Certifications Archives | TrustArc https://trustarc.com/topic-resource/certifications/

The Power of Data Privacy Certifications: Building Trust and Competitive Advantage for Your Business https://trustarc.com/resource/power-data-privacy-certifications/ Thu, 14 Nov 2024 16:21:29 +0000
Article

The Power of Data Privacy Certifications: Building Trust and Competitive Advantage for Your Business

As our global business landscape grows ever more complex, privacy and data protection have moved from the background to the forefront of consumer and business conversations. Data privacy certifications are increasingly vital to demonstrate commitment to regulatory compliance, build trust, and differentiate in a crowded marketplace.

For businesses operating in today’s data-rich environment, privacy certifications are no longer optional. They represent a proactive approach to managing data responsibly and mitigating risk while serving as a critical competitive advantage.

Why do data privacy certifications matter?

Privacy certifications act as independent verification of a company’s adherence to global privacy standards, achieved through rigorous, technology-driven audits. They serve as a powerful testament to a business’s commitment to upholding data privacy and security, reducing legal and financial risks, and protecting an organization’s reputation.

When businesses display a data privacy certification, they signal to customers, partners, and regulators alike that data protection is a priority and not merely a compliance checkbox.

In an era where privacy is a default consumer expectation, companies are tasked with managing a myriad of complex regulations, from GDPR and CCPA to frameworks specific to regions or industries. Privacy certifications help enterprises demonstrate compliance in a trusted, standardized way that builds confidence among stakeholders and positions them as leaders in privacy and security.

Key benefits of privacy certifications

Demonstrate compliance

Privacy certifications, such as those offered by TRUSTe, validate that an organization’s practices meet the requirements of specific privacy regulations and frameworks. This is increasingly essential in today’s regulatory landscape, where failure to comply can result in hefty fines and legal repercussions.

Certifications offer organizations a clear, structured path to compliance, making it easier to meet regulatory demands and proactively address evolving privacy laws.

Risk mitigation

Poor data protection practices and non-compliance with privacy laws can be devastating to an organization. Certifications reduce the risk of such incidents by verifying that robust data protection practices are in place, and they can provide organizations with a cross-border data transfer mechanism that meets global standards, including the new Global Cross-Border Privacy Rules (CBPR) framework.

Additionally, the certification process itself helps ensure legal compliance by highlighting specific areas that need attention and offering actionable insights to close any compliance gaps. This proactive approach allows companies to safeguard sensitive data, reduce exposure to legal liability, and avoid costly non-compliance penalties.

Interoperability across privacy and security standards

One of the unique advantages of TRUSTe certifications is their interoperability across multiple privacy and security standards. TrustArc’s certifications align with regulations and frameworks such as GDPR, CCPA, HIPAA, and ISO 27001, providing a seamless solution for organizations that need to comply with multiple regulations simultaneously.

This interoperability not only simplifies compliance efforts across different jurisdictions but also reduces operational complexity, allowing organizations to focus on strategic objectives while maintaining a consistent approach to data privacy.

Build trust and enhance reputation

Organizations that achieve privacy certifications benefit from the TRUSTe Certified Privacy Seal, a recognized symbol of trust and commitment to data protection. Displayed on digital properties, this seal—viewed billions of times globally—provides consumers, partners, and regulatory bodies with assurance that the organization adheres to privacy best practices. As an internationally respected mark of compliance, the TRUSTe seal elevates an organization’s reputation, increasing customer confidence and fostering brand loyalty.

Streamline data transfers across borders

Certain privacy certifications (Data Privacy Framework Verification and the APEC/Global CBPR & PRP Certifications) simplify international data transfers by establishing a compliant mechanism for moving data across borders. Programs like TRUSTe’s Data Privacy Framework Verification streamline adherence to cross-border data transfer regulations, supporting compliance with the requirements of each participating jurisdiction. These certifications let businesses operate smoothly on a global scale by reducing the complexity and risk of international data transfers.

TRUSTe Certifications

TRUSTe provides a suite of privacy certifications tailored to meet diverse business needs across sectors and regions. Here’s an overview of some of the most popular certifications:

Responsible AI Certification:

This certification ensures that your organization’s AI data governance is fair, transparent, and accountable, aligned with industry-leading AI standards and regulations.

  • Showcase responsible AI practices: The certification incorporates standards from NIST and the OECD, as well as regulatory frameworks such as the EU AI Act, demonstrating to partners and consumers that your AI implementations prioritize privacy and ethical data usage.
  • Future-proof AI compliance: With rapid advancements in AI regulations, the Responsible AI Certification helps your organization navigate new compliance requirements and fosters trust by showing a commitment to responsible AI data governance.
Discover how Responsible AI Certification can future-proof your AI governance.


APEC and Global CBPR & PRP Certification:

The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certifications are internationally recognized frameworks for managing secure cross-border data flows. Now extending beyond APEC through the Global CBPR Forum, this certification facilitates compliant data transfer across major economies, including the USA, Canada, Japan, Korea, Singapore, Mexico, the Philippines, Chinese Taipei, and Australia.

  • Vendor management: CBPR’s principles align closely with vendor management practices across jurisdictions, making it easier for organizations to onboard and manage vendors in compliance with international privacy standards.
  • Cross-border data transfer risk: CBPR certification includes a rigorous assessment of data processing purposes and third-party risk management practices, enhancing security in data transfer scenarios.
  • Dispute resolution: As a designated Accountability Agent, TrustArc provides oversight on privacy complaints and offers a structured approach to dispute resolution.
  • International recognition: The CBPR system is one of the few privacy frameworks recognized internationally. With enforcement requirements across jurisdictions, it supports global trade while demonstrating an organization’s commitment to protecting customer data.
  • Robust certification standards: CBPR compliance includes security safeguards, data access rights, and ethical data use requirements. Notably, CBPR requires third-party Accountability Agent oversight, adding an independent verification layer that strengthens credibility.
  • Industry-leading Accountability Agent: TRUSTe was the first designated Accountability Agent in the USA and the world and remains a leader in CBPR certifications. As a key stakeholder in the CBPR system, TRUSTe collaborates with industry leaders and government bodies to drive the ongoing growth and evolution of this internationally recognized framework.
Learn how CBPR & PRP Certifications simplify global data transfers and vendor management.

Data Privacy Framework Verification:

Covering the EU-U.S. Data Privacy Framework (DPF), Swiss-U.S. Data Privacy Framework, and UK extension to the EU-U.S. Data Privacy Framework, this verification supports compliant data transfers across borders.

  • Comprehensive compliance for data transfers: DPF participation provides a straightforward, reliable, and cost-effective solution for data transfers between the U.S. and the EU. Because the DPF is backed by a European Commission adequacy decision, personal data can be transferred to participating U.S. organizations without supplementary safeguards, offering businesses a significant compliance advantage.
  • Robust demonstration of compliance: DPF verification by TrustArc confirms that organizations meet the obligations of the DPF, which is backed by both the U.S. government and the European Commission. This allows organizations to demonstrate trusted compliance in cross-border data handling.
  • Versatile approach to data transfers: Unlike other mechanisms such as SCCs, which require separate agreements for each individual data flow, DPF participation provides businesses with the flexibility to cover all their data flows under a single framework. Whether addressing enterprise-wide data transfers or focusing on a specific data flow, the DPF streamlines compliance and eliminates the need for multiple, redundant agreements.
Streamline cross-border compliance with Data Privacy Framework Verification.

TRUSTe Enterprise Privacy Certification:

This certification aligns your organization with a range of international privacy standards, offering a trusted foundation for comprehensive data privacy compliance.

  • Global standards alignment: TRUSTe Enterprise Privacy Certification incorporates standards from the OECD Privacy Guidelines, APEC Privacy Framework, GDPR, HIPAA, and ISO 27001, aligning your organization with major privacy and security regulations worldwide.
  • Data privacy risk management: Through a detailed assessment, TrustArc identifies privacy compliance risks and provides tailored recommendations to close any gaps, helping reduce compliance costs and risks.
  • Expert guidance and continuous compliance: TrustArc’s global privacy experts support your organization with operational solutions, curated templates, and ongoing compliance guidance, including annual reviews to ensure standards are consistently met.
Build a privacy-first organization with the TRUSTe Enterprise Privacy Certification.

TRUSTe GDPR Validation:

This certification provides independent validation that your organization’s practices meet GDPR requirements, building trust with customers, partners, and regulators.

  • Proof of compliance and risk mitigation: Through a third-party assessment, TrustArc offers a comprehensive review of GDPR compliance, saving time and resources by providing detailed action plans to address any gaps.
  • Flexible validation options: TrustArc offers two types of GDPR validations: the GDPR Practice Validation for specific departments or practices and the GDPR Program Validation, which includes a Privacy Notice review for a company-wide approach.
  • Enhanced brand trust: The GDPR Letter of Validation can be shared on your website or in vendor assessments, demonstrating a robust compliance program to stakeholders.
Validate your GDPR compliance and build stakeholder trust.

TRUSTe certifications are designed to simplify complex compliance requirements, offering a proactive approach to privacy risk management that demonstrates your commitment to privacy, security, and regulatory compliance on a global scale.

The TRUSTe Certification Process

Achieving a TRUSTe certification involves a structured yet accessible process that includes:

  1. Discovery and evaluation: An expert privacy solutions manager conducts an assessment to understand the organization’s current practices and identify any gaps.
  2. Gap analysis: Organizations receive a detailed report with actionable recommendations, enabling them to strengthen their privacy practices in alignment with regulatory requirements.
  3. Remediation insights: Gain remediation insights and access to operational templates that support your certification journey.
  4. Accessible audit trail: Use TrustArc’s platform for a comprehensive audit trail, streamlining compliance and audit responses.
  5. Certification and continuous compliance: Once compliance is confirmed, companies receive a letter of attestation, a public-facing TRUSTe seal, and are listed in TrustArc’s Compliance Directory. TRUSTe also provides ongoing compliance monitoring and dispute resolution services, offering long-term support to uphold certification standards.

The TRUSTe advantage

With over 25 years at the intersection of privacy and technology, TrustArc has become a leader in privacy assurance solutions. The TRUSTe team consists of global experts in law, business operations, and regulatory policy, delivering certifications that align with standards from GDPR and CCPA to FIPPs and APEC CBPR.

Leveraging the TRUSTe advantage helps organizations demonstrate a serious commitment to data protection and stay ahead in today’s privacy-conscious world.

Turning privacy into business power

As businesses navigate a landscape rich with privacy concerns and regulatory complexities, privacy certifications have become essential. They offer companies a clear path to compliance, risk mitigation, and competitive advantage by demonstrating a verifiable commitment to privacy.

For enterprises looking to build trust and operate responsibly on a global scale, privacy certifications provide not only a robust compliance strategy but also a meaningful way to assure stakeholders and customers that data privacy is a priority.

When you invest in a privacy certification with TrustArc, you’re not just meeting a requirement—you’re making a proactive business decision that builds trust and sets your company apart as a leader in data privacy and protection.

Take the first step toward robust privacy compliance—get started today.

Elevate Your Business: Unpack the Power of Privacy Certifications https://trustarc.com/resource/webinar-elevate-your-business-unpack-the-power-of-privacy-certifications/ Thu, 26 Sep 2024 12:23:32 +0000
Webinar

Elevate Your Business: Unpack the Power of Privacy Certifications

  • On Demand

As the global business landscape evolves, privacy concerns and regulations have catapulted to the forefront of consumer and business conversations. Enterprises worldwide must recognize, embrace, and, most importantly, demonstrate their commitment to data privacy. Enter privacy certifications – a beacon of trust in the world of compliance. But what are they, and why are they vital for your business? Join us to explore this fascinating arena of privacy assurance.

Privacy certifications, administered through independent, technology-driven audits, serve as a testament to a company’s adherence to global data privacy and protection standards. They are a powerful tool that not only demonstrates a commitment to privacy compliance but also significantly reduces legal, financial, and reputational risks. Moreover, they provide a mechanism for legal data transfer across borders, ensuring conformity with regional and global regulations.

In a world where data and privacy vulnerabilities are the new norm, a privacy certification is no longer an option; it’s a business imperative. Certifications enhance your organization’s reputation, promote trust among consumers and business partners, and help differentiate your brand in an increasingly competitive market.

But how do you navigate the path to obtain these certifications? Don’t worry, we’ve got you covered! Our webinar will provide valuable insights on the different types of certification, how to determine which one is right for your business, as well as the end-to-end steps to certification.

Join us to understand how privacy certifications bolster your privacy strategy, drive your business forward, and position you as a leader in the data privacy landscape. Let’s decode the complexity of privacy together.

In this webinar, you will:

  • Understand the function and importance of privacy certifications in today’s business environment.
  • Learn about the different types and functions of privacy certifications and how to navigate the path to obtaining one.
  • Discover how privacy certifications enhance your business reputation and drive growth.

This webinar is eligible for 1 CPE credit.

Webinar Speakers

Paria Asadbikli Global Privacy Manager, TrustArc
Ridhi Varma Global Privacy Manager, TrustArc
Everything You Need to Know About Global CBPR But Are Afraid to Ask https://trustarc.com/resource/webinar-everything-you-need-to-know-about-global-cbpr-but-are-afraid-to-ask/ Wed, 28 Aug 2024 23:16:09 +0000
Webinar

Everything You Need to Know About Global CBPR But Are Afraid to Ask

  • On Demand

The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems have led to the creation of the Global CBPR Forum. To benefit consumers and businesses, Global CBPRs seek to expand the benefits of data transfer beyond the APAC region, while continuing to promote trust and accountability, so data can be transferred responsibly across borders with ease.

The USA, Canada, Japan, Korea, Singapore, Mexico, the Philippines, Chinese Taipei, and Australia have already attained full membership in the Global CBPR Forum, and the UK has signed on as an associate member, with countries on all populated continents expressing interest. Many stakeholders have come together to find an efficient, robust solution to the complexities of international data transfer obligations. This certification allows companies to demonstrate a commitment to data protection and extends that protection across your supply chain.

How does the Global CBPR Forum differ from the APEC system? How do Global CBPR and PRP certification reduce the level of effort in transferring data across regions? How will it impact your organization? Why and how to get certified? Bonus: How can you use the Global CBPR Forum Framework beyond data transfers?

This webinar will review:

  • The benefits of Global CBPR & PRP certification
  • How CBPR & PRP certification reduces the effort and activities required around managing international data transfers
  • Interoperability with other key privacy regulations and how the framework can be used beyond international data transfers
  • How certification provides a robust data transfer mechanism for your business
  • How to streamline your vendor onboarding process based on CBPR principles

This webinar is eligible for 1 CPE credit.

Webinar Speakers

Val Ilchenko General Counsel & Chief Privacy Officer, TrustArc
Noël Luke Chief Assurance Officer, TrustArc
Maciej Piszcz Senior Assurance Program Manager, AI & Global Privacy, TrustArc
Why Your Business Needs an EU-US Data Privacy Framework Verification https://trustarc.com/resource/business-eu-us-data-privacy-framework-verification/ Wed, 19 Jul 2023 20:12:00 +0000
Articles

Why Your Business Needs an EU-US Data Privacy Framework Verification

From Safe Harbor to Privacy Shield to what is now known as the EU-US Data Privacy Framework, personal data transfers between the European Union and the United States have been on a decades-long rollercoaster.

Transferring personal data from the EU to the US has been more complicated and expensive since Schrems II. A data transfer agreement to restore personal data flows between these economic regions is critical for healthy commerce, trade, and investment. Privacy professionals have been waiting patiently for an adequacy decision since March 2022, when a new agreement was announced.

EU-US Data Privacy Framework adequacy decision announced

Now that the European Commission has adopted a positive adequacy decision for the EU-US Data Privacy Framework, companies can self-certify their participation in the data transfer mechanism as of Monday, July 17, 2023. The EU-US Data Privacy Framework (and UK extension) replaces Privacy Shield and regulates transatlantic data flow starting in July 2023.

EU entities are able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards. If your company has been using another data transfer mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), there are still benefits to participating in the Data Privacy Framework.

For example, SCCs:

  • Require Transfer Impact Assessments (TIA)
  • May require supplementary measures
  • Have to be negotiated in every contract
  • Have to be updated for every new transfer

The Data Privacy Framework requires no TIA or supplementary measures, and participation only needs to be certified, verified, and renewed once a year. New transfers qualify under the existing mechanism. As a data transfer mechanism, the Data Privacy Framework requires fewer internal resources and is more affordable for small and medium businesses when compared to SCCs.

How is the EU-US Data Privacy Framework different from Privacy Shield?

The Court of Justice of the European Union (CJEU) overturned Privacy Shield due to U.S. government access to data, not because of commercial protection concerns.

From a business perspective, the Data Privacy Framework is similar in many ways to the former agreement. But it addresses the surveillance concerns raised in the Schrems II decision as outlined in Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities.”

Additionally, the U.S. has established a Data Protection Review Court (DPRC) to provide European individuals with a proper redress mechanism for qualifying complaints of violations of the United States law in relation to its intelligence activities.

Therefore, obligations for businesses that were previously Privacy Shield verified will be minimal. The Data Privacy Framework Program FAQ explains, “the EU-U.S. DPF does not create new substantive obligations for participating organizations with regards to protecting EU personal data. The privacy principles and the process to initially self-certify and annually re-certify remain substantively the same.”

The primary action for organizations will be to clarify privacy notices for EU individuals and to confirm notices contain all disclosures required under the Data Privacy Framework notice principle.

If your data processing agreements with third parties reference Privacy Shield, these agreements should be updated to instead reference the Data Privacy Framework.

What about Schrems?

As many have suspected, Max Schrems and noyb aren’t satisfied with the new agreement for EU-US data transfers.

“We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”

Max Schrems, noyb

Schrems also explains there are various options for a challenge to the new framework and expects that it will be back at the Court of Justice “by the beginning of next year.”

Yet, when Alex Greenstein, Director of the Privacy Shield and Data Privacy Framework program at the U.S. Department of Commerce, was asked about another Schrems court challenge, he expressed that the U.S. government and the European Commission believe they’ve addressed the concerns raised in the Schrems II decision.

For now, this current framework restores an important legal basis for transatlantic data flows and participation in the digital economy to expand economic opportunities. And if the past is any indication, it took four years for the CJEU to examine the Privacy Shield challenge. Experts expect it will take two to three years before a CJEU examination of the EU-U.S. Data Privacy Framework.

Getting a Data Privacy Framework Verification

Companies must meet strict requirements to protect Europeans’ personal data under the new framework.

A Summary of Key Requirements for Participating Organizations:

  • Inform individuals about data processing
  • Provide free and accessible dispute resolution
  • Cooperate with the U.S. Department of Commerce (DoC)
  • Maintain data integrity and purpose limitation
  • Ensure accountability for data transferred to third parties
  • Be transparent about enforcement actions
  • Ensure commitments are kept as long as data is held

For organizations that didn’t withdraw from Privacy Shield, there’s a three month grace period to update company policies to reflect the new Data Privacy Framework. This grace period provides the FTC with continuous coverage to enforce companies’ commitments to Privacy Shield. Your Privacy Shield and Data Privacy Framework certification renewal date won’t change.

Review the complete EU-U.S. and Swiss-U.S. Data Privacy Framework and UK Extension to the EU-U.S. and/or Swiss-U.S. Data Privacy Framework Verification Program Assessment Criteria.

Swiss-U.S. Data Privacy Framework and The UK Extension

Participation in either the EU-U.S. or Swiss-U.S. Data Privacy Frameworks also enables participating organizations to participate in the UK Extension to the EU-U.S. Data Privacy Framework to enable data transfers from the UK to the U.S.

While organizations can prepare for the Swiss-U.S. Data Privacy Framework and the UK extension now, data transfer benefits under those frameworks aren’t available until each country presents an adequacy decision for the U.S.

TrustArc makes our Privacy Shield compliance process easy and straightforward.

Darren D., Chief Information Security Officer

Why use TRUSTe vs. self-certification?

A Data Privacy Framework Verification and seal is the simplest, most reliable, and cost-effective way to ensure EU-U.S. personal data transfer compliance. The verification provides a robust demonstration that you’ve met the obligations of the DoC and European Commission.

The public seal shows consumers and trade partners your standard of compliance, and DPF participation means you will not need to implement complicated supplementary measures.

Certification is administered by the U.S. DoC, which processes applications for certifications and monitors whether participating companies continue to meet the certification requirements. Compliance with the framework will be enforced by the U.S. FTC.

The TRUSTe verification process helps companies prepare for self-certification with the DoC and provides accountability oversight. Your company can self-certify with confidence knowing TRUSTe, as an Accountability Agent, has verified that your organization meets the Data Privacy Framework principles with the appropriate data protection measures in place.

Optionally companies can also use TRUSTe services for dispute resolution (independent redress mechanism).

The TRUSTe Assurance process

  • Conduct privacy review: Understand your data policies and practices through a privacy analysis.
  • Demonstrate compliance: Answer questions aligned with the requirements to ensure compliance with the framework principles.
  • Customized action plan: Receive a gap analysis and action plan including written guidance on compliance posture and remediation recommendations to achieve compliance.
  • Remediation and verification: Collect, compile, or generate documents or processes to demonstrate compliance.
  • Privacy notice review and seal assurance: TRUSTe serves as your verification agent for your U.S. Department of Commerce filing, including a TRUSTe-reviewed Privacy Notice, Letter of Attestation, and a seal for public posting.
  • Ongoing monitoring and guidance: Ongoing compliance monitoring and dispute resolution provide privacy expertise for your business. Documentation and an audit trail are available in case it’s needed.

Building Trust and Competitive Advantage: The Value of Privacy Certifications https://trustarc.com/resource/webinar-building-trust-and-competitive-advantage-the-value-of-privacy-certifications/ Tue, 13 Jun 2023 17:06:00 +0000
Webinar

Building Trust and Competitive Advantage: The Value of Privacy Certifications

  • On Demand

As privacy concerns continue to grow, businesses are under increased pressure to demonstrate their commitment to protecting personal data. Privacy certifications are emerging as a way for organizations to demonstrate they are taking privacy seriously and following best practices.

Whether you are a small business or a large corporation, understanding the value of privacy certifications and how they can help you demonstrate your commitment to protecting personal data is important.

Join our experts in this webinar as they go over the importance of how privacy certifications can unlock business value and help you stay ahead of the competition in today’s privacy-conscious landscape.

Join the TrustArc privacy experts to learn:

  • The rise of privacy certifications
  • Different types of available privacy certifications
  • The benefits of obtaining certifications
  • How to leverage privacy certifications to unlock business value

Webinar Speakers

Noël Luke Chief Assurance Officer, TrustArc
Kate Barecchia VP, Deputy General Counsel & Global Data Privacy Officer, Imperva
5 Benefits of APEC CBPR Certification You Should Know About https://trustarc.com/resource/5-benefits-of-apec-cbpr-certification/ Thu, 10 Nov 2022 17:23:00 +0000
Articles

5 Benefits of APEC CBPR Certification You Should Know About

Casey Kuktelionis

You’ve heard about the APEC CBPR Certification, but what is it? How does it help your business? What are the benefits of APEC CBPR Certification? And is it worth it?

Let’s start with the basics.

What is APEC?

APEC stands for Asia-Pacific Economic Cooperation. Established in 1989, it’s a forum for 21 Pacific Rim member economies that promotes trade, investment, and economic growth throughout the region.

Members include all countries with a coastline along the Pacific Ocean, including China, Japan, and the United States.

The 21 APEC members represent over 40% of the world’s population and over 60% of global GDP, which is significant if you’re operating a global business.

  • Australia
  • Brunei Darussalam
  • Canada
  • Chile
  • People’s Republic of China
  • Hong Kong, China
  • Indonesia
  • Japan
  • Republic of Korea
  • Malaysia
  • Mexico
  • New Zealand
  • Papua New Guinea
  • Peru
  • the Philippines
  • the Russian Federation
  • Singapore
  • Chinese Taipei
  • Thailand
  • the United States of America
  • Vietnam

APEC members work together to improve the business operating environment and reduce red tape between these economies.

Some of the ways members achieve this include faster customs procedures at borders, more favorable business climates behind the border, and aligning regulations and standards across the region.

All economies have an equal say and decision-making is reached by consensus. There are no binding commitments or treaty obligations and commitments are undertaken on a voluntary basis.

APEC also supports the multilateral trade negotiations underway in the World Trade Organization and complements the goals of the G20.

What is the APEC CBPR System?

CBPR stands for Cross-Border Privacy Rules. And as you may be guessing, the APEC CBPR system seeks to facilitate compliant and safe cross-border data transfers between participating economies.

The system is administered by the Joint Oversight Panel, assisted by the CBPR Secretariat, which consult with prospective APEC CBPR economies and determine whether an economy satisfies the participation requirements.

They also consult with and review applications for prospective Accountability Agents and handle Accountability Agent complaints.

The goal of the CBPR system is to protect personal information while ensuring the delivery of innovative products without the barriers of differing economies’ regulations, through voluntary accountability.

This system helps establish standards for transferring data across borders so that personal information is protected and the requirements are enforceable if violated in those jurisdictions.

It also sets the criteria for bodies to become recognized as CBPR system Accountability Agents, and a process for information controllers to be certified as compliant with the APEC CBPR system.

The CBPR system works to protect personal data by requiring:

  • Enforceable standards – economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies
  • Accountability – a company must demonstrate to an Accountability Agent that it meets the CBPR program requirements
  • Risk-based protections – companies must implement security safeguards for personal data
  • Consumer-friendly complaint handling – collaboration with Accountability Agents to resolve disputes between consumers and certified companies
  • Consumer empowerment – companies must provide consumers with the opportunity to access or correct their personal data
  • Consistent protections – all participants must agree to abide by the 50 CBPR program requirements
  • Cross-border enforcement cooperation – regulatory authority cooperation on the enforcement of program requirements

An APEC economy must demonstrate that it can enforce compliance with the CBPR System’s requirements before joining.

There are currently nine participating APEC CBPR System economies: United States, Mexico, Japan, Canada, the Republic of Korea, Australia, Chinese Taipei, and the Philippines.

The APEC Privacy Framework

Created in 2005 and updated in 2015, the APEC Privacy Framework was designed to provide an accountable approach to managing data privacy protection and the flow of personal information across borders.

The APEC CBPR system requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework.

The preamble of the updated APEC Privacy Framework states,

“APEC economies realize that a key part of efforts to improve consumer confidence and ensure the growth of electronic commerce and innovation must be cooperation to promote both effective information privacy protection and the free flow of information in the Asia Pacific region, while respecting domestic laws and regulations, applicable international frameworks for information privacy protection, and strengthening information security in the Asia Pacific region.”

This framework is based on the OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, which are recognized as the global minimum standard for privacy and data protection.

The APEC Privacy Framework establishes a multilateral mechanism that enables Privacy Enforcement Authorities to cooperate in cross-border privacy law enforcement.

This mechanism is the Cross-border Privacy Enforcement Arrangement (CPEA).

Any Privacy Enforcement Authority in any APEC member economy can participate.

A Privacy Enforcement Authority is any public body that is responsible for enforcing privacy law and has the power to conduct investigations or pursue enforcement proceedings.

Businesses can demonstrate their adherence to the APEC Privacy Framework by certifying their privacy practices to the following standards:

  • Cross Border Privacy Rules (CBPR) System – which governs “data controller” privacy practices
  • Privacy Recognition for Processors (PRP) System – which governs “data processor” privacy practices

You’ll notice the certifications differ based on whether the entity is a data controller or data processor.

APEC CBPR Certification

CBPR certification is currently available to companies headquartered in Japan, Korea, Singapore, and the United States. An independent Accountability Agent is needed to certify your organization’s compliance with the CBPR Program Requirements.

Applications are sent to APEC-recognized Accountability Agents who will begin the compliance review process to verify compliance with the CBPR system.

If an applicant meets the minimum criteria required, the Accountability Agent will be responsible for monitoring its compliance with the CBPR system criteria.

These criteria assess an applicant’s:

  • Notice of personal information and privacy policies
  • Collection limitations to specific purposes stated at time of collection
  • Use, transfer, and disclosure of personal information
  • Choice for individuals in relation to the collection, use, and disclosure of their personal information
  • Integrity of personal information maintained by the controller
  • Security safeguards to protect individuals’ personal information from loss, unauthorized access or disclosure, or other misuses
  • Access and correction for individuals to update their information when reasonable
  • Accountability for complying with measures that make the other criteria operational

While this is just intended to be a summary, you can review the complete APEC Cross-Border Privacy Rules System Program Requirements.

Five benefits of APEC CBPR Certification

Alignment with global frameworks and global trade facilitation

An APEC CBPR certification is based on the same principles that inform the OECD Guidelines, the Fair Information Practice Principles, the EU-U.S. Privacy Shield, and the General Data Protection Regulation.

As such, a CBPR certification will help align your organization’s policies to various international privacy frameworks.

This will lower the compliance burden and save your employees the time otherwise spent implementing a patchwork of privacy regulations.

If you haven’t started a privacy program yet, completing the necessary actions within the CBPR certification process will create a data privacy roadmap for your business.

Using a baseline of standard privacy protections for personal information, businesses can become a trusted entity for protecting consumer data.

An APEC CBPR certification makes conducting business in participating economies easier and helps to facilitate the increasing trade relationship between APEC economies.

The United States-Mexico-Canada Agreement, which replaced the North American Free Trade Agreement to mutually benefit employees and businesses and grow the North American economy, also formally recognizes the APEC CBPR System to further facilitate global trade.

Using vendors, outsourcing operations, or partnering with APEC economies can reduce your business costs through access to labor, materials, and new supply chains, all of which benefits the growing global economy.

Jurisdiction-specific data transfer benefits

This cohesive set of privacy rules allows the responsible transfer of data between participating economies. Rather than spending time and money sorting out the rules of every individual jurisdiction, participants have an approved network for cross-border transfers.

The CBPR certification gives companies and employees confidence that the transaction will adhere to data protection standards while eliminating unnecessary burdens.

In Japan, companies that have a CBPR certification do not have to obtain consent to transfer data to another country, which is otherwise required under Japanese law.

An APEC CBPR certification may also make it easier for an organization to obtain approval for its Binding Corporate Rules in the European Union.

Since 2013, APEC member economies and EU officials have been collaborating to promote interoperability between the two regional transfer mechanisms.

In-network transactional streamlining

If you have an APEC CBPR certification, the privacy practices of your organization will be in line with other CBPR-certified organizations, thereby facilitating transactions between participants.

The certification opens businesses up to a wide range of partners and new locations to support your business growth goals.

Some of the companies that hold CBPR certification are:

  • Apple Inc
  • Asurion LLC
  • Electronic Arts
  • Expedia Inc
  • General Electric Company
  • Hewlett Packard Enterprise Company
  • International Business Machines Corporation
  • Johnson Controls Inc
  • Mastercard
  • PGA Tour Inc
  • Rackspace Technology Global Inc
  • Workday Inc

Create competitive differentiation and increase consumer trust

Consumers globally are standing up to companies that don’t establish transparent data practices, or adhere to privacy regulations such as GDPR. Alignment with global privacy frameworks and a certification seal demonstrate that a business values consumer privacy.

People still want a relationship with businesses; they just want more control over how their data is collected, used, and shared. Enabling this control generates consumer trust in your business.

It helps your marketing and communications teams as well. If consumers can better communicate their preferences to businesses, you can respond with more relevant messages to better meet their needs.

Rather than spending time and effort on mass promotions, messages can be more personalized and generate a better ROI.

And because not every business has been forced to catch on (through regulations in their region), consumer-first data practices can set you apart from your competition. At least, it’s worked for Apple, anyway.

Compliance and resolution efforts

Part of maintaining consumer trust is giving data subjects a method for resolving disputes with your organization.

Obtaining a CBPR certification means your Accountability Agent will handle the frontline consumer complaints and dispute resolution. This helps to ensure key issues are addressed before they become larger problems.

Facilitate the compliant transfer of data among participating APEC economies

TRUSTe, a subsidiary of TrustArc, was unanimously approved to be the first Accountability Agent to certify data transfer practices under the CBPR framework for data controllers and the APEC PRP framework for data processors.

First, TrustArc will assess your privacy program’s operations to understand and work with you to remediate any compliance risks. You’ll receive expert guidance through the process with our powerful technology.

Based on the information gathered from the assessment, you’ll be guided through the remediation process with support to ensure the required changes are complete.

As proof of the TRUSTe Certification, an official Letter of Attestation can be shared with your business partners, providing your organization with competitive differentiation.

User Data Privacy: A Top Focus for Xiaomi https://trustarc.com/resource/user-privacy-focus-xiaomi/ Wed, 16 Feb 2022 16:24:00 +0000 https://trustarc.com/?post_type=resource&p=2694
Articles

User Data Privacy: A Top Focus for Xiaomi

Casey Kuktelionis

Xiaomi scores big on user data privacy protection

User privacy has become front and center for organizations across the globe – and for a good reason. More data is being collected than ever before.

Trends, such as big data and analytics and the Internet of Things, have accelerated how data is collected, stored, and used. This acceleration has also inspired a flurry of user privacy laws, leaving teams scrambling to keep up.

Although this is a time-consuming task, respecting user privacy and achieving GDPR compliance have their benefits. Organizations that prioritize user privacy effectively build trust with consumers.

Whether your organization’s consumers are other businesses or the general population, privacy management is becoming a differentiator.

People and organizations are putting more weight on user privacy as a factor in their decision making.

In fact, Forrester’s research revealed that three-quarters (75%) of organizations say they consider the safeguarding of customers’ privacy to be a competitive differentiator.

Your customers want to do business with organizations they can trust.

For that reason, it’s easy to see why Xiaomi, a consumer electronics company, upholds the highest standards of user privacy policies and practices.

Exciting products without sacrificing user privacy

Xiaomi is a Global Fortune 500 company founded on the core value of privacy. They manufacture consumer electronics such as smartphones and smart hardware connected by an IoT platform.

As one of the world’s leading smartphone companies, Xiaomi’s IoT platform has over 400 million connected smart devices. Or in other words, a plethora of data.

Rather than profit from its user data, Xiaomi took the path less traveled. From its inception in 2010, it has adopted the concept of privacy by design in its product development process.

Xiaomi is constantly seeking innovative technologies to protect user privacy.

By following 5 privacy principles, Xiaomi embraces its vision to make friends with users and be the coolest company in the users’ hearts.

Friends are transparent. Friends aren’t out there selling your stuff behind your back or sending you spammy messages. Friends have your back. Just like Xiaomi has its customers’ backs.

Before GDPR was passed, Xiaomi established its Security and Privacy Committee in 2014. Two years later, Xiaomi became the first Chinese enterprise to receive TrustArc’s Enterprise Privacy certification.

After adopting the EU GDPR compliance assessment in 2018, Xiaomi has continued to improve data protection and user privacy through assessments and certification.

How Xiaomi’s user data privacy protection keeps improving

Staying true to its values, Xiaomi wanted to ensure that its processing of personal information is performed in compliance with the General Data Protection Regulation.

To do so, Xiaomi decided to conduct an independent audit of its data protection and security management through TrustArc.

Cui Baoqiu, Xiaomi Vice President and Chairman of the Security and Privacy Committee, explains in a press release: “The GDPR Validation Assessment is an important step in continuously enhancing the company’s data and security compliance.

We regularly engage with TRUSTe, as well as other credible institutions globally to warrant that Xiaomi’s user privacy protection, including GDPR compliance, keeps improving and perfecting its practices to offer our users reliable and trustworthy products and services.

I’m very pleased to see that Xiaomi has completed TRUSTe’s annual audit of GDPR privacy compliance, which demonstrates our commitment to privacy protection.”

The TrustArc GDPR Validation Requirements focus on privacy program level measures in eight areas:

  1. Integrated Governance
  2. Risk Management
  3. Resource Allocation
  4. Policies and Standards
  5. Processes
  6. Awareness and Training
  7. Monitoring and Assurance
  8. Reporting and Certification

The measures in this assessment are designed to provide reasonable assurance that all 40 GDPR Validation Requirements are met.

Due to Xiaomi’s commitment to user privacy at its core, it has met the applicable validation requirements for processing personal information.

Compliance inspires brand loyalty

An organization with as much data as Xiaomi can’t risk the consequences of violating GDPR or the loss of customer trust. Meeting the GDPR validation requirements gives Xiaomi executives peace of mind when it comes to user privacy and data security.

While some organizations are just starting to comply with privacy regulations, Xiaomi has embraced user privacy from the beginning. This demonstrated commitment to privacy protection sets Xiaomi apart from its competitors and inspires a friendship with its customers.

No matter the size of the organization, user data privacy is no longer a “nice to have” – it’s a “must have” to stay competitive in today’s market. Don’t treat customer privacy as just another thing to do. Embrace user privacy to build consumer trust and loyalty to your brand.

Merck Successfully Concludes First APEC-based BCR Approval https://trustarc.com/resource/merck-successfully-concludes-first-apec-based-bcr-approval/ Tue, 22 Mar 2016 14:55:00 +0000 https://trustarc.com/?post_type=resource&p=3013
Articles

Merck Successfully Concludes First APEC-based BCR Approval

How did Merck successfully achieve the first APEC-based BCR approval?

On March 1st, Merck & Co. Inc. formally concluded their Binding Corporate Rules (BCR) approval process with the Belgian Data Protection Authority, becoming the 82nd company to achieve the compliance landmark. But in a global first, Merck based its BCR application on its APEC Cross Border Privacy Rules (CBPR) certification.

This work was facilitated by Merck’s use of a common referential developed by the Article 29 Working Party and APEC’s Data Privacy Sub Group in 2014 to facilitate interoperability between companies seeking certification under both systems.

In October 2013, TRUSTe certified Merck as the first healthcare company and the second multinational company under the CBPR system.

“The value of this approach is that we obtained both CBPR and BCR approvals while maintaining the substance and structure of our existing global privacy program.

The practical effect is that we gained greater efficiency in how we manage cross-border data transfer and global data processing without adding complexity to how we operate,” said Hilary Wandall, Chief Privacy Officer.

A faster BCR approval process

As was reported in a recent review of CBPR benefits by Information Integrity Solutions, the first phase of Merck’s BCR approval took less than three months. In comparison, the mutual recognition phase took an additional nine months.

In addition to the time to complete the EU cooperation procedure and transition between the approval phases, the entire approval process was approximately three months faster than the 18-month average.

Most importantly, because Merck based its BCR approval on its previously-approved CBPR certification, a broadly BCR-compliant global privacy program was already in place. As a result, according to Merck’s internal estimates, the total cost of its BCR was approximately 90% less than it would have otherwise been.

Future BCR-CBPR project

When announcing the referential’s endorsement in March 2014, Isabelle Falque-Pierrotin, Chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party called it a “very political and symbolic act” for companies seeking to obtain both BCR and CBPR certification.

FTC Chairwoman Edith Ramirez noted that “[i]nteroperability is absolutely critical,” adding that “[w]ithout the ability to work across systems, we simply can’t effectively protect the privacy of consumer data, and that’s why as part of the U.S. delegation to the APEC data privacy subgroup, the FTC has been actively involved, along with the Department of Commerce, in developing the CBPRs and also working on this referential.”

Earlier this month, Article 29 affirmed that work on the BCR-CBPR project would be a key component of its 2016-2018 work plan.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers.

TrustArc’s TRUSTe was named the first accountability agent for the system in June 2013.

Not Subject to OBA Principles? – Think Again! https://trustarc.com/resource/not-subject-to-oba-principles-think-again/ Tue, 28 May 2013 22:04:00 +0000 https://trustarc.com/?post_type=resource&p=2117
Articles

Not Subject to OBA Principles? – Think Again!

Last week, a globally recognized brand approached us to advise on a Letter of Inquiry from the Council of Better Business Bureaus (CBBB) regarding compliance with OBA principles. TRUSTe welcomed the opportunity to jump in and advise on a corrective course of action, including immediate next steps.

We all know the CBBB, in its role as a consumer advocate, helps consumers resolve service disputes with companies that they have purchased products from, but did you know that the CBBB also administers the Online Interest-Based Advertising (OBA) Accountability Program, under the policy guidance of the Advertising Self-Regulatory Council? The Accountability Program is the independent enforcement agent of the Digital Advertising Alliance (DAA).

The mission of the Accountability Program is to build consumer trust in Online Behavioral Advertising (OBA) by ensuring that companies engaged in OBA comply with the OBA Principles.

Do the OBA Principles Apply to Non-Members?

As a business, you may be thinking, “I am not a member of the Advertising Self-Regulatory Council or the Digital Advertising Alliance (DAA), so these principles do not apply to me and my website.”

Not so, it would seem. If your website allows the collection of information by third parties for interest-based ads, or allows the serving of interest-based ads, then you are considered a “covered entity” by the Accountability Program and are required to comply with the OBA Principles.

We understand that several websites have received Inquiry Letters regarding Online Behavioral Advertising Practices from the Accountability Program recently. The inquiry process is confidential so it is unclear how many letters have gone out in this most recent wave of mailings from the Accountability Program. A Letter of Inquiry is sent when the Accountability Program has reason to believe that the company may not be in compliance with some aspect of the OBA Principles.

Once a company receives a Letter of Inquiry, the Accountability Program works with the company through the inquiry process to determine if there is an issue of non-compliance and, if so, helps the company come into compliance. At the end of the process, the Accountability Program issues a published decision along with an accompanying press release. To date, there have been 19 public decisions.

If your site allows interest-based advertising or third-party data collection, chances are that the CBBB will be assessing your OBA compliance in the near future. My advice to large ecommerce and publisher websites: make things easier on yourselves by proactively assessing your OBA exposure and implementing simple OBA compliance mechanisms on your site.

Chat with us before the CBBB chats with you.
