APEC announces new US accountability agent for CBPR certifications

June 26, 2019 Debbie Zaller

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S.

APEC has announced that certification firm Schellman & Company is the newest CBPR accountability agent in the U.S. following approval from a joint oversight panel. Accountability agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place.

Schellman joins TrustArc subsidiary TRUSTe as one of the only two U.S.-based accountability agents for the CBPR program, and it is just the third agent worldwide.

“It has always been our hope in the U.S. market to have multiple options,” said a representative from the U.S. Department of Commerce’s International Trade Administration. “Speaking from a programmatic perspective, having multiple service providers is ideal. Participation resting on one provider does, quite frankly, leave some vulnerabilities. Having multiple options really shores up the strength and foundation of U.S. participation in the system.”

The CBPR system is a government-supported certification that companies within the 21 APEC member economies can obtain to demonstrate compliance with internationally recognized data privacy protections. The U.S. adopted the rules in 2012 and added TRUSTe as the country’s first accountability agent in 2013.

The ITA representative added that while TrustArc has been a prominent and essential player for U.S. participation in the CBPR system, companies were looking for diversity and alternatives in terms of providers, packages and services. Schellman Principal Debbie Zaller, CIPP/US, believes her company is prepared to present consumers with the luxury of choice that they’ve been seeking.

“It fits right in with our other services,” Zaller said. “What we do with privacy is really served on that external audit side. We’re also a certification body for other frameworks like ISO, HiTrust and FedRAMP.

“Becoming another certification body and staying along the same external audit lines is something we’ve been doing for a long time, so it’s just a natural fit within our current service line. We think it will be a huge need for a lot of our clients.”

Zaller said Schellman began toying with the idea of becoming an accountability agent at the IAPP’s Privacy. Security. Risk. event last year, as it began exploratory talks with International Trade Administration Policy Advisor Michael Rose. Schellman applied to be an accountability agent of its own accord, as the U.S. abides by an open-application process and then reviews prospective agents against an established list of requirements. The characteristics being assessed include a company’s enforcement tactics, its ability to manage conflicts of interest and its capability to explain programming and certification processes.

“Whatever jurisdiction you’re in, you have to meet all the requirements we’ve listed,” the ITA representative said. “On the U.S. side, we work with organizations that are interested in this role. We help them understand the requirements and go as far as advising on how to meet them.”

“We really provide that single-vendor approach to organizations, and that allows us to do a lot of different certification or compliance for an organization.”

Read full article at iapp.org >>

About the Author

Debbie Zaller

Debbie is Principal and co-owner at Schellman & Company, LLC. She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice. Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee. She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.
