Strengthening Trust with Data Protection Essentials
Trust is paramount in the mortgage brokerage sector where sensitive personal data, such as financial information, are required for brokers to facilitate loan applications. It is imperative that proper measures are in place to safeguard customers' data. Find out in this article how a small-medium enterprise (SME) managed to build trust with their clients by strengthening their data protection practices with the IMDA's Data Protection Essentials (DPE) programme.
In the modern digital economy, companies are harnessing the power of technology to enhance their customers’ experiences and increase efficiency through improving processes. Insurance companies for example, allow individuals to “self-serve” online which grants them more autonomy and speed in service instead of having to waiting for a sales representative to be available or having to adhere to business hours. Banks too, are leveraging chatbots to provide immediate assistance to their customers without the need for physical banking.
Priding itself as Singapore’s first mortgage fintech platform, IQRate’s core business includes providing home loans and specialised advice on mortgage matters for its clients. For them, they have observed a notable shift in the demographics of home buyers, who are getting younger and are generally more tech-savvy with a preference towards using apps to meet their needs. One other pain point that often come up amongst their clients is the complexity that can come with mortgage brokerage.
By creating their own mobile application, IQRate enables their clients to “self-serve” and instantly obtain necessary information, such as the best home loan rates in Singapore or how to earn cash rewards, without the hassle of comparing rates across multiple banks.
“By employing technology, we aim to break down barriers and make it more convenient for our clients.” - Ms Angeline Eng, Founder and Director of IQRate.
FOSTERING A CULTURE OF ACCOUNTABILITY
It is not always picture-perfect when technology gets involved. While digital apps may bring about added convenience, there are risks that need to be considered and, ideally, prevented. For IQRate, their clients may be required to provide sensitive data such as financial information and NRIC, to facilitate the bank loan process through the app.
Fortunately for IQRate, the culture of accountability is well-ingrained into the company. As communicated by their Chief Marketing Officer, Mr Roy Koh, they “consider these personal data as important, and therefore protecting them is our top priority. With the growing number of cyber-attacks and data breaches, we as a small company can ill-afford to suffer one”.
For example, they enforce a strict “clean desk policy” and set out guidelines to ensure all documents containing sensitive data must be password protected before sending them out. Even so, relying on guidelines alone was not enough, a proper structure was necessary to entrench accountability as part of its organisational culture.
STARTING OUT RIGHT WITH THE DATA PROTECTION ESSENTIALS
IQRate first heard about the Data Protection Essentials (DPE) programme by word-of-mouth, and was then introduced to Momentum Z, one of IMDA’s approved DPE service providers. According to Momentum Z’s Co-founder and Chief Executive Officer Mr Shane Chiang, what made the DPE attractive was that “it was developed by a government agency, and therefore IQRate was assured that it would be credible”.
While IQRate believes that they have the right data protection practices in place, they were unsure if that was sufficient. They saw potential in documenting their practices in a systematic way to ensure they do not miss out any critical steps that would put their clients’ personal data and their reputation at risk. “We are just not sure how to do this and needed someone with the right expertise to guide us,” explained Ms Angeline Eng, who double-hats as IQRate’s Data Protection Officer (DPO).
“One of IQRate’s biggest concerns was, should IQRate suffer a data breach, would we be ready to respond? We recognise that no organisation is immune from data breaches. Thus, having a response plan in place and with the Personal Data Protection Act (PDPA) training received as part of the DPE implementation, it gives our staff clarity on the necessary actions needed, providing us with greater peace of mind.” - Mr Jasper Eng, IQRate’s Chief Business Solutions.
As part of the DPE one-time setup, IQRate worked with Momentum Z to co-develop their data protection and security policies and processes using various templates provided by the Infocomm Media Development Authority (IMDA). They developed a Data Inventory Map (DIM) to track the various personal data under IQRate’s possession, their purposes of collection, where they are stored, and the retention periods for each data. As a final step, Momentum Z also helped IQRate put in place an incident response and data breach management plan.
It was also an eye-opener for IQRate to undergo a phishing exercise conducted by Momentum Z, which saw a huge improvement in its staff’s capability in identifying and preventing phishing attacks.
In recognising the importance of basic data protection, IQRate completed the DPE one-time setup within just 4 weeks. Ms Eng’s role as the DPO was also crucial in facilitating the process, sharing “we were very serious about DPE! For example, we locked down a date where all our staff would need to attend PCPC’s e-learning course together, and everyone had to complete the online PDPA assessment by a certain date”.
BUILDING TRUST
Beyond accountability, the other driving force for IQRate was their dedication to their clients.
Due to the sensitive nature of the data being collected, IQRate often receives queries from their clients on how their data is being protected. IQRate could now inform their clients that they had undergone the DPE and have put in place basic data protection and security measures to safeguard their personal data, instead of having to go into details on the various data protection practices they have.
Their clients stay happy as well. According to Mr Koh, “this is important to them – they would tell us that they are happy that IQRate took the effort to protect their personal data, and that they feel safer using IQRate”. This has helped to build the trust between IQRate and their clients, providing them an additional edge over their competitors.
Having undergone the DPE also provided a form of assurance to their bank partners. It sends a signal that IQRate has a high level of professionalism, and this creates more business opportunities and fosters partnerships with other banks.
DATA PROTECTION AS AN ONGOING EFFORT
As digitalisation continues to accelerate globally, there will be greater attention and demand for data protection. IQRate believes that taking on the DPE is the right step forward. While they are happy with the outcomes of the DPE, they are choosing not to rest on their laurels and are gearing up for the Data Protection Trustmark (DPTM) certification to achieve even stronger standards of data protection.
“We see data protection as a journey, with the DPE as a stepping stone towards the DPTM. As we continue to grow our business, we expect to collect and handle more and more personal data, and therefore we cannot stop at something basic, but would need to mature and grow our data protection practices.” - Ms Angeline Eng
As one of the early adopters of the DPE in the mortgage fintech sector, IQRate has found that they have gotten a first-mover advantage and secured its position as a trailblazer in setting a trend of accountability in the sector. Following its business philosophy, they believe in “always doing the right thing” and that the DPE is the right first step that all SMEs should take.
To find out more about IMDA’s Data Protection Essentials (DPE) programme, visit www.imda.gov.sg/dpe.
(From L-R) Mr Shane Chiang, Momentum Z's Co-founder and CEO, pictured with IQRate's Founder and Director, Ms Angeline Eng, Chief Business Solution, Mr Jasper Eng and Chief Marketing Officer, Mr Roy Koh