the DPO. The DPO is tasked with overseeing your DPMP, but the DPO alone cannot implement the programme. This is reinforced in PDPC’s Guide to Developing a Data Protection Management Programme. As the DPTM assessment is an organisation-wide assessment, management must ensure that the various business process owners, those who own the processes involving the collection, use, disclosure and storage of personal data (of both internal and external stakeholders), form the DP team. Departments that process personal data “by default” typically include IT, human resources, B2C marketing, B2C sales, customer care/customer service and facilities/admin (for the handling of multi-function copiers or CCTV, where relevant).

As DPTM Assessment Principle 3 covers Care of Personal Data (which includes the Protection obligation), all information systems (such as websites or databases), office IT networks and employees’ laptops fall within the scope of assessment. The IT department will therefore almost always be within the scope of assessment, regardless of how little personal data it handles for its own business purposes.

In addition, these department representatives are typically interviewed

