The Data Protection Trustmark (DPTM) is a voluntary enterprise-wide certification for organizations to demonstrate accountable data protection practices. The DPTM will help businesses increase their competitive advantage and build trust with their customers and stakeholders. It is a certification that is issued by IMDA when organizations put in place a strict data protection regime to comply with the PDPA.
It is more important than ever for businesses to take the necessary steps to secure their data, as Covid drives businesses online and towards remote/hybrid working models. Client information is more commonly stored in digital format than ever, which means it is much easier for an insider threat to copy it and send it out of the organization, and much easier for malicious attackers in cyberspace to hack it. Even large companies are not spared from data breaches that have leaked thousands of sensitive customer records, resulting in reputational damage that may be hard to recover from.
Why use a vendor with Data Protection Trustmark (DPTM)?
No solution is 100% bulletproof, but organizations are expected to put forth their best efforts to ensure their sensitive data is always protected, and protection is only as good as the weakest link. Choosing a DPTM vendor could help you avoid trouble, especially when it comes to shared corporate services such as accounting firms and HR firms that handle highly confidential information about your company.
In order to achieve the DPTM, these organizations must go through stringent guidelines provided by IMDA to ensure accountability to customers, business partners and the regulator, and to show that they adopt responsible data protection practices to manage personal data.
How else can Data Protection Trustmark (DPTM) help me in event of a breach?
DPTM may also serve as a mitigating factor against enforcement action in the event of a data breach. The maximum penalty for data breaches will be increased to SGD1,000,000 or 10% of your company’s revenue, whichever is higher. However, if DPTM is achieved and the organization can prove that the data was leaked despite its best effort to follow protocol, it can help with getting an expedited enforcement decision and a more favorable outcome (as per the PDPC website).
It also opens doors to allow a certified organization to self-initiate remediation plans and resolve the breach. Under the Active Enforcement Framework, in the event of a data incident, organizations with accountable practices may consider the option of (a) an undertaking and/or (b) an expedited enforcement decision instead of a full investigation, under certain circumstances specified by PDPC.
Does my organization need the Data Protection Trustmark (DPTM)?
The Data Protection Trustmark is not compulsory but is something that we must work towards having. All organizations in Singapore, including sole proprietorships, must appoint at least 1 person as a data protection officer (DPO), to be responsible for ensuring that the organization complies with the PDPA. The DPO’s business contact number must also be made available to the public. Compliance with the PDPA remains the responsibility of the organization notwithstanding the appointment of the data protection officer.
The appointed person should have appropriate expertise and knowledge to ensure the organization complies with the PDPA and can develop a process to receive and respond to complaints with respect to the application of the PDPA.
If your organization deals with personal information that you collect from customers, especially their full names, contact numbers, addresses, and/or their National Registration Identity Card (NRIC) numbers, you should take extra steps to ensure you do not suffer a data breach due to negligence. Taking the steps towards getting the Data Protection Trustmark (DPTM) will help you learn about what needs to be done, establish a comprehensive protocol, and enforce it. Once the Data Protection Trustmark (DPTM) has been achieved, your customers can be assured that they are engaging someone whom they can trust with their personal data, the same way you can trust Data Protection Trustmark (DPTM) vendors.