
The Global CBPR Forum Announces CBPR 2.0

Privacy Assessments

Published: Mar 24, 2026

On March 23, 2026, the Global CBPR Forum announced the release of CBPR 2.0 during its biannual Forum workshop. The refresh of the original System requirements, now referred to as CBPR 1.0, is a significant step in aligning with the privacy laws in new participating economies and opening the door for other interested economies to join as member or associate jurisdictions.

The updated framework has expanded from 50 requirements to 57 requirements, including modifications to 3 requirements. Emily Heintz, Privacy Technical Fellow at Schellman, outlines what companies certified against the Cross Border Privacy Rules (CBPR) or Privacy Recognition for Processors (PRP) frameworks need to know to transition to the revised framework.

What is the Global CBPR?

To understand the recent requirement updates, we must first understand how we got here. The Asia Pacific Economic Cooperation (APEC) endorsed the APEC CBPR System in 2011 to build trust in cross border flows of personal information. The APEC CBPR System established the APEC CBPR and APEC PRP frameworks to enable participating businesses to demonstrate that their operations align with a baseline of privacy and information security requirements.

The Global CBPR Forum was established in 2022 by Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the United States. In 2025, the Forum transitioned the prior framework into a broader, international system to increase support for the free flow of data and effective data protection and privacy globally. The Global CBPR Forum has since welcomed Dubai International Financial Centre as a member economy and Bermuda, Nigeria, Mauritius, and the United Kingdom as associate economies.

What’s changing in CBPR 2.0?

While most of the requirements are staying the same, there are a few key updates companies should be aware of, including:

Preventing Harm

The biggest modification to the CBPRs is the introduction of a new domain centered around preventing the misuse of personal information and consequent harm to individuals.

The domain includes five requirements listed below:

  • Determining whether sensitive personal information, including children’s personal information, is processed and if so, what safeguards are necessary to protect it
  • Obtaining parental consent
  • Assessing the risks of misuse of personal information, evaluating the potential harm to individuals, and implementing mitigation measures
  • Formalizing and implementing breach notification procedures

This new domain reflects some key issues in the privacy compliance arena today: the processing of children’s data and corporate accountability of personal data processing through documented privacy impact assessments justifying what, why, and how personal information is being processed, and how privacy is being upheld throughout the processing.

Expanding Requirements Around Choice

While not a new domain, the requirements around choice are being fortified through the addition of new requirements:

  • Enabling individuals to choose whether to receive direct marketing
  • Recording individuals’ choices
  • Providing mechanisms for individuals to withdraw consent for the processing of personal data when the data is no longer needed for the purposes for which consent was provided

Most businesses that rely on consent for processing personal data should have a formal consent management record as well as functionality for individuals to revoke their consent at any time, making the lift to meet these new demands lighter.

However, the addition of choice around direct marketing may rebalance the workload, especially for businesses based in the United States, where opt-out is the current default setting for marketing activities and consumers are only opted out for a period of time.

Revising Accountability Requirements

Two requirements in the accountability domain were revised to include new criteria:

  • Maintaining a record of processing activities (ROPA)
  • Appointing a qualified individual to be responsible for overall compliance with the data protection program as well as the Global CBPR privacy principles

The emphasis on designating a qualified individual to lead compliance with the overall data protection program and maintaining a ROPA for an overall view of processing activities that involve personal data strengthens the positioning of the framework to speak to the need for corporate accountability.

The data protection program should be led by an individual who has relevant experience, education, and training to assess and monitor processing activities and implemented controls for their conformance with applicable privacy legislation, regulation, and frameworks.

CBPR 2.0 Transition Timeline

While CBPR 2.0 has already been announced, businesses do not certify against the new requirements until after April 1, 2027. This means that if a business conducts its annual certification review in October, it would not be assessed against the new requirements until October 2027.

Newly certified businesses also need to assess against CBPR 1.0 until April 1, 2027, when new participants would be required to certify against the new framework. This transition timeline provides ample time for businesses to review their current processes and implement new controls to comply with the new requirements.

Why is CBPR 2.0 Important?

As noted in our previous blog highlighting the benefits of Global CBPR/PRP certification, the establishment of the Global CBPR Forum has increased the exposure and applicability of the framework on a global scale. The addition of the new and modified requirements aligns the System with best practice.

The connection to the General Data Protection Regulation (GDPR) in particular, through requiring businesses to draft and maintain ROPAs, appoint qualified data protection officers, honor choice, and consider the implications to individuals when processing sensitive data, may signal that more European jurisdictions have expressed interest in participating in the Forum.

The investment from more Western economies in the System benefits participating businesses by enabling more cross-border data transfers in an era where data localization is becoming more common. To learn more about how to prepare for compliance with CBPR 2.0, contact us today.

About Emily Heintz

Emily Heintz is a technical fellow with Schellman based in New Orleans, Louisiana. She currently manages privacy assessments and certifications across the full suite of offerings, including CBPR / PRP, ISO 27701, EU Cloud Code of Conduct, and Microsoft SSPA. Prior to joining Schellman in 2020, Emily worked as a Project Manager on the U.S. Privacy team at a Fortune 50 retailer focusing on designing controls to comply with the CCPA and conducting privacy reviews of emerging technology solutions. She also has experience implementing a privacy impact assessment and artificial intelligence impact assessment process at a Future 50 recognized company. She is an active member of the International Association of Privacy Professionals (IAPP), is a Fellow of Information Privacy (FIP), holding both the CIPP/US and CIPM certifications, and has obtained her CISSP.