The Benefits of an APEC CBPR/PRP Certification for Your Organization
Jamaican political activist, publisher, journalist, entrepreneur, and orator, Marcus Garvey, once said, “look for me in the whirlwind or the storm.”
His life’s work may have preceded data privacy concerns by decades, but the sentiment might still feel familiar in light of the current privacy landscape. When you consider all the different privacy regulations and laws flying around, it can feel a bit like you too are in the middle of a whirlwind, and—like anyone in a hurricane—you’d love to find a port in the storm.
When we say “port,” we mean a viable way to prove your privacy protections are adequate so that your customers can rest a bit easier. An APEC CBPR / PRP certification may be just the way to do that.
In April 2022, the USA and 7 other economies from the APEC region announced the launch of a global privacy forum to lead a new framework that will be applicable worldwide. Some may already be familiar with this framework, which was previously only open to APEC-participating economies, and if you are, don’t worry—certified companies and the accountability agents that certified them will automatically be approved as part of this expansion.
But for those of you unfamiliar with the APEC framework and its privacy regulations, we’re here to help you understand. As an accredited accountability agent for both APEC certifications, we’re going to break down what APEC CBPR/PRP stands for, as well as what the two related certifications are and how they can benefit your organization.
APEC CBPR/PRP may or may not be your “port in a [privacy] storm,” but after reading this article, you’ll know better how it can work for you.
What is an APEC CBPR/PRP Certification?
The aforementioned global forum is new, but the APEC CBPR framework has actually been around for a while. Before you can understand the certifications’ benefits, you need to understand how we got to this point. So, let’s break down the big pieces and their related acronyms:
Year Established: 1989
Year Established: 2005
As of today, 9 of the 21 APEC economies have joined the CBPR system: the USA, Mexico, Japan, Canada, Singapore, Republic of Korea, Australia, Chinese Taipei/Taiwan, and the Philippines.
Year Established: 2015
Knowing all that, the most important thing to understand is that the APEC CBPR and APEC PRP certifications are two different things:
- APEC CBPR certification is for controllers.
- APEC PRP certification is for processors.
Both—assuming your organization conforms to the respective requirements and passes the assessment—are issued by an accountability agent, and it is possible to be certified under both frameworks, should your organization operate as a controller as well as a processor.
5 Benefits of APEC CBPR/PRP Certification
But why should you consider getting certified at all? Several different privacy assessments might suit your organization, so let’s go over the benefits of this one in particular.
1. Competitive Advantage
If you were to check active certifications within the compliance directory of the CBPR system for processors, you’d see that some of the biggest names in the IT world are already certified—maybe even some of your competitors.
In our experience, not only has certification within the CBPR system granted some of our clients a competitive edge in the APEC region but it’s also lowered barriers for them in setting up offices and beginning data processing in some of those member economies.
2. Easier International Development and Data Transfer
As we mentioned before, APEC certification and its underlying framework are on the brink of becoming even more relevant worldwide with the launch of the CBPR Global Forum, but even now they can be used to facilitate compliance with data transfer requirements while also expanding your activities in participating countries:
- In the Pacific: Countries like Japan and Singapore have specifically approved the use of the CBPR system as a basis for data transfers.
  - Japan, which has implemented particularly strict data protection rules, has signaled that authorized personal data can be transferred outside of Japan to an organization certified under the CBPR system.
  - Based on Singapore’s data protection legislation (the Personal Data Protection Act, or PDPA), the Singapore government explicitly promotes the CBPR system as a means for organizations in Singapore to easily transfer personal data to overseas certified recipients without meeting other requirements.
- In North America: The recent United States-Mexico-Canada agreement cited the CBPR as a valid mechanism to facilitate cross-border information transfers while protecting personal information.
- In Europe: Our APEC-certified clients have reported that their CBPR certification helped them in the approval process for their Binding Corporate Rules (BCRs) by European institutions.
- Bermuda: Though not an APEC member, the island recognizes the certificate as a compliance mechanism for international data transfers.
3. Improved Reputation and Reassured Customers
For those organizations charged with protecting personal data, it’s important to demonstrate to customers that you’re taking their privacy and related rights seriously. Holding a CBPR certificate can help you to demonstrate your organization’s privacy compliance posture—here’s how:
- You’d be respecting a set of requirements that mandates you inform customers about your practices and procedures related to privacy matters.
- You’d have mechanisms in place to allow individuals to contact you and exercise their data privacy rights.
- You’d hold a certificate seal showing customers that your organization is respecting a high standard of privacy rules, backed by the government.
In the United States, accountability agents are authorized by the U.S. Department of Commerce to issue CBPR and PRP certifications. Such respected support, plus the aforementioned transparency and communication requirements, will go a long way with customers.
4. Efficient Vendor Due Diligence Tool
Vendor due diligence can be a full-time job for growing organizations, and privacy concerns can complicate that. Sure, you may have protections in place, but can your customers trust your vendors to maintain a high standard for them as well?
It would certainly help if you, and they, knew that your third-party providers held an APEC PRP certification, which includes requirements related to implemented security safeguards and accountability measures.
5. Complementary to Other Compliance Initiatives
…particularly ISO certifications, and the mappings are advantageous in both directions.
If you were to achieve APEC CBPR/PRP certification, that could be the first step towards implementing further controls to be later used in becoming ISO 27701 certified—a lengthy process that also includes certification against the ISO 27001 information security standard.
On the other hand, if you already hold an ISO certification, you could use CBPR/PRP certification to improve your privacy information management system while also adding a legal basis for data transfers.
Moving Forward with APEC CBPR/PRP Certification
Right now, 8 economies have joined the new global forum—Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei/Taiwan, the Philippines, and the United States. As it continues to expand beyond the Pacific and gain ground globally, either APEC certification can help you demonstrate to your customers that your organization follows a multi-jurisdictional data transfer privacy standard, evidenced by holding a certification given—after an independent assessment—by a third party accredited by the U.S. government.
It may be just the right corroboration you need to satisfy your customers’ privacy concerns, though you may still want to explore other options in the privacy space. If so, read our other articles on different assessments and certifications that may serve you better:
- Your Guide To ISO 27701
- ISO 27018 vs. ISO 27701
- GDPR vs. Existing Frameworks: Overlaps, Differences, and Filling the Gaps
But if you find you have persisting questions—on APEC CBPR/PRP or anything else privacy-related—we’d encourage you to reach out to our team so that we can have a conversation to help you feel more comfortable with whichever assessment you’d like to pursue.
About Mathieu Legendre
Mathieu is a Manager with Schellman, based in New York City, NY. Prior to joining Schellman in 2021, Mathieu worked for an accounting company, specializing in compliance and anti-corruption regulations. Before arriving in the US in 2016, Mathieu worked as an attorney in France, specializing in public law and consumer law-related matters. Mathieu also led and supported various other projects, including real estate projects and writing a World War I non-fiction book. Mathieu has over 15 years of experience comprised of serving clients in various industries, including financial services, construction, and government. Mathieu is now focused primarily on privacy for organizations across various industries.