Is DPTM Like an ISO Certification?
The Data Protection Trustmark (DPTM) is a voluntary, enterprise-wide certification that an organisation can use to demonstrate accountable data protection practices. Holding the Trustmark helps a business gain a competitive advantage and build trust with stakeholders and customers.
The DPTM is also the only organisational certification of its kind administered by the Infocomm Media Development Authority (IMDA). Its aim is to raise the data protection competencies of Singapore-based companies, and it is a recognised way of demonstrating that an organisation's data protection practices are sound.
An ISO certification, on the other hand, attests that a manufacturing process, management system, service or documentation procedure meets all the requirements of a particular ISO standard for quality assurance and standardisation. ISO (the International Organization for Standardization) is an independent, non-governmental international body. Note that ISO itself does not certify anyone: it publishes the standards, and certification is carried out by independent certification bodies that audit against them.
ISO develops standards intended to ensure the safety, efficiency, quality and consistency of products, services and systems. Each standard has its own criteria and is identified by a number; for data protection the most relevant are ISO/IEC 27001 (information security management systems) and ISO/IEC 27701 (privacy information management), so "ISO certified" on its own says nothing until the standard number is named.
DPTM Certification: Is It Difficult to Achieve?
DPTM demonstrates that an organisation has sound data protection practices in place, not merely plans to implement them. For that reason, certification is best treated as the final milestone of a roadmap that the organisation works through systematically. The roadmap has four phases: governance, baseline, implementation, and certification.
The governance phase involves establishing a Data Protection (DP) Office led by a Data Protection Officer (DPO); appointing a DPO is in any case a requirement under the Personal Data Protection Act (PDPA). This team should be competent and trained, should advise the organisation on personal data and the PDPA, and is collectively responsible for operationalising the practices the organisation needs in order to comply with the PDPA.
In the baseline phase, the organisation ensures that its actual practices are reflected in documented policies and procedures. The governance team achieves this by mapping the organisation's data flows and maintaining the relevant inventories (for example, of personal data held and of the systems and third parties that process it). The organisation also needs to take a risk-based approach to establishing its Data Protection Management Programme (DPMP).
In the implementation phase, the organisation needs to ensure that all employees understand, acknowledge and embody their PDPA obligations. By operationalising the documented policies and procedures for both internal and external parties, the organisation should be able to show, with evidence, that the DPMP is run consistently and with strong management support.
Once the organisation has properly completed the previous phases, it can proceed to the certification phase. The DPTM certification process involves the following six steps:
- DPTM registration and application (done through the IMDA website)
- Completion of the self-assessment form
- Appointment of the assessment body
- Conducting a desktop assessment
- Conducting a site audit
- Remediating (based on the assessment feedback)
Once the organisation has completed all six steps and remediated any findings from the assessment, it is awarded the DPTM certification. The certification is valid for three years, after which the organisation must be reassessed to retain it.
What to Do If You Need Some Assistance
Because the DPTM is a structured process, it can be difficult to attain if the organisation is not prepared. For that reason, organisations are advised to engage a data protection service provider. When choosing one, look for the following qualifications:
- Has been through the process itself and holds DPTM certification
- Delivers its professional services through staff holding the Fellow of Information Privacy (FIP) designation
- Has testimonials and reviews from previous clients
Even after you have selected a data protection service provider, review its approach thoroughly. The following three signs indicate that the DPTM project needs to be re-examined:
- The service provider relies too heavily on templated documentation rather than documenting your organisation's actual practices
- The service provider has minimal implementation experience
- The service provider proposes only cybersecurity-related services, even though the DPTM assesses data protection governance and processes, not just technical controls