Get Your Organization’s Data Protection Trustmark Out of the Quicksand with These 3 Tips
The Data Protection Trustmark (DPTM) was first launched in January of 2019. As of 2020, at least 45 organizations have been awarded the DPTM. Understandably, many organizations and companies have shown interest in obtaining the Data Protection Trustmark (DPTM).
Some companies have even gone the extra mile by enhancing their Data Protection Management Programme (DPMP) just to attain the prestigious certification. However, there are three possible reasons why organizations can get stuck in their quest to attain the DPTM and how they can get out of the quicksand.
They have no operational and sound DPMP in place.
Organizations that are aspiring to attain the DPTM need to ensure that they have an operational and sensible DPMP in place. That said, they need to also have a competent Data Protection (DP) team that can help them establish a strong baseline and implement the DPMP based on a best practices framework.
As part of their DPMP, companies and organizations are expected to show proof of implementation. This can be demonstrated using relevant documents like training records, Standard Operating Procedures (SOPs), and policies. These are critical during the first phase of the DPTM assessment.
In IMDA’s DPTM information kit, you can see an overview of the four important principles the DPTM is based on. If you can substantiate and provide evidence, it is a good indication that you are ready for our DPTM assessment. If not, consider reviewing and enhancing your DPMP accordingly.
Mismatch between the level of support DPOs are getting and their expectations.
While having a Data Protection Officer (DPO) is key to the success of the organization’s DPMP, equally as important is the support the DPO gets. The DPO is tasked to oversee the DPMP but they cannot implement the programme alone. The management needs to ensure that the various business process owners are part of the DP team.
By default, personal data processing departments can include human resources, B2C marketing, customer care/customer service, office IT networks, facilities/admin, etc. Also, since the DPTM assessment principle will cover the care of personal data, all information systems, office IT networks, and even laptops of the employees will be assessed.
During a DPTM site audit, representatives of the default departments will be interviewed. They are expected to show a good level of understanding and ability to integrate DP principles in their scope of work. Senior management support will also be key and will be evaluated as part of the DPTM assessment.
Outsourcing without any baseline.
For those who are exploring outsourcing DPOs, it is recommended that you define their scope of work very clearly. There are 3 danger signs when you outsource your DPO:
- The outsourced party can offer to draw up or review the SOPs and policies without referencing your data flows and data inventory.
- The proposal might be based on bit-part components of a DPMP.
- It can be overly focused on handling data subject access requests/complaints.
Three Tips to Help You Attain DPTM
Work with a certified consultant.
Ideally, you need to work with certified consultants with prior operational experience in implementing DPMP. It is also important that you know how to properly evaluate a consultant. Start by looking for the international certification Fellow of Information Privacy (FIP), provided by the International Association of Privacy Professionals.
Make sure you enable your team.
If you belong to the senior management team, ensure you provide your DP team with relevant support in the form of professional training. You also need to ensure there is a direct communication channel to you through your DPO. Make sure you also schedule regular updates with your DP team to identify risks and provide support.
Ensure your DPMP is updated.
Since the privacy landscape is constantly evolving, you need to have a system that monitors the changes (i.e., the latest PDPA amendments). For a lean DP team, this can be a steep learning curve so joining data protection communities like DPEX is recommended.