The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rules program in the U.S.
APEC has announced that certification firm Schellman & Company is the newest CBPR Accountability Agent in the U.S. following approval from a joint oversight panel. Accountability Agents work to ensure companies operating within the 21 APEC member economies have compliant privacy practices and policies in place.
Schellman joins TrustArc subsidiary TRUSTe as the only U.S.-based Accountability Agent for the CBPR program while it’s just the third agent worldwide.
“It has always been our hope in the U.S. market to have multiple options,” said a representative from the U.S. Department of Commerce’s International Trade Administration. “Speaking from a programmatic perspective, having multiple service providers is ideal. Participation resting on one provider does, quite frankly, leave some vulnerabilities. Having multiple options really shores up the strength and foundation of U.S. participation in the system.”
The CBPR system is a government-supported certification that companies within the 21 APEC member economies can obtain to demonstrate compliance with internationally recognized data privacy protections. The U.S. adopted the rules in 2012 and added TRUSTe as the country’s first Accountability Agent in 2013.
The ITA representative added that while TrustArc has been a prominent and essential player for U.S. participation in the CBPR system, companies were looking for diversity and alternatives in terms of providers, packages and services. Schellman Principal Debbie Zaller, CIPP/US, believes her company is prepared to present consumers with the luxury of choice that they’ve been seeking.
“It fits right in with our other services,” Zaller said. “What we do with privacy is really served on that external audit side. We’re also a certification body for other frameworks like ISO, HiTrust and FedRAMP.
“Becoming another certification body and staying along the same external audit lines is something we’ve been doing for a long time, so it’s just a natural fit within our current service line. We think it will be a huge need for a lot of our clients.”
Zaller said Schellman began toying with the idea of becoming an Accountability Agent at the IAPP’s Privacy. Security. Risk. event last year, as it began exploratory talks with International Trade Administration Policy Advisor Michael Rose. Schellman applied to be an Accountability Agent on its own accord, as the U.S. abides by an open-application process and then reviews prospective agents against an established list of requirements. The characteristics being assessed include a company’s enforcement tactics, the ability to manage conflicts of interest and being capable of explaining programming and certification processes.
“Whatever jurisdiction you’re in, you have to meet all the requirements we’ve listed,” the ITA representative said. “On the U.S. side, we work with organizations that are interested in this role. We help them understand the requirements and go as far as advising on how to meet them."
Schellman’s addition brings competition to a market TrustArc has cornered since joining the CBPR system. However, the competition isn’t being viewed in a negative light for either Schellman or TrustArc.
“I think it creates a lot of opportunity for all,” Zaller said. “I was just speaking with TrustArc and they’re very excited about us joining as well. They didn’t look at it as any sort of competitive advantage. They looked at it more from the point of view of getting the word out in the world about APEC and what the certification can do for organizations.”
In terms of pricing, the ITA representative said Schellman has presented initial figures on certification costs and that the final numbers will be up to the company. Schellman also has a plan in place for bundling and packaging its services.
“All of that will really fall on our current methodology,” Zaller said. “We really provide that single-vendor approach to organizations, and that allows us to do a lot of different certification or compliance for an organization. We always approach pricing by looking at what the scope is. Size of organization and bundling services are factors and provide flexibility."
With Schellman jumping on board and more companies beginning to show interest in becoming an Accountability Agent, the prospects of CBPR becoming more commonly known and subsequently adopted are growing.
"The more uptake the better," the ITA representative said. "It shores up a critical piece of the CBPR’s foundation, without which we could not function. We cannot serve companies if these Accountability Agents aren’t in place to certify them."
Photo by Aaron Burden on Unsplash