Singapore as a Trusted Data Hub

As the world becomes increasingly digitised, personal data has become an essential part of business operations. With the increase in cyber threats, it is essential for businesses to ensure that they protect the personal data of their customers and employees. In 2021, the Cyber Security Agency of Singapore (CSA) reported a 54% increase in Singapore firms hit by ransomware attack , and in a separate 2021 Cisco Cybersecurity for SMBs report, as many as two in five Singapore Small-Medium Enterprises (SMEs) suffered a cyber incident in the past 12 months, with 75% of these incidents involving loss or breach of customer data . With affected companies expecting to lose an average of USD$2.87mil from a data breach , suffering a data breach could mean the end of business for a SME.

To ensure that Singapore remains competitive with a strong reputation as a trusted data hub in the digital economy, and to help organisations, especially SMEs level up their data protection standards, the Infocomm Media Development Authority (IMDA) and the Personal Data Protection Commission (PDPC) developed a series of data protection initiatives to help organisations strengthen their data protection standards and gain the competitive advantage in the digital economy.

Data Protection Essentials – helping SMEs acquire the essentials

The Data Protection Essentials (DPE) is a programme designed to support SMEs in acquiring a basic level of data protection and security practices to protect customers’ personal data and recover quickly from a data breach. Under this programme, SMEs can tap on a one-stop professional service for a holistic implementation of basic data protection and security practices through a one-time setup and retainer service.

DPE One-Stop Professional Service

The DPE one-stop professional service provides SMEs with a suite of professional service offered by service providers appointed by IMDA. This includes a one-time set up service that would cover 5 keys areas:

1. Accountability – establish data protection and cyber security practices to provide confidence and foster trust with customers and business partners.


2. Basic Data Security Practices – put in place basic data security practices to better protect your business and customers’ personal data, and to recover quickly should a data breach occurs.


3. Incident Management – develop an incident management plan to manage any data breach in a systematic manner.


4. Training and communications – facilitate/ conduct data protection and cyber awareness training to help employees understand their data protection obligations and f oster a culture of personal data protection.


5. Review – conduct desktop and phishing exercises to review the robustness of the practices after six months of implementation.

SMEs can also subscribe to a retainer service provided by the service providers to ensure that their policies and practices are up-to-date. Under this retainer service, SMEs can expect bi-annual reviews and refreshers of their data protection and security practices implemented through desktop and phishing exercises.

Why should SMEs go for the DPE?

Besides acquiring basic data protection and security practices to mitigate risks of data breaches, SMEs that implemented the one-time setup and signed a minimum 1-year retainer service under the DPE one-stop professional service would enjoy:

1. Recognition for their efforts in being accountable by being listed on IMDA’s website and awarded the DPE logo; and
2. In the event of a data breach, the PDPC may consider a SME’s implementation of the DPE as a mitigating factor.

Data Protection Trustmark

Launched in 2019, the DPTM is a voluntary enterprise-wide certification and will be a visible indicator that an organisation adopts accountable and responsible data protection practices. Assessed by independent third parties, DPTM-certified organisations not only have to demonstrate good practices but also an effective system to monitor and detect incidents, along with ready plans to manage and recover from incidents.

The DPTM certification framework and controls were developed based on Singapore’s Personal Data Protection Act (PDPA), coupled with elements of international benchmarks and best practices. Certification is valid for 3 years.

Why should organisations go for the DPTM?
DPTM-certified organisations agree on the following benefits:

1. Demonstrate PDPA Compliance
   

   DPTM-certified organisations would be able to demonstrate that, at the point of their certification, they have in place robust policies and practices that are in compliance with the PDPA, providing assurance to customers, business partners and regulators in their commitment to protecting personal data.

   In the unfortunate event of a data breach, DPTM-certified organisations may request from the PDPC a voluntary undertaking in lieu of an investigation to allow them the opportunity to implement their remediation plans. PDPC may also consider DPTM as a mitigating factor.

2. Establish Good Data Governance
   

   The DPTM involves a robust third party assessment that would validate your data protection regime. During the assessment, the assessor would highlight gaps or areas that can be improved and provide recommendations to allow the applicant organisations to remediate and strengthen their overall data governance standards. Most importantly, it would give you peace of mind knowing that your organisation is in good shape.

3. Increase Competitive Advantage
   

   Based on a recent PDPC Survey , 4 in 5 companies preferred to do business with DPTMcertified companies. The DPTM is also increasingly recognised and incorporated by public agencies in their procurement as a way to identify trusted vendors and suppliers, as the DPTM is aligned to the government’s IM8 Personal Data Protection Policies and Standards.

Conclusion

As consumers become increasingly aware of their personal data protection rights, and with the increase in data breaches, there would be a demand for businesses to be accountable and to show that they have robust data protection standards in place when managing personal data. Thus, it is imperative that organisations recognise that being accountable in managing personal data is not simply a matter of compliance, but a worthwhile investment that would strengthen their organisation’s reputation, build consumer trust, and help them stand out from their competitors.

To find out about the Data Protection Essentials and the Data Protection Trustmark and the available grants, please visit:
DPE – www.imda.gov.sg/dpe
DPTM – www.imda.gov.sg/dptm

About The Author

The Infocomm Media Development Authority
The Infocomm Media Development Authority (IMDA) leads Singapore’s digital transformation by developing a vibrant digital economy and an inclusive digital society. As Architects of Singapore’s Digital Future, we foster growth in Infocomm Technology and Media sectors in concert with progressive regulations, harnessing frontier technologies, and developing local talent and digital infrastructure ecosystems to establish Singapore as a digital metropolis.
For more news and information, visit www.imda.gov.sg or follow IMDA on Facebook (IMDAsg) and Twitter (@IMDAsg).