On 9 January 2019, the Info-Communications Media Development Authority (IMDA) launched the Data Protection Trustmark (DPTM) Certification program. The DPTM is an enterprise-wide certification scheme administered by the IMDA, which uses independent assessment bodies to assess whether an organisation’s data protection practices conform to the DPTM requirements. The DPTM does not currently cater for product/service-level certification as originally anticipated in the IMDA's 2016 tender.
The DPTM scheme is open to organisations that are: (a) formed or recognized under the laws of Singapore; or (b) resident, or have an office or place of business, in Singapore. Therefore, Singapore companies as well as Singapore-based foreign companies may apply. Businesses with different ACRA numbers are considered separate entities, even if they belong to the same holding company: a separate application and a separate application fee will be required for each entity, even if they are part of the same corporate group. It may, however, be possible for the assessment body to be flexible when it conducts the assessment, to take into account shared/group-level policies and processes.
The DPTM Process
Organisations interested in the DPTM start the process by submitting an online application to the IMDA for approval to participate in the program and agreeing to the terms applicable to the DPTM scheme. The fee for submission is SGD 500 and the estimated timeframe for approval is 1 month. The application fee will be waived for SMEs (small and medium-sized enterprises) until 31 December 2019.
Upon approval, successful applicants receive a notification from the IMDA, along with a self-assessment form. Successful applicants may engage any one of the 3 appointed assessment bodies (ISOCert, Setsco Services and TUV SUD PSB) to perform the assessment. The assessment bodies will use criteria set by the IMDA in performing their assessment. The assessment will comprise documentary assessment as well as on-site assessment and interviews. The assessment body may also recommend remediation measures to assist the applicant in meeting the certification criteria before submitting its final assessment to the IMDA.
An overview of the requirements for DPTM certification is available on the IMDA's website at the link provided below. Further details of the assessment criteria are available to applicants in the self-assessment form provided after approval has been granted by the IMDA.
An assessment is estimated to cost between SGD 1,400 and SGD 10,000 and may take between 2 and 4 months, depending on the size of the organization and its state of readiness.
Upon completion, the assessment body will submit its assessment to the IMDA for its review and approval. Successful applicants will receive a DPTM certification which is valid for 3 years. Organisations should apply for recertification at least 6 months before expiry of their current certification.
Companies that satisfy the following criteria may apply for an Enterprise Development Grant from Enterprise Singapore to defray the costs of obtaining the DPTM:
- Be registered and operating in Singapore;
- Have a minimum of 30% local (i.e. Singapore) shareholding; and
- Be in a financially viable position to start and complete the DPTM certification.
Organisations that successfully obtain the DPTM certification may benefit in the following ways:
1. Assurance of their data protection regime
DPTM certification helps to provide validation of an organisation’s data protection regime. The certification may increase an organisation's data governance and protection standards, uncover potential weaknesses and enable the organisation to take steps to mitigate risks.
2. Increased Business Competitiveness
Obtaining DPTM certification demonstrates to customers that an organisation has robust data protection policies and practices in place to safeguard personal data. This may help strengthen the organisation's reputation, build trust and foster confidence in the business, raising its competitiveness both locally and overseas.
3. Ease of future recognition with APEC Cross-Border Privacy Rules (CBPR)
Singapore is participating in the CBPR, which is intended to facilitate cross-border transfer of personal data with other participating economies. The IMDA is concurrently exploring avenues for recognition of the DPTM certification with the CBPR. DPTM-certified companies may benefit from easier paths to recognition under the CBPR in future.
The other economies participating in the CBPR are USA, Canada, Australia, Mexico, Chinese Taipei, Japan and Republic of Korea.
Companies that are interested may find out more on IMDA's website or contact us for any further queries.
Organisations may wish to engage professional consultancy services prior to making a DPTM application as applicants will have to wait three months if their previous application for certification is rejected. The Personal Data Protection Commission (PDPC) provides a directory of data protection services available in Singapore.
The DPTM is administered by the IMDA and not the PDPC. Organisations that are under investigation by the PDPC, or that have been found to have breached the PDPA within the last 2 years, will have to make a self-declaration and submit a breach report to the IMDA.