What are the Benefits of an APEC CBPR/PRP Certification?

Jamaican political activist, publisher, journalist, entrepreneur, and orator, Marcus Garvey, once said, “look for me in the whirlwind or the storm.”

His life’s work may have preceded data privacy concerns by decades, but the sentiment might still feel familiar in light of the current privacy landscape. When you consider all the different privacy regulations and laws flying around, it can feel a bit like you, too, are in the middle of a whirlwind, and—like anyone in a hurricane—you’d love to find a port in the storm.

When we say “port,” we mean a viable way to prove your privacy protections are adequate so that your customers can rest a bit easier. An APEC CBPR / PRP certification may be just the way to do that.

In April 2022, the USA and seven other economies from the APEC region announced the launch of a global privacy forum to lead a new framework that will be applicable worldwide. Some may already be familiar with the APEC CBPR framework, which was previously open only to APEC-participating economies; if you are, don’t worry: companies that are already certified, and the accountability agents that certified them, will automatically be approved as part of this expansion.

But for those of you unfamiliar with the APEC framework and its privacy regulations, we’re here to help you understand. As an accredited accountability agent for both APEC certifications, we’re going to break down what APEC CBPR/PRP stands for, as well as what the two related certifications are and how they can benefit your organization.

APEC CBPR/PRP may or may not be your “port in a [privacy] storm,” but after reading this article, you’ll know better how it can work for you.

What is an APEC CBPR/PRP Certification?

The aforementioned global forum may be new, but the APEC CBPR framework has actually been around for a while. Before you can understand the certifications’ benefits, you need to understand how we got to this point, so let’s break down the big pieces and their related acronyms:

Asia-Pacific Economic Cooperation (APEC)

Year Established: 1989
What Is It? A regional economic forum intended to ease trade and business among its members. With the rise of the internet and electronic commerce in the global economy, APEC has extended its work to international data exchange, with a focus on privacy.
Who’s Involved? Originally formed by Pacific-bordering countries and “economies”—a term used to admit Taiwan and Hong Kong—it now has a total of 21 members, including the USA, China, Japan, Singapore, and Australia.

Cross Border Privacy Rules (CBPR)

Year Established: 2005 (the APEC Privacy Framework); the CBPR system built on that framework was endorsed by APEC in 2011
What Is It? A set of requirements applicable to controllers that is based on the APEC Privacy Framework, itself inspired by the Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data:

  • Set up as a flexible method to protect personal information, the framework is divided into nine main principles:
    • Preventing harm;
    • Notice;
    • Collection limitation;
    • Uses of personal information;
    • Choice;
    • Integrity of personal information;
    • Security safeguards;
    • Access and correction; and
    • Accountability.

As of today, 9 of the 21 APEC economies have joined the CBPR system: the USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei/Taiwan, and the Philippines.
Is There an Assessment? Five of these—Japan, Korea, Singapore, Chinese Taipei/Taiwan, and the USA—have implemented a certification mechanism that allows accredited accountability agents to assess and certify organizations that comply with the CBPR requirements.

Privacy Recognition for Processors (PRP)

Year Established: 2015
What Is It? A set of rules for processors, created by APEC, that is based on two of the principles above: security safeguards and accountability.
Is There an Assessment? The PRP requirements are integrated with the CBPR system, so accredited accountability agents can also certify organizations for their compliance with them.

Knowing all that, the most important thing to understand is that the APEC CBPR and APEC PRP certifications are two different things:

  • APEC CBPR certification is for controllers.
  • APEC PRP certification is for processors.

Both—assuming your organization conforms to the respective requirements and passes the assessment—are issued by an accountability agent, and it is possible to be certified under both frameworks, should your organization operate as a controller as well as a processor.

5 Benefits of APEC CBPR/PRP Certification

But why should you consider getting certified at all? Several different privacy assessments might suit your organization, so let’s go over the benefits of this one in particular.

1. Competitive Advantage

If you were to check the active certifications in the CBPR system’s compliance directory, you’d see that some of the biggest names in the IT world are already certified—maybe even some of your competitors.

In our experience, certification within the CBPR system has not only given some of our clients a competitive edge in the APEC region but has also lowered the barriers they faced when setting up offices and beginning data processing in some of those member economies.

2. Easier International Development and Data Transfer

As we mentioned before, APEC certification and its underlying framework are on the brink of becoming even more relevant worldwide with the launch of the CBPR Global Forum, but even now they can be used to facilitate compliance with data transfer requirements as you expand your activities into participating economies:

  • In the Pacific: Economies like Japan and Singapore have specifically approved the use of the CBPR system as a basis for data transfers.
    • Japan, which has implemented particularly strict data protection rules, recognizes CBPR certification of the recipient as a basis on which personal data can be transferred outside of Japan.
    • Under Singapore’s data protection legislation (the Personal Data Protection Act, or PDPA), the Singapore government explicitly promotes the CBPR system as a means for organizations in Singapore to transfer personal data to certified overseas recipients without having to put another transfer mechanism in place.
  • In North America: The recent United States-Mexico-Canada Agreement cites the CBPR as a valid mechanism to facilitate cross-border information transfers while protecting personal information.
  • In Europe: Our APEC-certified clients have reported that their CBPR certification helped them in the approval process for their Binding Corporate Rules (BCRs) by European data protection authorities.
  • Bermuda: Though not an APEC member, the island recognizes the certificate as a compliance mechanism for international data transfers.

3. Improved Reputation and Reassured Customers

For those organizations charged with protecting personal data, it’s important to demonstrate to customers that you’re taking their privacy and related rights seriously. Holding a CBPR certificate can help you to demonstrate your organization’s privacy compliance posture—here’s how:

  • You’d be meeting a set of requirements that mandates informing customers about your practices and procedures related to privacy matters.
  • You’d have mechanisms in place that allow individuals to contact you and exercise their data privacy rights.
  • You’d hold a certification seal showing customers that your organization respects a high standard of privacy rules, backed by government oversight.

In the United States, accountability agents are authorized by the U.S. Department of Commerce to issue CBPR and PRP certifications. Such respected support, plus the aforementioned transparency and communication requirements, will go a long way with customers.

4. Efficient Vendor Due Diligence Tool

Vendor due diligence can be a full-time job for growing organizations, and privacy concerns can complicate that. Sure, you may have protections in place, but can your customers trust your vendors to maintain a high standard for them as well?

It would certainly help if you—and they—knew that your third-party providers held an APEC PRP certification, which includes requirements related to implemented security safeguards and accountability measures.

5. Complementary to Other Compliance Initiatives

APEC CBPR/PRP certification complements other compliance initiatives, particularly ISO certifications, and the mapping between them is advantageous in both directions.

If you were to achieve APEC CBPR/PRP certification, that could be the first step towards implementing the further controls needed to later become ISO/IEC 27701 certified—a lengthy process that also requires certification against the ISO/IEC 27001 information security standard.

On the other hand, if you already hold an ISO certification, you could use CBPR/PRP certification to improve your privacy information management system while also adding a legal basis for data transfers.

Moving Forward with APEC CBPR/PRP Certification

Right now, eight economies have joined the new global forum: Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei/Taiwan, the Philippines, and the United States. As the forum continues to expand beyond the Pacific and gain ground globally, either APEC certification can help you demonstrate to your customers that your organization follows a multi-jurisdictional privacy standard for data transfers, evidenced by a certification issued, after an independent assessment, by a third party accredited by the U.S. government.

It may be just the right corroboration you need to satisfy your customers’ privacy concerns, though you may still want to explore other options in the privacy space. If so, read our other articles on different assessments and certifications that may serve you better.

But if you find you have persisting questions—on APEC CBPR/PRP or anything else privacy-related—we’d encourage you to reach out to our team so that we can have a conversation to help you feel more comfortable with whichever assessment you’d like to pursue.

About the Author

Mathieu Legendre

Mathieu is a Senior Associate with Schellman, based in New York City, NY. Prior to joining Schellman in 2021, Mathieu worked for an accounting company, specializing in compliance and anti-corruption regulations. Before arriving in the US in 2016, Mathieu worked as an attorney in France, specializing in public law and consumer law-related matters. Mathieu also led and supported various other projects, including real estate projects and writing a World War I non-fiction book. Mathieu has over 15 years of experience comprised of serving clients in various industries, including financial services, construction, and government. Mathieu is now focused primarily on privacy for organizations across various industries.
