APEC announces new US accountability agent for CBPR certifications
The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S.
APEC has announced that certification firm Schellman & Company is the newest CBPR accountability agent in the U.S. following approval from a joint oversight panel. Accountability agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place.
Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-based accountability agent for the CBPR program while it’s just the third agent worldwide.
“It has always been our hope in the U.S. market to have multiple options,” said a representative from the U.S. Department of Commerce’s International Trade Administration. “Speaking from a programmatic perspective, having multiple service providers is ideal. Participation resting on one provider does, quite frankly, leave some vulnerabilities. Having multiple options really shores up the strength and foundation of U.S. participation in the system.”
The CBPR system is a government-supported certification that companies within the 21 APEC member economies can obtain to demonstrate compliance with internationally recognized data privacy protections. The U.S. adopted the rules in 2012 and added TRUSTe as the country’s first accountability agent in 2013.
The ITA representative added that while TrustArc has been a prominent and essential player for U.S. participation in the CBPR system, companies were looking for diversity and alternatives in terms of providers, packages and services. Schellman Principal Debbie Zaller, CIPP/US, believes her company is prepared to present consumers with the luxury of choice that they’ve been seeking.
“It fits right in with our other services,” Zaller said. “What we do with privacy is really served on that external audit side."
“It fits right in with our other services,” Zaller said. “What we do with privacy is really served on that external audit side. We’re also a certification body for other frameworks like ISO, HiTrust and FedRAMP.
“Becoming another certification body and staying along the same external audit lines is something we’ve been doing for a long time, so it’s just a natural fit within our current service line. We think it will be a huge need for a lot of our clients.”
Zaller said Schellman began toying with the idea of becoming an accountability agent at the IAPP’s Privacy. Security. Risk. event last year, as it began exploratory talks with International Trade Administration Policy Advisor Michael Rose. Schellman applied to be an accountability agent on its own accord, as the U.S. abides by an open-application process and then reviews prospective agents against an established list of requirements. The characteristics being assessed include a company’s enforcement tactics, the ability to manage conflicts of interest and being capable of explaining programming and certification processes.
“Whatever jurisdiction you’re in, you have to meet all the requirements we’ve listed,” the ITA representative said. “On the U.S. side, we work with organizations that are interested in this role. We help them understand the requirements and go as far as advising on how to meet them."
“We really provide that single-vendor approach to organizations, and that allows us to do a lot of different certification or compliance for an organization."
About DEBBIE ZALLER
Debbie Zaller is a Principal at Schellman & Company, LLC. Debbie leads the SOC 2, SOC 3 and Privacy service lines and is also an AICPA-approved and nationally listed SOC Specialist. As practice leader she is responsible for internal training, methodology creation and quality reporting. Debbie also leads the firm’s Midwest market. Debbie has over 20 years of IT compliance and attestation experience. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.