Competition was intense. TRS Forensics was up against a field of well-known international competitors bidding for a high-value forensics technology project. But it had an ace up its sleeve. The company’s Data Protection Trustmark (DPTM) caught the eye of the client, a large multinational company from the European Union (EU), and it went on to secure the contract.
TRS Forensics is a Singapore-based risk-consultancy firm that aims to go global by demonstrating that its data protection policies and processes are aligned with international standards. The DPTM has given the company a competitive advantage in this respect, as it is based on Singapore’s Personal Data Protection Act (PDPA) as well as international benchmarks and best practices, said TRS Forensics’ chief executive officer Mr Tan Swee Wan. The fact that Singapore’s IMDA is the certification body strengthens the legitimacy of the certification to consumers and businesses in other countries.
Personal data in risk consultancy
Established in 2017, TRS Forensics saw an opportunity to deploy technology solutions to speed up and automate audit and accounting functions, as well as to offer a full range of risk consultancy services.
The company’s areas of expertise include internal audit, investigation, and cybersecurity advisory services.
In the course of its engagement with clients, TRS Forensics handles a lot of personal data. In internal audit, for example, a client may want the company to look at payroll processes and records. To do so, TRS Forensics would need access to payroll as well as transaction records containing names, national identification numbers, bank account numbers and salary information.
As part of its cybersecurity services, the firm may conduct penetration testing, which involves going into the client company’s network with the client’s permission. Sometimes in the course of an investigation, it may require access to a client’s affected personal data and other sensitive data as part of the evidence-gathering process.
“Need to know” basis
Given the nature of the data that it has access to, TRS Forensics makes it a point to ensure that it has processes and procedures in place to safeguard clients’ and employees’ personal data.
It places restrictions on who can access what data. For example, access to all the engagement files is granted on a “need to know” basis. It has clear policies and internal procedures to safeguard the data, covering how it receives the data, what kind of consent it has to obtain, how it stores the data, what data needs to be encrypted, and how the data is to be destroyed at the end of the engagement.
When the company first learnt about the DPTM through the media, it decided that this was a good certification to work towards.
“The DPTM presents a lot of advantages,” said Mr Tan. “It allows us to test our own processes and procedures to see if what we have put in place can be benchmarked against international recommended practices. This enables us to show proof to our clients that we have a robust mechanism to protect important data. We are also giving assurance to our own employees that the data they entrust us with is well protected.”
TRS Forensics’ certification journey began in October 2018 with a self-assessment. This was followed by an assessment conducted by an independent body from IMDA’s appointed panel.
“The key thing we gained was having an independent third party to take a look at what we have implemented. Although we are in the industry and we offer cybersecurity and data protection services, it is always good to have an external pair of eyes to scrutinise our processes,” said Mr Tan.
The DPTM also proved to be an advantage when the company bid for a technology forensics project earlier this year. “We were the only Singapore-based firm invited to pitch because of our credentials,” said Mr Tan. “The client’s legal counsel agreed that the DPTM was a good thing to have.”
This was because amongst the requirements of the DPTM were principles based on international requirements and guidelines, such as the EU’s General Data Protection Regulation (GDPR), the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, and the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. When a DPTM-certified company operates in these geographies, the trustmark provides its clients with the assurance that the company’s data protection policies are aligned with international best practices.
The Singapore Factor
As a government-backed certification scheme, the DPTM is also a strong selling point for Singapore companies looking to expand into the region.
“There is a lot of trust in the Singapore government. We get a lot of work because of Singapore’s reputation. So it helps that the DPTM is administered by the IMDA,” said Mr Tan. “This gives us an edge compared to other overseas competitors.”
Mr Tan cited the example of a client in Malaysia, an e-wallet company, which was willing to pay more for a DPTM-certified Singapore company with a presence in Malaysia. “They are willing to pay a premium for the trust and recognition,” he said.
Last but not least, the DPTM has also enabled TRS Forensics to communicate clearly to its employees the importance of personal data protection.
“From Day 1, we have had policies and processes, but as known in any cybersecurity or data protection scenario, human beings are usually the weakest link. We have to constantly remind our employees to be vigilant,” said Mr Tan.
The certification process helped drive home this point when the employees were interviewed by the independent assessor. “Having a third party talk to them brings out the importance of being vigilant and shows that the company is dead serious about data protection,” said Mr Tan.
“The DPTM certification process enabled us to improve what was already a strong system, and also to send the right message to our employees. This strengthens our reputation in data protection and gives our clients the confidence that we practise what we preach.”
For more information, visit the Data Protection Trustmark webpage.
(This story was first published in the Data Protection Trustmark Success Stories e-booklet.)