The Data Protection Trustmark (DPTM) has been secured, but the job is not done. For insurer AIG Singapore, its data protection journey is an ongoing process.
The DPTM is a voluntary certification that enables organisations to demonstrate that they have a robust data governance standard and are able to meet the obligations of Singapore’s Personal Data Protection Act (PDPA) and elements of international benchmarks.
“It is not about ticking the boxes. Risk is ever evolving. We need to constantly keep pace with advancements in technology and their impact on consumers. We cannot afford to be complacent just because we are certified,” said Mr Christian Sandric, President and Chief Executive Officer of AIG Singapore.
Underpinned by trust
AIG is one of the largest insurance companies in the world and has had a presence in Singapore since 1953. It serves both individual customers and commercial clients, with insurance products offering coverage ranging from personal accident, car, travel and home, to that of energy and cyber risks for large corporate customers.
When AIG Singapore underwrites risk, it has to collect information about its customers. Depending on the types of insurance applied for, this could include personal data such as name, NRIC number, contact information and existing health conditions. During the claims process, it also needs to gather information about a particular situation or incident. For example, if a customer falls ill, it has to collect medical information in order to process the medical insurance claim.
AIG Singapore has controls designed to ensure that it only captures information that is needed to provide services to its customers, and has policies and processes in place designed to ensure that this information is well protected. These include exercising care in data collection, understanding how to store the data safely and how to destroy it, and performing appropriate verification before any information is disclosed.
The important piece that underpins all these is trust. “Our business is based on trust and reputation, and trust lies at the heart of data protection. Certification provides good validation that our personal data protection efforts are on the right track, and thereby raises consumers’ confidence in our brand. The people, organisational capabilities and services behind it are important. People buy from us because they trust us as an organisation,” said Mr Sandric.
End-to-end accountability
“The ability to look at things end-to-end across the board is of paramount importance,” said Mr Sandric. “We cannot say we have good data protection practices in a particular area if we do not understand the downstream impact of what we are doing.”
When the PDPA was introduced, AIG Singapore set up a working group to study its then existing data protection policies and processes and map them against the PDPA. The group, comprising around 20 subject matter experts from different lines of business, set about analysing the organisation’s standard operating procedures for handling personal data and making sure that the proper controls were in place. A data register was also set up so that the organisation would have a better overview of the data that it collects and discloses.
Then in 2018 when the pilot for the DPTM was announced, AIG Singapore decided to pursue certification. “It’s one thing to tell ourselves we are doing the right thing and that we are continuously working to strengthen data protection; but it’s a great perspective to get someone else to look at what we have done and provide validation that we are doing the right things,” said Mr Sandric.
Rigorous process
The certification process was rigorous. “As a global organisation, we have internal compliance policies in place across all our entities. In preparation for the certification, we consolidated the necessary documentation and data from various stakeholders and sorted the information for sharing with the DPTM assessor according to the certification requirements,” explained Mr Sandric.
The assessment criteria also had to be contextualised for insurance business operations so that the organisation was able to clearly articulate to the assessor the controls it already has in place. “The whole process required us to get into a high level of detail across all levels of the organisation as we examined our current state against the certification standard,” said Mr Sandric.
From this experience, one important insight that AIG Singapore shared was that organisations should have their data protection policies and practices firmly in place before they embark on DPTM certification. “Be prepared,” said Mr Sandric. “There are many criteria to meet in the self-assessment phase of the certification, so you need to get the basics right. Do not rush into it when you are not ready. ”
In June this year, AIG Singapore became the first insurer in Singapore to receive the DPTM.
For the organisation, the certification provides reaffirmation and validation that its efforts in personal data protection are focused on the right areas. Internally, the DPTM has helped reinforce the emphasis that AIG Singapore places on personal data protection to its employees.
And for partners and customers, third-party validation in the form of the DPTM helps strengthen their trust in the company. “It’s not just us saying that we are protecting your data; the DPTM also attests to that.”
“It is also important to keep in mind that personal data protection is an ongoing process,” said Mr Sandric. “We cannot take certification to mean that we are all good. We have to continuously focus on personal data protection, and ensure that our policies, processes and practices are evolving with changes in the data landscape.”
Taking a wider perspective, Mr Sandric feels that DPTM is important not just for AIG Singapore but also for the insurance industry as a whole.
“Data protection matters greatly to our customers so it is important for the insurance industry to put the right focus on this,” he said. “We have a collective responsibility to make sure we continuously improve our data protection measures for our customers. Even though we are first in the industry to achieve the DPTM certification, I hope other insurers will follow.”
For more information, visit the Data Protection Trustmark webpage.
.webp)