Data Protection Trustmark Certification

last updated 02 April 2019

To help businesses increase their competitive advantage and build consumer trust, IMDA has launched the Data Protection Trustmark (DPTM) certification to help organisations demonstrate sound and accountable data protection practices.

As part of advancing Singapore’s digital economy as a trusted data hub that supports competition and innovation as well as the cross-border flow of data, the IMDA has launched the Data Protection Trustmark (DPTM) Certification to help organisations demonstrate accountable and responsible data protection practices.

The key objectives of the certification are:

  • for organisations to demonstrate sound and accountable data protection practices;
  • to enhance and promote consistency in data protection standards across all sectors;
  • to provide a competitive advantage for businesses that are certified; and
  • to boost consumer confidence in organisations’ management of personal data.

The benefits of being DPTM-certified:

  1. Increases Business Competitiveness

    Obtaining DPTM certification demonstrates to your customers that you have robust data protection policies and practices in place to safeguard their personal data. This will help strengthen your reputation, build trust and foster confidence in your business, raising your business competitiveness both locally and overseas.

  2. Provides Assurance to Your Organisation

    Third-party certification helps to provide validation of your organisation’s data protection practices. The certification will increase your data governance and protection standards, uncover potential weaknesses and enable your organisation to take steps to mitigate risks.

DPTM is a voluntary enterprise-wide certification that looks at an organisation’s standard of data protection policies, processes and accountability practices. Certification is valid for 3 years and organisations would need to reapply at least 6 months from the date of expiry of the certification.

The list of DPTM-certified organisations can be found here.

For more information on DPTM certification, please click here to watch our video and download the following:

For queries on DPTM, please email Data_Protection_Certifications@imda.gov.sg or call 6377 3800.


Interested organisations can submit their application online. Only online applications will be accepted.

Upon submission of the application, the Applicant Organisation is bound by the Terms of Agreement between the Certification Body (IMDA) and the Applicant Organisation in relation to the Data Protection Trustmark scheme.

Applicants will be notified within 5 working days on the status of their application. Incomplete submissions will delay processing.

The DPTM Certification Framework was developed by adopting and aligning with Singapore’s Personal Data Protection Act (PDPA) and incorporating elements of international benchmarks (e.g. APEC CBPR/PRP requirements) and best practices.

Please refer to Overview of Certification Requirement for details.

The complete DPTM certification controls will be shared with the organisation upon IMDA’s acceptance of its application.

For queries on the DPTM certification controls, please email Data_Protection_Certifications@imda.gov.sg.

Organisations that have put in place a data protection regime to comply with the obligations of the PDPA can apply for DPTM certification. They should also strongly believe in active accountability, beyond mere compliance, in personal data protection and are either (1) formed or recognised under the laws of Singapore, or (2) resident, or having an office or a place of business, in Singapore, and in any case, not a public agency (as defined in the Personal Data Protection Act 2012).

The Assessment Body (AB) acts as an independent body to assess that an organisation’s data protection practices are aligned to the DPTM requirements, and to identify gaps for the organisations to address, if any.

An organisation may select any of the following three ABs – ISOCert Pte Ltd, Setsco Services Pte Ltd and TUV SUD PSB Pte Ltd.  Contact details of the 3 Assessment Bodies:

| Assessment Body | Contact Person | Contact No | Email |
|---|---|---|---|
| ISOCert Pte Ltd (www.isocert.sg) | Saju S Pillai | 9105 4718 / 6659 0810 | saju@isocert.com.sg |
| Setsco Services Pte Ltd (www.setsco.com) | Dixon Ng | 9795 9875 / 6895 0650 | ngds@setsco.com |
| Setsco Services Pte Ltd (www.setsco.com) | Laura Koh | 6895 0659 | laurakoh@setsco.com |
| TUV SUD PSB Pte Ltd (www.tuv-sud-psb.sg) | Lau Boon Cheng | 8383 8696 | DP_Trustmark@tuv-sud-psb.sg |

There are two fees payable by organisations – the application and the assessment fee:

  1. The application fee is payable to IMDA. 
  2. The assessment fee is payable directly to the Assessment Body.

| Type of Fees | Amount |
|---|---|
| Application* | $535 (inclusive of GST) |
| Assessment** | Between $1,400 – $10,000 (depending on the size of the organisation) |

* Application fee is waived for SMEs till 31 December 2019.
** Assessment fee stated above is an indicative range. It is payable to the assessment body, which will confirm the actual fee. GST applies where applicable.

Notes:

  • All Fees are subject to change. Revisions to the fee structure, including any directions or guidelines, will be notified via our website.  
  • The Application fee is payable to IMDA within 5 working days upon IMDA’s acknowledgment of the DPTM application, and is strictly non-refundable.  

Funding Support for Singapore Companies

Singapore companies can consider applying for the Enterprise Development Grant (EDG) to seek support for some of the costs of DPTM certification and consultancy services. Applications will be assessed by Enterprise Singapore based on project scope, project outcomes, competency of service providers, etc.

Companies can refer to https://www.enterprisesg.gov.sg/financial-assistance/grants/for-local-companies/enterprise-development-grant/apply/pre-application for more details on the criteria and process for EDG application.

Funding Support for Social Service Organisations 

IMDA has partnered with the National Council of Social Services (NCSS) to provide funding support to social service organisations (SSO) for their DPTM certification through the NCSS Organisational Development Grant (ODG). 

SSOs who are (1) NCSS members, or (2) MSF-funded, can apply for the ODG online via NCSS’ Funds Application System (FAS). For more details on the ODG and access to the FAS, SSOs can visit NCSS’ website at www.ncss.gov.sg/Grants-Search/VCF-ODG-Organisational-Development.

Professional Consultancy Services

Prior to applying for the DPTM certification, an organisation may wish to engage professional consultancy services to prepare them for DPTM certification.  The PDPC’s list of Data Protection Service Providers provides a basic directory of the data protection services available in Singapore (www.pdpc.gov.sg/Organisations/Help-for-Organisations/List-of-Data-Protection-Service-Providers).

 

General

  1. What is the Data Protection Trustmark (DPTM) certification? 

    The DPTM is a voluntary enterprise-wide certification for organisations to demonstrate sound and accountable data protection practices. A DPTM certification will help businesses increase their competitive advantage and build trust with their clients. The DPTM will be a visible indicator that an organisation adopts sound data protection practices.

  2. What are the benefits of DPTM certification?

    i. Increases business competitiveness

    Obtaining DPTM certification demonstrates to customers that an organisation has robust data protection policies and practices in place to safeguard its customers’ personal data. This will help strengthen an organisation’s reputation, build trust and foster confidence in its business, raising its business competitiveness both locally and overseas.

    ii. Provides assurance to the organisation

    The certification helps to validate an organisation’s data protection regime. The certification will help enhance an organisation’s data governance and protection standards, uncover potential weaknesses and enable the organisation to take steps to mitigate risks.

For Organisation

  1. What requirements do organisations have to fulfil to apply for the DPTM Certification?

    Organisations that have put in place a data protection regime to comply with the obligations of the PDPA can apply for DPTM certification. They should also strongly believe in active accountability, beyond mere compliance, in personal data protection and are either (1) formed or recognised under the laws of Singapore, or (2) resident, or having an office or a place of business, in Singapore, and in any case, not a public agency (as defined in the Personal Data Protection Act 2012).  

  2. What is the cost of applying for the DPTM?

    Applicants are required to pay IMDA an application fee of $535 (inclusive of GST). They are also required to engage an Assessment Body (from the IMDA-appointed panel) to conduct the certification assessment, which can range from $1,400 to $10,000 plus prevailing GST. 

    To encourage SMEs to obtain the certification, IMDA will waive the application fee for SMEs and NPOs till 31 December 2019.
     
  3. Is funding support available for DPTM certification?

    Enterprise Singapore (ESG) is offering support for Singapore companies through the Enterprise Development Grant (EDG) while National Council of Social Services (NCSS) is offering support for social service organisations through the NCSS Organisational Development Grant (ODG).
     
  4. Where can the full set of DPTM certification Controls be found?  

    The Overview of Certification Requirement can be downloaded from the DPTM website. The complete DPTM certification controls will be made available upon IMDA’s acceptance of an organisation’s application.

  5. Who will conduct the DPTM assessment? 

    DPTM assessment can only be conducted by the IMDA-appointed panel of Assessment Bodies. An organisation will select one of the Assessment Bodies to conduct an assessment of its data protection policies and practices.

  6. What is the validity period for the DPTM certification? 

    Each DPTM certification is valid for 3 years. Organisations should apply for the re-certification at least 6 months from the date of expiry of the certification. 

  7. What happens if an organisation undergoes the assessment but fails to make the cut?

    The certification assessment process provides for remediation where necessary. Organisations will be given an opportunity to take corrective actions to meet the certification requirements within a timeframe. Should an organisation require significantly more time and effort to remediate, it could mean that there is systemic failure or that the organisation is simply not ready. In this case, the organisation will not be certified and will need to re-apply for the certification when it is ready.

  8. Is the DPTM certification recognised overseas?

    The DPTM is a local certification scheme. Depending on regional developments, IMDA may explore mutual recognition of similar certifications with other countries.

For Consumer/Individual

  1. How would one know if the company is DPTM-certified? 

    Organisations that have attained the DPTM certification will have their details published on IMDA’s website (www.imda.gov.sg/dptm). In addition, all certified organisations will be able to display (1) the DPTM decal and DPTM certificate at their premises; and (2) the DPTM Certification Mark on their company website and in their marketing materials.

  2. How can one give feedback or report an issue related to DPTM?

    For any query or feedback, or to report an issue relating to DPTM, please email data_protection_certification@imda.gov.sg or call 6377 3800.