What is Singapore’s New Data Protection Trustmark Certification (DPTM) All About?
In a heavily publicized case, personal information of more than 1.5 million patients of SingHealth was stolen in a massive cyber attack on 21 July 2018. A few days later, on 25 July, the Singapore government announced the Data Protection Trustmark (DPTM) scheme, under which Singapore-based firms will be able to get officially certified for their data protection measures. The certification will assure clients or consumers that their personal data is being securely handled. So what exactly are the DPTM certification requirements and why might it concern your company?
The Assessment Process
Depending on the company’s choice, one of the three following assessment agencies will be assessing the company’s data protection practice: ISOCert, Setsco Services, or TUV SUD PSB. The company will be judged based on four principles developed by the Personal Data Protection Commission (PDPC): governance and transparency, management of personal data, care of personal data, and individuals’ rights. Each principle has a few components, as set out in the overview of certification requirements published with the government’s official announcement on 25 July. Details of the components can be found here:
Overview of DPTM Cert Controls
The PDPC will further refine these assessment requirements based on feedback the Commission receives during the pilot program, which will last until the official DPTM scheme launches at the end of this year. Currently, eight companies, including DBS Bank, RedMart, and Singtel, have signed up to be a part of the pilot.
The assessment requirements are also said to incorporate principles in the APEC Privacy Framework and OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This means that if your company hopes to attain other data protection certificates in the Asia-Pacific region after attaining the DPTM certificate, having the DPTM will facilitate that process. The DPTM alone, however, is a local certificate, only applicable to Singapore-based firms and recognized within Singapore.
The Cost, Timeline, and Effective Duration
Prior to the certificate’s official launch in 2018, companies can apply to participate in the pilot. There are two reasons why your company might consider doing so. First, if your company passes the assessment, it could attain the DPTM earlier. The certificate will remain effective after the pilot period, giving your company a competitive edge over others in your industry who might be late to the assessment process. Second, it potentially gives your company a chance to shape the official DPTM assessment requirements. If your company wishes to sign up to be in the pilot, it must do so before 30 September 2018. Find out how to apply here.
The DPTM logo lasts for three years, and the company will need to reapply after the logo expires. The assessment fee will range from $1,400 to $10,000, excluding GST, depending on the size of your organization.
Do Singaporean Consumers Actually Care?
The scale and impact of SingHealth’s recent personal data leak have likely heightened Singaporeans’ awareness of how important personal data protection is. On top of that, in a survey of 1,500 consumers conducted by the PDPC from February to March 2018, four out of five consumers indicated that organizations should have strong data protection policies and practices if they want to collect consumers’ personal information. Two-thirds of the survey’s respondents also indicated that they favor organizations with sound data protection practices.
Given all of these factors, the new DPTM scheme will be very relevant for your company if it collects personal information from customers.