IMDA explains Singapore’s data protection regulations

Recent research from the Personal Data Protection Commission (PDPC) found that three in four consumers would rather buy from a brand that is certified to protect their personal data. At the same time, seven in ten organisations prefer to work with partners that are certified to properly manage personal data.

This sentiment becomes even more important given factors such as increasing cyberthreats worldwide and the impact of the COVID-19 pandemic. Consumers need to be assured that their personal data is handled with care as they perform large numbers of online transactions in their daily lives.

There are several compelling reasons for organisations to protect the data that they handle, whether it’s customer details, employee records, or transactions. These include:

  • Preventing data breaches. According to Cisco’s 2021 Data Privacy Benchmark Study, 74% of organisations with medium-maturity privacy practices and 88% of organisations with high-maturity privacy practices list “Mitigating Losses from Breaches” as one of the top benefits of investing in data privacy.

  • Avoiding the loss of business and customer trust that follows a data breach. A Centrify study found that 65% of data breach victims lost trust in the organisation that suffered the breach.

  • Maintaining brand value. An Infosys and Interbrand report revealed that the risk to brand value from a data breach to the world’s top brands could amount to as much as $223 billion.

Setting data protection standards

This is where the Infocomm Media Development Authority (IMDA) comes in. IMDA is a statutory board of the Singapore government that develops and regulates the local info-communication and media sectors. It seeks to safeguard consumer interests while fostering pro-enterprise regulations.

To help organisations establish responsible data protection practices and facilitate how they exchange personal data across Asia-Pacific Economic Cooperation (APEC) member economies, the IMDA administers the following data protection certifications:

  • The Data Protection Trustmark (DPTM) is a voluntary certification for companies to demonstrate accountable data protection practices. The certification assessment will help organisations identify gaps, improve processes, and ensure there are drawer plans to respond promptly to data breaches.

    Why the DPTM matters: Investing in customers’ data protection will help enterprises grow their brand value locally and internationally, as the DPTM framework aligns with Singapore’s Personal Data Protection Act (PDPA) and international benchmarks. In addition, the certification will help customers feel safe transacting with the organisation.
  • The APEC Cross Border Privacy Rules (CBPR) System is a government-backed data privacy certification that facilitates how organisations can exchange personal data across APEC member economies. It requires participating companies to implement data privacy policies that comply with APEC’s Privacy Framework. The CBPR System applies specifically to organisations (data controllers) that control the collection, holding, processing, or use of personal data.

    Why the CBPR System matters: Because of the rapidly digitalising world economy, companies today need to send data across the globe as part of their regular operations. For instance, an Australian firm may service customers worldwide by setting up a back-end process in the Philippines, working with an India-based payment gateway, and making use of a Singapore-based cloud service. The CBPR System would enable each of these businesses to adopt a consistent set of privacy standards, even if they are across several countries in the region.
  • The APEC Privacy Recognition for Processors (PRP) System is a voluntary certification for organisations (data processors) that process data on behalf of client organisations, to demonstrate their ability to implement a data controller’s privacy requirements. The PRP System also requires participating companies to carry out relevant data privacy rules that adhere to the APEC Privacy Framework.

    Why the PRP System matters: Because of the CBPR System’s restricted scope to data controllers, APEC developed a mechanism for data processors as well. The PRP System enables processors in APEC member economies to independently verify their ability to effectively implement a controller’s privacy requirements, and helps controllers identify qualified and accountable processors.

For clarity, the term “data controller” refers to companies that determine the purpose and manner of data processing. The data controller dictates why and how data is going to be used by the company. The “data processor”, in contrast, processes the information that the data controller gives them.

Expanding on the IMDA certifications

The information above covers the basics about IMDA’s certifications. For more particulars about the data protection initiatives – like why and how the certifications were established, how they benefit Singapore, and what other technologies may need a certification framework – Frontier Enterprise talked to Lee Wan Sie, Director, Trusted AI & Data, IMDA.


What brought about the creation of IMDA’s DPTM, APEC CBPR, and PRP certifications? Were there any specific factors or circumstances that led to their formation?

With increased data flows for global trade, we saw a demand for a harmonised set of data protection standards to facilitate cross-border data transfer. Interoperability is an important objective of Singapore’s efforts to ensure that data flows seamlessly between economies with effective data protection systems and accountable organisations that have implemented good data protection practices. This led to the focus of efforts on system-level constructs like mutual recognition and certifications, such as the APEC CBPR and PRP systems, that support cross-border data flows. These help assure overseas customers and businesses transacting with Singapore that the personal data will be protected and used responsibly.

At home, strong consumer confidence is essential to the growth of the digital economy. It leads to trusted participation in digital transactions amongst businesses and consumers, while enabling the innovative use of technology. There was also a need for a mindset shift on data protection from mere compliance to an organisational culture of stewardship and accountability. Organisations should be proactive in providing consumers the assurance that they have robust policies and practices to protect the personal data entrusted to them. The DPTM promotes high standards that go beyond domestic data protection laws, and which are aligned with international standards, such as the OECD Privacy Principles and APEC Privacy Framework. It enforces consistency as it entails regular independent third-party review. With this in mind, IMDA launched the DPTM certification in January 2019.

Together, the three data protection certifications continue to strengthen our position as a robust data ecosystem that supports competition and innovation as well as the cross-border flow of data.

How did the IMDA come up with the certifications? Was there extensive consultation with the infocomm industry, other government agencies, or looking at examples of other countries? Who were the internal and external stakeholders involved?

IMDA, together with the PDPC, conducted studies and consultations involving the public, industry, and other government agencies as part of the process to develop the DPTM scheme. Companies across diverse industries, as well as consumers, were engaged to solicit feedback on the value of a data protection certification. Benchmarking studies on international and local certifications were also done to glean learning points on the expectations, operations, and adoption of a certification scheme.

The PDPA already exists. Why the need for DPTM? How do they complement each other?

Globally, data protection laws are shifting towards a risk-based, accountability approach to ensure organisations meet data protection standards. Likewise, in Singapore, the PDPC has been supporting organisations in making the shift towards an accountability-based approach to data protection and supported IMDA’s DPTM certification.

The DPTM is a visible badge of recognition that organisations are accountable and responsible in their data protection practices. It enhances the competitive advantage of certified organisations, which can differentiate themselves in the marketplace by their data management practices. Customers and business partners can be assured that not only are adequate data safeguards in place, there is also vigilant monitoring of systems, and drawer plans to contain and manage data breaches, should they occur. It complements the PDPA by helping organisations validate and strengthen their data protection capability and aligning them to internationally recognisable standards.

It is often said that technology is always a step ahead of regulation. How does IMDA in its policy initiatives seek to address this gap? How do these certifications help Singapore as a whole position itself as a technology leader in the globe?

The adoption of new technology across all aspects of life, from e-commerce to remote working and learning tools, has accelerated over the years. Proliferated use of Internet of Things (IoT) devices, machine learning, and artificial intelligence (AI) is leading to an increased ability to collate and analyse large amounts of data, opening up new possibilities to derive insights that can yield enormous benefits for organisations, individuals, and society in general.

To keep pace with these magnitudinal shifts, we have put data innovation at the centre of our policies. For example, Singapore has initiated Digital Economy Agreements to position our island as a key node in the global network of digital flows and transactions.

The amendments to the PDPA were another step to ensure our legislative and regulatory regime is fit for purpose for a digital economy with a complex data landscape. Consumers must have the confidence that their personal data will be secure and used responsibly, even as they benefit from digital opportunities and data-driven services. Organisations need certainty to harness personal data for legitimate business purposes, with the requisite safeguards and accountability. The amendments to the PDPA sought to strike this balance so as to maximise the potential benefits, and minimise the risks, of collecting and using personal data.

The data protection certifications, too, play an important role in amplifying this confidence. They provide even more assurance to customers and stakeholders that the personal data held is properly managed and safeguarded. This in turn allows organisations to make greater use of data to improve customer experience, create more business opportunities, and thrive with innovation.

What are some of the technologies on the horizon that you think might need a certification framework in place (e.g. AI, machine learning, IoT, etc)?

There are ongoing international efforts on AI ethics and governance. In 2020, Singapore launched the Model AI Governance Framework and the accompanying Implementation and Self-Assessment Guide for Organisations.

Currently, we are engaging like-minded partners to develop an AI governance testing framework for AI systems. It will help industry achieve greater transparency around AI systems and enable organisations to deploy AI in a trusted manner. We will also explore collaborations to support interoperability of the testing framework with emerging global regulatory requirements.