What it means to get a Data Protection Trustmark certification
We hand over various pieces of personal information to organizations for many purposes, such as our names, contact numbers, and our home and business addresses. We do this so that we can easily transact with the organizations we trust to provide us services or keep us updated with the latest news and trends. However, how can we make sure that our data is kept safe? The Data Protection Trustmark is the answer.
Data Protection Trustmark, defined
The Data Protection Trustmark is a certification developed by the Personal Data Protection Commission (PDPC) and the Infocomm Media Development Authority (IMDA). It is a voluntary, enterprise-wide certification that lets organizations demonstrate accountability for their data protection practices.
Such certification helps these organizations build trust with their shareholders and customers and strengthen their competitive advantage. You can find the list of Data Protection Trustmark-certified organizations here.
According to the certification framework, organizations certified with the Data Protection Trustmark, such as Privacy Ninja, have sound protection policies and practices in place that protect and manage their consumers’ personal data.
How Data Protection Trustmark helps in better data protection
Organizations that are DPTM-certified have data protection policies and practices laid down, and these are assessed by an approved third-party assessment body.
Under the DPTM certification framework, organizations are required to pass a set of robust and comprehensive criteria. According to the Infocomm Media Development Authority, the following practices must be put in place:
- Trained Data Protection Officer and staff to handle your personal data;
- Reasonable collection, use, and disclosure of data with consent obtained and purpose made known;
- Appropriate measures for protection, retention, and disposal of data;
- Provision of withdrawal of consent, access and correction of data; and
- Appropriate measures to take in the event of a data breach.
Furthermore, according to Digital Guardian, the following criteria must first be met to achieve DPTM compliance:
PRINCIPLE 1: GOVERNANCE AND TRANSPARENCY
Appropriate Policies and Practices
- Establish data protection policies and practices
- Establish queries, complaints, and dispute resolution handling processes
- Establish processes to identify, assess and address data protection risks
- Establish a data breach management plan
- Appoint Data Protection Officer (DPO)
- Make available business contact information of the DPO to the public
- Provide information on personal data protection policies to external stakeholders
Internal Communication and Training
- Communicate data protection policies and practices to all employees
- Implement data protection training for all relevant internal stakeholders
PRINCIPLE 2: MANAGEMENT OF PERSONAL DATA
- Ensure collection of personal data is for purposes that are clear and appropriate in the circumstances
- Ensure notification of the purposes for the collection of personal data, on or before the collection of personal data
- Ensure notification of new purposes before the use or disclosure of personal data
- Ensure that consent for the purposes has been obtained on or before collecting the personal data
- Ensure that consent for personal data with special considerations has been obtained
Appropriate Use and Disclosure
- Ensure the use of personal data is for purposes for which consent has been obtained
- Ensure the disclosure of personal data is for purposes for which consent has been obtained
Compliant Overseas Transfer
- Ensure appropriate personal data transfer policies are implemented as required under law
PRINCIPLE 3: CARE OF PERSONAL DATA
- Ensure reasonable security policies and practices are implemented
- Ensure third parties make reasonable security arrangements to protect personal data
- Ensure testing of security measures
Appropriate Retention and Disposal
- Ensure personal data retention policies are implemented
- Ensure appropriate implementation of processes and methods for the disposal, destruction, or anonymization of personal data when there are no longer legal or business purposes to retain the personal data
Accurate and Complete Records
- Ensure personal data for use or disclosure is accurate and complete
- Ensure personal data disclosed to a third party organization is accurate and complete
PRINCIPLE 4: INDIVIDUALS’ RIGHTS
Effect Withdrawal of Consent
- Ensure provision for the withdrawal of consent for the collection, use or disclosure of individuals’ personal data
Provide Access and Correction Rights
- Ensure provision for individuals’ access to their personal data in the organization’s possession or under its control on request
- Ensure provision for individuals’ correction of their personal data in the organization’s possession or under its control on request
Customers can rest assured that with these practices put in place and these criteria followed, their personal data will be safeguarded.
Why do Organizations need to get a Data Protection Trustmark?
The Data Protection Trustmark is a visible indicator that an organization adopts sound data protection practices. Once an organization such as Privacy Ninja holds a DPTM certification, customers can ease their worries about whether their data is being kept safe. Such certification means these organizations can be trusted to handle customers’ personal data.
According to the PDPC, having a DPTM certification benefits organizations in the following ways:
- DPTM may serve as a mitigating factor against enforcement action in the event of a data breach. In addition, under the PDPC’s Active Enforcement Framework, the PDPC and/or a Data Protection Trustmark-certified organization that is able to demonstrate accountable data protection practices may initiate an undertaking process.
- DPTM can be an accountability tool to demonstrate to your customers, business partners and regulator that your organization adopts responsible data protection practices to manage personal data.
- Data intermediaries/third parties that are DPTM-certified can assure their clients of their responsible data protection policies and practices.