

About DPTM
Under the Personal Data Protection Act of Singapore (PDPA), organizations have a legal obligation to protect personal data.
The Data Protection Trustmark (DPTM) is a certification scheme administered by the Singapore Infocomm Media Development Authority (IMDA).
The scheme was put in place for organizations to demonstrate accountable data protection practices. The general public and enterprises alike can be confident that their personal data is in safe hands.
Do you engage in any of these practices?
- Hardcopy Forms: Collecting personal information for employment, enrolment
- Web / Online Forms: Collecting personal information for employment, enrolment, subscribing to services, lucky draws
- Photo ID: Collecting or retaining national ID (NRIC) for entry into premises
- Biometric System: Eye scan, fingerprint scan for entry into premises
- Events photography: Photo taking of events showing faces of guests or general public
- CCTV: CCTV, surveillance camera capturing faces of general public
If your answer is "Yes"...
Your organization is required by law under the Singapore Personal Data Protection Act 2012 to protect the collected personal data from:
- Misuse / Abuse
- Loss
- Theft

Why It Matters




How We Can Help...
...In 5 Steps
We can assist your organization by setting up the data protection framework leading to the Data Protection Trust Mark Certification.
Frequently Asked Questions
General FAQs

My organization is registered overseas. Can I apply for DPTM certification?
No. The DPTM certification is for Singapore-registered organizations. However, the DPTM certification is applicable if you have a subsidiary registered in Singapore.

Does the PDPA apply to personal data being handled overseas?
The Personal Data Protection Act applies to any part of the personal data process executed in Singapore for collection, storage, processing, transfer, use, and archive.
If, for example, the personal data is transferred and processed outside of Singapore, your organization must ensure the parties involved in the transfer and processing are able to abide by local data protection laws or are certified under the Cross Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System.

Does personal data protection apply to local residents only?
No. The Personal Data Protection Act does not discriminate between locals and foreigners. The law applies to the personal data of both locals and foreigners being collected, stored, processed, transferred, used and archived in Singapore.

My business is just a one-man show. Do I need to comply with the PDPA?
Yes, as long as your business is handling personal data.

Is Data Protection Trust Mark (DPTM) Certification compulsory?
DPTM certification is voluntary. Being certified provides confidence to your customers that your organization has the necessary framework in place to safeguard their personal data.
However, compliance with the Personal Data Protection Act (PDPA) is compulsory if your organization is handling personal data.

What is personal data?
Personal data can exist in the form of hardcopy written information or softcopy data. Examples of personal data include:
- Personality Data (Name / Gender / Age / Marital Status / Professional or Education Status)
- National Identity (e.g., NRIC / FIN / Passport Number / Visa Number / Work Permit Number)
- Employment Information
- Contact Details (Phone / Home Address / E-mail Address)

Grant FAQs

What is the grant amount?
The grant covers qualifying costs for:
- Consultancy to set up your DPTM system
- Certification
- Testing (e.g., network penetration by a third party)
- Training
For more details on the grant, click here.

Which government grant should I apply for?
You should apply for the Enterprise Development Grant (EDG) under the Infocomm and Media Authority (IMDA) of Singapore. Please ensure your organization qualifies as a Small, Medium Enterprise (SME).

Do you provide consultancy for a specific portion of the DPTM certification preparation?
Yes, we do.
You can engage us for a specific portion of the project. Some clients have engaged us to do the following:
- Conduct a data inventory map of their entire organization.
- Conduct a Data Protection Impact Assessment.
- Conduct a pre-certification assessment to gauge readiness.
The above is what we call a piecemeal approach. Please use the RFQ page and indicate this special request in the expected completion date and remarks section of the RFQ form.
Do note that if your organization is applying for grants, the grant does not cover piecemeal projects.

How much does it cost to obtain certification?
Certification costs are capped and regulated by IMDA. From experience, a single site small enterprise certification fee is around $3,000 and a large single site enterprise certification fee may go up to $12,000.
For consultancy, the cost is very dependent on the scope and complexity of processes. As an example, we have assisted a small single site entity for as much as $5,000. The good news is that these costs can be offset by grant subsidies.
Please use the RFQ page if you wish to know the cost estimate. Select Data Protection Trust Mark.

From experience, a single site operation handling simple personal data can be certified within 6 months or less from project kick-off. The required time is also dependent on the number of sites and complexity of processes handling personal data.