SHOW ME YOUR BADGE: DATA PROTECTION TRUSTMARK CERTIFICATION

With the increasing number of data breaches, consumers may become more hesitant to entrust their personal data to organisations. The Data Protection (“DP”) Trustmark aims to alleviate some of the consumers’ concerns relating to the collection of their personal data by providing consumers with assurance that an organisation adopts appropriate data protection measures.
Introduction
The DP Trustmark is a voluntary certification introduced by the Personal Data Protection Commission (“PDPC”) together with the Info-Communications Media Development Authority (“IMDA”).
The DP Trustmark is awarded to organisations which have implemented data protection policies that are compliant with the Personal Data Protection Act (“PDPA”).[1]
“The Government has put in place trustmark certifications to help companies better identify IT vendors with strong data and cyber security practices. The Data Protection Trustmark (DPTM), overseen by the Infocomm Media Development Authority (IMDA), recognises companies with sound policies and practices to protect the personal data they manage and use it responsibly.”
-Mrs Josephine Teo, Measures to ensure companies engage licensed IT vendors to minimise risk of data breaches and leaks
Significance
A DP Trustmark works as a visible indicator that an organisation has implemented PDPA-compliant data protection policies. This can increase an organisation’s competitive advantage as it helps boost consumers’ confidence in an organisation’s personal data management by providing assurance that an organisation is adopting PDPA-compliant data protection measures to safeguard the collected personal data.[2]
A survey conducted by The Nielsen Company revealed that 2 in 3 consumers prefer to buy from a company with a DP Trustmark. Similarly, 4 in 5 businesses prefer to work with a company that has a DP Trustmark.[3]
Further, the DP Trustmark can serve as a mitigating factor in the event of a data breach, as it shows that an organisation has implemented accountable data protection policies.[4]
An organisation with a DP Trustmark would also be able to enjoy quicker application processing for cyber insurance, as the DP Trustmark serves as evidence that an organisation has PDPA-compliant data protection policies.[5]
Application process
So long as an organisation is recognised under the laws of Singapore or has a place of business in Singapore, and is not a public agency, the organisation would be able to apply for a DP Trustmark.[6]
An application fee is payable when an organisation applies online at the IMDA website for a DP Trustmark certification. It takes around two to four weeks for IMDA to process the application.
Once the application is accepted, the organisation can select one out of the seven approved Assessment Bodies to assess its data protection policy. The Assessment Body engaged as well as the size of an organisation will affect the amount of assessment fee payable.
The assessment stage takes approximately two to three months. During the assessment stage, the Assessment Body will conduct documentation reviews, on-site assessment and remediation (if required). A report would be generated at the end of the assessment stage to be submitted to IMDA. IMDA would award the DP Trustmark after reviewing the report.
The DP Trustmark is valid for three years, after which the organisation has to apply for re-certification at least six months before the expiry of the DP Trustmark.[7]
Certification Requirements
There are four overarching principles governing the DP Trustmark certification:
- Governance and Transparency
- Management of Personal Data
- Care of Personal Data
- Individual’s Rights
Under the first principle of governance and transparency, an organisation should have implemented appropriate data protection policies to manage personal data and these policies should be communicated to the various stakeholders such as employees, consumers and external vendors. For instance, an organisation should have an internal data protection policy for its employees which is annexed to the employment form and signed by the employees. For external vendors, an organisation should have agreements relating to the management of the organisation’s personal data which are annexed to the main contract.[8]
Under the second principle of management of personal data, an organisation should have policies in place relating to obtaining consent from individuals to collect, use and disclose personal data. For instance, an organisation should have documented procedures in place to obtain consent from individuals for the use of their personal data. An organisation should also have a Data Inventory Map to track the flow of personal data within the organisation to ensure that personal data is collected and used only for the purposes for which it was collected.[9]
Under the third principle of care of personal data, an organisation should ensure appropriate information security, retention, disposal, accuracy and completeness of personal data. For instance, an organisation should have appropriate data protection measures to prevent unauthorised access, collection and use of personal data in its possession. An organisation should also have data retention and disposal policies for the personal data in its possession.[10]
Under the fourth principle of individual’s rights, an organisation should have in place policies relating to the withdrawal of consent, access and correction of personal data by individuals. For instance, an organisation should communicate to individuals how they can request access to or correction of their personal data. An organisation should also keep a record of such requests.[11]
“As part of advancing the digital economy strategy to allow Singapore to stand out as a trusted data hub with a well-developed data ecosystem that supports competition and innovation as well as the cross-border flow of data, the PDPD has developed the DP Trustmark Certification to help organisations verify their conformity to personal data protection standards and best practices.”
-Call for Assessment Bodies for DP Trustmark Certification (14 Mar 2018)
Conclusion
With the globalised flow of data and information today, it is imperative for organisations to adopt robust data protection measures so that consumers can be assured when providing their personal data to the organisation. In this respect, the DP Trustmark is the gold standard an organisation can seek to achieve when it comes to the handling of personal data.
References
[1] Infocomm Media Development Authority, “Data Protection Trustmark Certification” < https://www.imda.gov.sg/how-we-can-help/data-protection-trustmark-certification > (accessed 24 May 2024)
[2] Infocomm Media Development Authority, “Data Protection Trustmark Certification: Recognising Organisations’ Transition From Compliance To Accountability”, page 3.
[3] Id, page 6.
[4] Personal Data Protection Commission Singapore, “Data Protection Trustmark” < https://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-protection-trustmark > (accessed 24 May 2024)
[5] Supra n 1.
[6] Ibid.
[7] Supra n 2, page 10.
[8] Infocomm Media Development Authority, “Overview of Certification Requirement” < https://www.imda.gov.sg/-/media/imda/files/programme/dptm/overview-of-dptm-cert-controls.pdf > (accessed 24 May 2024)
[9] Ibid.
[10] Ibid.
[11] Ibid.
At Infinity Legal LLC, we provide assistance and guidance to organisations in their DP Trustmark application journey.
© Infinity Legal LLC 2024
Infinity Legal LLC thanks and acknowledges Interns Valencia Wan for their contribution to this article.
[Last Updated: 28 May 2024, 4:35 pm]