By Data Protection Trustmark Team
As the first insurance company to attain both the Data Protection Trustmark (DPTM) and APEC Cross Border Privacy Rules (CBPR) certifications, Great Eastern Life has boosted its stakeholders’ confidence—making it the insurer of choice for customers, financial representatives and partners.
With Great Eastern Life proactively digitalising, the certifications will reassure customers that their personal data, such as health and financial details, will be protected in accordance with the relevant legal standards. The value of the certifications is also further emphasised with the growing importance of cross-border data sharing to support business activities in Malaysia and Indonesia.
“Having the CBPR certification has helped Great Eastern Life to gain trust from our subsidiaries, related companies and country regulators as there is added assurance that Great Eastern will handle and protect personal data to a high standard.”
Commitment from the Heart
With over 1.8 million customers, 5,000 financial representatives and 1,500 employees, Great Eastern Life has a strong tradition of emphasising the need to safeguard the personal data of its customers and internal stakeholders.
At the heart of it all is the Group Data Governance Committee, which oversees all data related matters and provides guidance for data breaches. Chaired by the Managing Director from the Data and Strategic Transformation division, the committee comprises the Group Chief Risk Officer as well as Managing Directors from different business groups. One initiative that was recently introduced in 2020 was the Data Stewardship programme, where each division has a dedicated “Data Steward” to ensure that data policies and standards endorsed by the Group Data Governance Committee were translated into practices. Armed with a clearer picture on how data moves through its lifecycle, the Data Steward was empowered to manage data incidents swiftly and effectively.
To strengthen the data protection culture within Great Eastern Life, the company made onboarding training and annual refresher training mandatory for all staff and financial representatives—equipping them with knowledge on the Personal Data Protection Act (PDPA) and their obligations. Until today, regular circulars on data protection topics are also sent across the company to reiterate the importance of safeguarding their customers’ personal data in the digital age.
“Data protection is a journey and we continue to look at ways to further strengthen our processes and to safeguard our data,” said Ms Tay.
Road to Accountability
When DPTM and APEC CBPR certifications were introduced in 2019, the senior management and staff of Great Eastern Life alike quickly saw the value in obtaining both certifications to assure its customers, business partners and stakeholders that the company takes data protection seriously.
To prepare for the assessment, an internal review was conducted where all business units performed a self-assessment of their policies and procedures to ensure compliance to the DPTM and APEC CBPR requirements,” said Ms Tay.
Great Eastern Life’s preparations paid off, resulting in a smooth assessment with only a few suggested improvements to strengthen the company’s data protection policies. Ms Tay attributed this success to the strong commitment from Great Eastern Life’s leaders and staff. She explained: “The business units were prepared and responded to the assessor’s queries with their deep knowledge on data protection and supporting documents promptly. We also took advantage of the integrated assessment to obtain both DPTM and APEC CBPR certifications at one go, saving us time and effort.”
The unforeseen COVID-19 pandemic and resulting delays did not dampen Great Eastern Life’s road to secure the certifications. By September 2020, the company was finally awarded the DPTM and APEC CBPR certifications.
“We are proud of the achievement as these certifications are testament to Great Eastern Life’s commitment to data protection. It validates the data protection efforts and is a measurement of our success on personal data management and practices.”
From Good to Best Practices
Since then, the certifications have reinforced Great Eastern Life’s data protection regime. For instance, the company enhanced its PDPA contractual clauses within vendor agreements involving personal data, ensuring that its vendors adopt the same standard when handling personal data belonging to Great Eastern Life. It also saw the importance of maintaining up-to-date documentation of existing workflows and found the sharing of best practices by the assessor to be very useful.
As the cross border personal data transfer increases, the CBPR certification also allows Great Eastern Life to transfer data across borders easily and assures multi-national companies that the company is handling their personal data with utmost care. Moreover, the CBPR certification provides assurance to the regulators of countries where the Great Eastern group of entities operate in that personal data held by the group is properly protected.
With rising digitalisation and the growing adoption of cloud technology across businesses, data flows are expected to be seamless even beyond physical borders. Thus, it is imperative for the organisations particularly in the finance and insurance sector like Great Eastern Life, to provide continuous confidence to their stakeholders that the personal data they hold is appropriately safeguarded.
IMDA’s Data Protection Trustmark
The Infocomm Media Development Authority (“IMDA”) Data Protection Trustmark (“DPTM”) is a voluntary enterprise-wide certification that recognises organisations with accountable data protection practices. Developed based on the PDPA and international benchmarks, the DPTM provides assurance to organisations that they have robust data protection policies and practices in place. It also helps organisations increase their business competitiveness through strengthening trust with their customers, business partners and regulators.
The APEC Cross Border Privacy Rules and Privacy Recognition for Processors
The APEC Cross Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) Systems are accountability-based and enforceable certifications developed by APEC economies to build consumer, business and regulator trust in cross border flows of personal data. The APEC CBPR and PRP Systems establish a harmonised set of data protection standards consistent with the APEC Privacy Framework, bridging differing national privacy laws to facilitate trusted data transfers across borders. Together, certified organisations can seamlessly exchange personal data across participating APEC economies, thus reducing barriers to the flow of data for global trade.