The Case for Certifying Your Data Privacy Program With APEC CBPR

20 July 2023

According to the Pew Research Center, half of Americans have decided not to use a product or service because of privacy concerns. Consumer data is collected and processed daily due to the increase of digitalization, globalization, and personalization, which puts consumer privacy rights at risk. Every interaction we have online, from banking to signing into a work or school portal, requires our information.

There are now so many platforms we use on a daily basis that rely on our identities, from social media platforms to loyalty schemes to location- and psychographic-based advertising, that it's impossible to keep track. Consumers are inundated with news of cybersecurity breaches, which makes them cautious about what they do with their data and whom they can trust. Some large brands even sell our data for profit. All of this only serves to hurt consumers' trust in the very organizations that need consumer data to be more effective at expanding shareholder value.

Greater awareness of privacy issues amongst individuals and governments alike has led to growing concerns over how companies collect, use, and store personal data, especially the sensitive kind (such as names, social security numbers, credit card numbers, account numbers, medical information, addresses, etc.). The need for a standard that can prove an organization's dedication to privacy, which is a basic human right, has not only become evident; it is also the direction the cybersecurity industry is beginning to take. Europe's General Data Protection Regulation (GDPR) is a prime example of international leaders recognizing the need for more stringent standards. Within GDPR, Article 42(1) calls on stakeholders to establish certification mechanisms for demonstrating compliance, and Article 42(3) specifies that certification is a voluntary process that should assist in demonstrating compliance.

This is where APEC CBPR comes in.

What is APEC CBPR?

The Cross-Border Privacy Rules (CBPR) System, endorsed by the Asia-Pacific Economic Cooperation (APEC) in 2004, is a unique framework with a significantly larger number of controls, more independent accountability oversight, and greater enforceability than is seen in other privacy standards. APEC CBPR provides a mechanism for businesses operating globally to demonstrate that they have achieved a gold standard in privacy, independently audited by a recognized accountability agent. The framework is voluntary but certifiable, making it a primary certification for demonstrating a commitment to privacy. To date, 21 member economies have adopted it.

The CBPR's purpose, according to APEC, is to facilitate privacy-respecting data flows among APEC economies by providing a set of principles designed to enhance electronic performance, facilitate trade and economic growth, and strengthen consumer privacy protections.

Currently, CBPR is active between the USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei, and the Philippines, with more expected to join soon.

What makes APEC CBPR enforceable?

Within the U.S., CBPR certification processes work in coordination with, and under the enforcement authority of, the Federal Trade Commission (FTC). The FTC enforces Section 5(a) (15 U.S.C. § 45), which covers "unfair or deceptive acts or practices in or affecting commerce." An organization's failure to abide by its own privacy policy can be acted upon by the FTC under this Section 5 authority.

In this case, earning an APEC CBPR certification provides the recognition that your organization has been reviewed by an independent accountability agent and that your organization is abiding by privacy rules. The APEC CBPR may be seen by many as a government-approved seal on your privacy practices, where violating your policies may serve as an enforceable liability.

Moreover, CBPR's main components go above and beyond to ensure voluntary and continued accountability by recognizing Accountability Agents that must comply with several requirements. These Accountability Agents are recognized by APEC and go through a rigorous approval process. There are currently just eight recognized Accountability Agents globally and only four within the United States. NCC Group is proud and honored to be one of these recognized Accountability Agents.

Accountability Agents have the responsibility of reviewing CBPR applicants, making recommendations, and helping them develop data privacy protocols. Certification is good for one year and must be renewed annually. Accountability Agents also provide continued oversight during that year, take complaints, launch investigations, and are expected to facilitate dispute resolution activities. Because certified organizations are added to a public CBPR directory, anyone with concerns or complaints can find out which Accountability Agent certified the organization and contact that Accountability Agent directly.

Transparency is the name of the game with APEC CBPR, and that is what makes companies that carry the certification trustworthy.

Why should my organization consider pursuing an APEC CBPR certification?

Demonstrate that privacy is a priority.

CBPR is currently one of the major frameworks for data controllers to certify against and can help establish an organization's position on how it addresses privacy. Not only can an organization demonstrate externally to customers that privacy is a top priority and differentiate itself from the competition, but it can also use its certification to show a commitment to data protection internally to vendors, management, and investors.

APEC CBPR certification is affordable.

The CBPR framework is ready-built, internationally recognized, and more stringent than other existing privacy frameworks. It also requires governance mechanisms that follow these principles: simplicity, transparency, low cost, and accountability to APEC economies. Not only does your organization become a trusted member, but there are no surprises or hidden fees in the framework.

Helpful for existing international compliance requirements.

The APEC CBPR program reviews 50 program requirements across 9 privacy principles. Many of these overlap with existing GDPR requirements. GDPR suggests a voluntary certification, and APEC CBPR is well positioned to serve as that recognized privacy certification.

CBPR is one of the only privacy frameworks that includes this certification element as an essential component of its privacy program. In short: being CBPR-certified lowers existing and future compliance burdens and reduces trade frictions. It will undoubtedly do so for GDPR. In fact, the EU's Article 29 Working Party (now the European Data Protection Board, EDPB) has already mapped the requirements of the EU Binding Corporate Rules (BCR) to the CBPR program. These common referential mappings identify several overlaps between the two accountability and transfer mechanisms.

Showcase that you practice good due diligence.

As mentioned above, CBPR has over 50 controls covering collection limitations, uses of personal information, the integrity of personal data, choice, security safeguards, access and correction, and accountability. It also tends to be much stricter in its ethics and guidelines for privacy than other frameworks and systems currently available. You can be sure all bases will be covered, especially across APEC member economies.

No more scrambling to juggle oversight with implementation.

Having an Accountability Agent is a great resource for your privacy team, who are probably spread pretty thin. Not only do they assist with roadmapping and development and give guidance on implementation, but they also provide third-party assurance to customers that a resolution will be reached if a privacy complaint is raised.

Drive confidence (and potentially new business).

Having your organization's name added to the directory of certified brands is a fantastic consumer confidence booster and has the potential to drive more business your way. CBPR is a growing system, and recognition for processors is a huge added benefit. Companies have already been getting benefits from adding the certification seal to their sites and joining internationally renowned brands in the directory listing.

APEC CBPR is flexible.

Not every organization will be able to (or need to) follow the controls the same way. CBPR is one of the few frameworks to take that into account. For more information, check out their self-assessment questionnaire.

What's the process for attaining an APEC CBPR certification for my organization?

First, organizations that are interested in attaining an APEC CBPR certification should contact one of the recognized Accountability Agents to get more information and determine their specific processes. For NCC Group, an organization will complete the self-assessment questionnaire to prepare for the process and submit this questionnaire for review.

From there, the assessor confirms relevant program requirements through:

  1. Examination of the provided documents
  2. Analysis and interviews with subject matter experts (SMEs)
  3. Testing and sampling

The assessor will provide Accountability Agent notes as needed and establish the applicant's status of compliance (Fully Compliant, Partially Compliant, or Not Compliant).

For any requirement that isn't fully compliant, recommendations will be issued to the client for the deficiencies that require mitigation. Once deficiencies are mitigated, these items will be retested to ensure compliance. Once the organization obtains full compliance on all controls, it will be granted certification. The organization will then have the right to display the APEC CBPR Certification Mark on its websites (and other marketing material) and will be added to the NCC Group and CBPR directories.

Still curious about APEC CBPR?

Learn how APEC CBPR compares to other standards like ISO 27701, or reach out to an NCC Group compliance expert to help determine if certification is right for you.