Increasingly, businesses are looking to adopt data protection certifications and standards for myriad reasons, including enhancing consumer trust, demonstrating compliance when contracting with partners and managing regulatory risk.
We have prepared a high-level comparison to guide Singapore businesses in determining which certification or certifications could be the best fit.
Who can apply: All organisations, private or public, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.
Features: The ISO/IEC 27701:2019 standard provides a data privacy extension to ISO/IEC 27001:2013 Information Security Management and ISO/IEC 27002:2013 Security Controls. It extends their requirements to take into account, in addition to information security, the protection of privacy of individual consumers as potentially affected by the processing of personal data.
The annexes to the standard list the applicable controls for data controllers and processors, and map the provisions of the standard against the EU General Data Protection Regulation (GDPR), amongst other things.
Geographical scope: International
Cost: A purchase fee for the ISO/IEC 27701:2019 standard document, and the accredited certification body’s fees.
In a nutshell: The recently issued ISO/IEC 27701:2019 standard provides organisations with guidance on how to boost their information security practices to incorporate privacy. The standard focuses on individual consumers (namely, data subjects who are in a business-to-consumer relationship), which should make it particularly appealing for businesses that handle consumer data. The standard could also achieve enhanced cooperation amongst information security and privacy teams and streamline their responsibilities for organisations.
Data Protection Trustmark (Singapore) (DPTM)
Who can apply: All private sector organisations, regardless of size and for-profit status. Data controllers and processors/intermediaries are eligible to apply.
Features: The certification requirements cover the following areas: governance and transparency, management of personal data, care of personal data and the rights of individuals.
The assessment requires applicants to provide documented data protection policies and processes as well as to demonstrate that these are implemented and practiced on the ground.
Geographical scope: Singapore
Cost: An application fee of S$535 is payable to the Info-communications Media Development Authority (IMDA), and an assessment fee of between S$1,400 and S$10,000 plus tax is payable to the assessment body.
A single application fee of S$535 is payable to IMDA when organisations apply for multiple certifications (DPTM, CBPR, PRP) in a single application process.
The application fee is waived for small and medium enterprises (SMEs) and non-profit organisations until 31 December 2020.
There are development grants offered by Enterprise Singapore and the National Council of Social Services to help defray some of the costs of certification and consultancy services for eligible entities.
In a nutshell: Singapore’s Data Protection Trustmark is a voluntary enterprise-wide certification for Singapore organisations to demonstrate accountability under the Personal Data Protection Act.
APEC Cross Border Privacy Rules (CBPR)
Who can apply: Data controllers
Features: The certification is based on the Asia-Pacific Economic Cooperation (APEC) privacy framework and covers the following areas: accountability, the prevention of harm, notice, choice, collection limitation, use of personal information, integrity of personal information, access and correction and security safeguards.
Geographical scope: APEC CBPR participating economies
Cost: An application fee of S$535 is payable to IMDA, and an assessment fee of between S$1,000 and S$8,000 per entity (depending on the size and scope of the assessment required) plus tax is payable to the assessment body.
A single application fee of S$535 is payable to IMDA when organisations apply for multiple certifications (DPTM, CBPR, PRP) in a single application process.
The application fee is waived for SMEs until 30 June 2020.
There are development grants offered by Enterprise Singapore to help defray some of the costs of certification and consultancy services for eligible entities.
In a nutshell: The APEC CBPR system is a certification framework that facilitates cross-border flows of personal data that are otherwise subject to differing data protection laws of APEC participating economies.
APEC Privacy Rules for Processors (PRP)
Who can apply: Data processors/intermediaries
Features: The certification is based on the APEC privacy framework and covers the following areas: accountability and security safeguards.
Geographical scope: APEC PRP participating economies
Cost: An application fee of S$535 is payable to IMDA, and an assessment fee of between S$1,000 and S$8,000 per entity (depending on the size and scope of the assessment required) plus tax is payable to the assessment body.
A single application fee of S$535 is payable to IMDA when organisations apply for multiple certifications (DPTM, CBPR, PRP) in a single application process.
The application fee is waived for SMEs until 30 June 2020.
There are development grants offered by Enterprise Singapore to help defray some of the costs of certification and consultancy services for eligible entities.
In a nutshell: The APEC PRP system is a certification framework specifically for data processors/intermediaries that facilitates cross-border flows of personal data amongst participating economies.
Comment
Whilst different considerations may be at play in deciding which certifications to adopt, these should not discourage organisations from implementing relevant best practice standards in data protection.
External counsel can be engaged to advise and work with organisations to put in place any necessary policies, agreements and other relevant documentation prior to an assessment.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, Reed Smith). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.