What it Takes to Achieve the Data Protection Trustmark


The Data Protection Trustmark (DPTM) is a new certification that’s designed to help organisations exhibit responsible and accountable data protection practices. The Data Protection Trustmark pits organisations against data protection assessments. Once passed, the certification is valid for three years.

After three years, organisations will have to apply for re-certification before the expiry. Organisations that want to be certified can avail of DPTM consultancy to assist them in establishing procedures, policies, data breach management plans, and impact assessments.

When getting DPTM consultancy, organisations can also get assistance with staff training so they will be educated on PDPA and DPTM requirements. The Singapore Infocomm Media Development Authority, under the Ministry of Communications and Information hopes the certification can replicate some elements of PDPA.

They are also hoping that it can also replicate the best practices that are laid out in privacy frameworks such as the APEC CBPR/PR. Organisations that want to be awarded DPTM compliance need to meet the following criteria:

Principle #01: Governance and Transparency

Appropriate Practices and Policies

  • Create data protection practices and policies
  • Create complaints, queries, and dispute resolution handling processes
  • Create a data breach management plan
  • Create processes that can assess, identify, and address any data protection risks
  • Appoint a data protection officer or DPO


  • The business contact information of the data protection officer should be made available to the public
  • External stakeholders should be given information on personal data protection policies

Internal Training and Communication

  • Communicate data protection practices and policies to the staff
  • Data protection training should be given to all internal stakeholders

Principle #02: Personal Data Management

Appropriate Purpose

  • The collection of personal data should be for purposes that are appropriate and clear in the circumstances

Appropriate Notification

  • Make sure the purpose(s) of the collection of personal data is provided on or before personal data is collected
  • Make sure there is notification of new purposes before the disclosure or use of personal data

Appropriate Consent

  • Make sure that consent has been given on or before personal data is collected
  • Make sure to obtain consent for personal data with special considerations

Appropriate Disclosure and Use

  • The use of personal data should only be for the purpose for which consent has been given
  • Disclosure of personal data should only be for the purpose for which consent has been obtained

Compliant Overseas Transfer

  • Make sure the right personal data transfer policies are used and implemented as required under the law

Principle #03: Care of Personal Data

Appropriate Protection

  • Make sure all the required security practices and policies are implemented
  • Make sure third parties have a good security arrangement laid out to protect personal data
  • Ensure the security measures are tested

Appropriate Disposal and Retention

  • Make sure appropriate personal data protection retention policies are being followed and implemented
  • Make sure the right methods and processes are implemented for the destruction, disposal, and anonymization of personal data when there is no longer any business or legal purpose to retain them

Complete and Accurate Records

  • Make sure personal data that’s used for disclosure or use are complete and accurate
  • Ensure any personal data that are provided to third party organisations are complete and accurate

Principle #04 Individuals’ Rights

Effect Withdrawal of Consent

  • Provide withdrawal of consent for the use, disclosure, and collection of individuals’ personal data

Provide Correction Rights and Access

  • Ensure individuals have access to their personal data that are in the possession of the organisation
  • Ensure individuals can correct personal data that are in the possession of the organisation

Aside from the principles there are also some key questions organisations need to ask themselves. For instance, does the organisation have practices and policies set in place to effectively manage personal data? Other questions might be related to the security measures that are in place to protect the personal data in their care.

Leave a reply