How Great Eastern Life demonstrates accountable data protection practices

Read on to find out how Great Eastern protects their customers’ personal data and ensures secure cross-border data sharing.

By Data Protection Trustmark Team

As the first insurance company to attain both the Data Protection Trustmark (DPTM) and APEC Cross Border Privacy Rules (CBPR) certifications by IMDA, Great Eastern Life has boosted its stakeholders’ confidence in data protection and data sharing practices—making it the insurer of choice for customers, financial representatives, and partners.

With Great Eastern Life proactively digitalising, the certifications will reassure customers that their personal data, such as health and financial details, will be protected in accordance with the relevant legal standards. The value of the certifications by IMDA is also further emphasised with the growing importance of cross-border data sharing to support business activities in Malaysia and Indonesia.

Having the CBPR certification has helped Great Eastern Life to gain trust from our subsidiaries, related companies and country regulators as there is added assurance that Great Eastern will handle and protect personal data to a high standard.

Ms Kathleen Tay

Head of Group Data Management & Governance, Great Eastern Life

Great Eastern Life’s Head of Group Data Management & Governance, Ms Kathleen Tay, shared that having the CBPR certification has bolstered the trust and confidence of their stakeholders.

Commitment from the Heart

With over 1.8 million customers, 5,000 financial representatives and 1,500 employees, Great Eastern Life has a strong tradition of emphasising the need to safeguard the personal data of its customers and internal stakeholders, focusing on data protection, data sharing, and personal data protection practices.

At the heart of it all is the Group Data Governance Committee, which oversees all data related matters and provides guidance for data breaches. Chaired by the Managing Director from the Data and Strategic Transformation division, the committee comprises the Group Chief Risk Officer as well as Managing Directors from different business groups. One initiative that was recently introduced in 2020 was the Data Stewardship programme, where each division has a dedicated “Data Steward” to ensure that data policies and standards endorsed by the Group Data Governance Committee were translated into practices. Armed with a clearer picture on how data moves through its lifecycle, the Data Steward was empowered to manage data incidents swiftly and effectively.

To strengthen the data protection culture within Great Eastern Life, the company made onboarding training and annual refresher training mandatory for all staff and financial representatives—equipping them with knowledge on the Personal Data Protection Act (PDPA) and their obligations. To this day, regular circulars on data protection topics are also sent across the company to reiterate the importance of safeguarding their customers’ personal data in the digital age.

“Data protection is a journey and we continue to look at ways to further strengthen our processes and to safeguard our data,” said Ms Tay.

Great Eastern is committed to protecting and safeguarding its customers’ data. This can be seen from its data protection culture, which involves mandatory onboarding training and annual refresher training for all staff on the Personal Data Protection Act (PDPA) and their obligations.

Road to Accountability

When DPTM and APEC CBPR certifications by IMDA were introduced in 2019, the senior management and staff of Great Eastern Life alike quickly saw the value in obtaining both certifications to assure its customers, business partners, and stakeholders that the company takes data protection seriously.

“To prepare for the assessment, an internal review was conducted where all business units performed a self-assessment of their policies and procedures to ensure compliance to the DPTM and APEC CBPR requirements,” said Ms Tay.

Great Eastern Life’s preparations paid off, resulting in a smooth assessment with only a few suggested improvements to strengthen the company’s data protection policies. Ms Tay attributed this success to the strong commitment from Great Eastern Life’s leaders and staff. She explained: “The business units were prepared and responded to the assessor’s queries with their deep knowledge on data protection and supporting documents promptly. We also took advantage of the integrated assessment to obtain both DPTM and APEC CBPR certifications at one go, saving us time and effort.”

The unforeseen COVID-19 pandemic and resulting delays did not deter Great Eastern Life from securing the data protection certifications. By September 2020, the company was finally awarded the IMDA’s DPTM and APEC CBPR certifications.

We are proud of the achievement as these certifications are testament to Great Eastern Life’s commitment to data protection. It validates the data protection efforts and is a measurement of our success on personal data management and practices.

Ms Kathleen Tay

Head of Group Data Management & Governance, Great Eastern Life

From Good to Best Practices

Since then, the certifications have reinforced Great Eastern Life’s data protection regime. For instance, the company enhanced its PDPA contractual clauses within vendor agreements involving personal data, ensuring that its vendors adopt the same standard when handling personal data belonging to Great Eastern Life. It also saw the importance of maintaining up-to-date documentation of existing workflows and found the sharing of best practices by the assessor to be very useful.

Data flows are expected to be seamless even beyond physical borders due to the growing adoption of cloud technology across businesses and rising digitalisation.

As cross-border personal data transfers increase, the CBPR certification also allows Great Eastern Life to transfer data across borders easily and assures multi-national companies that the company is handling their personal data with utmost care. Moreover, the CBPR certification provides assurance to the regulators of countries in which the Great Eastern group of entities operates that personal data held by the group is properly protected.

With rising digitalisation and the growing adoption of cloud technology across businesses, data flows are expected to be seamless even beyond physical borders. Thus, it is imperative for organisations, particularly those in the finance and insurance sector like Great Eastern Life, to provide continuous confidence to their stakeholders that the personal data they hold is appropriately safeguarded.


IMDA’s Data Protection Trustmark

The Infocomm Media Development Authority (“IMDA”) Data Protection Trustmark (“DPTM”) is a voluntary enterprise-wide certification that recognises organisations with accountable data protection practices. Developed based on the PDPA and international benchmarks, the DPTM provides assurance to organisations that they have robust data protection policies and practices in place. It also helps organisations increase their business competitiveness through strengthening trust with their customers, business partners, and regulators.

The APEC Cross Border Privacy Rules and Privacy Recognition for Processors

The APEC Cross Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) Systems are accountability-based and enforceable certifications developed by APEC economies to build consumer, business, and regulator trust in cross border flows of personal data. The APEC CBPR and PRP Systems establish a harmonised set of data protection standards consistent with the APEC Privacy Framework, bridging differing national privacy laws to facilitate trusted data transfers across borders. Together, certified organisations can seamlessly exchange personal data across participating APEC economies, thus reducing barriers to the flow of data for global trade.
