The Data Protection Trustmark (DPTM) is the only organisational certification administered by the Infocomm Media Development Authority (IMDA) with the aim of improving data protection competencies within Singapore-based companies. DPTM is a highly recognised means to demonstrate that an organisation has sound data protection practices in place. Although the certification was launched in 2018, only 60 companies have been DPTM certified at the time of writing.
DPTM demonstrates that the organisation has sound data protection practices already in place and not that it has plans to implement these practices. In other words, it can be considered as part of a roadmap that can be systematically achieved by organisations. The roadmap consists of four phases - Governance, Baseline, Implementation and Certification.
Learn about three reasons why organisations get stuck in their quest for DPTM certification - and find out the three tips to overcome these obstacles.
Governance:
This phase involves forming a Data Protection (DP) Office led by the Data Protection Officer (DPO). This team should be trained and competent in providing advice in relation to personal data and the Personal Data Protection Act (PDPA), and will be collectively responsible for operationalising the organisation’s practices to comply with the PDPA.
Baseline:
An organisation needs to ensure that its practices are reflected in the documented policies and procedures, which can be achieved by having the governance team map the relevant inventories and data flows within the organisation. In addition, organisations should adopt a risk-based approach towards establishing their Data Protection Management Programme (DPMP).
Implementation:
In this next phase, the organisation must ensure that all employees understand, acknowledge and embody the spirit of its PDPA posture. Through the operationalisation of its documented policies and procedures for both internal and external parties, the organisation should be ready to demonstrate with evidence that its DPMP is being run on an ongoing basis with strong management support.
Certification:
When the organisation is ready with the previous phases adequately implemented, it can pursue the DPTM certification process. This involves six steps:
An organisation that has completed this process will be awarded the DPTM certification.
The DPTM is a structured process and it will be difficult to attain if the organisation has not prepared accordingly.
It is recommended for organisations to select data protection service providers that:
Once the organisation has selected its data protection service providers, it is also vital to review the process consistently. Here are three signs that your organisation should review the DPTM project carefully:
Straits Interactive is a DPTM-certified Data Protection Service Provider (DPSP).
Article by:
Loke Qian Li (FIP, CIPM, CIPP/E, CIPP/A, GRCP)
-----
Qian Li was a practising Data Protection Officer before joining Straits Interactive. He has assisted companies along the entire journey towards attaining the DPTM. He currently leads the Fellows of Information Privacy (FIP) Affinity Group globally.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.
DPEX Network is a Community Initiative of Straits Interactive.