Earlier this month, TrustArc announced the launch of a certification for data processors operating with the new Asia-Pacific Economic Cooperation Privacy Recognition for Processors framework. TrustArc — via its TRUSTe subsidiary — is the only company authorized as an accountability agent to offer the new certification for the PRP program, which complements the Cross Border Privacy Rules program for data controllers.
To date, 21 economies participate in APEC (APEC is officially a collection of economies, not "countries"), though fewer have signed on for CBPRs and PRP. However, there has been a great deal of activity in the last year, with notable additions of South Korea and Singapore and talk of Australia coming on board shortly. The list of participating companies has been growing slowly, with 23 companies certified to the CBPRs program as of August 2018.
Hilary Wandall, general counsel and chief data governance officer at TrustArc, said the new offering caters to a specific need identified in the market and addressed by the PRP program.
"In the last couple of years," she said, "there've been a number of organizations that said, 'Yes, the cross-border system as a whole is great, but I want to focus on the parts relevant to me and the services that I provide to others, and can we have a subcomponent that focuses specifically on processors.'"
The certification is available now and is relevant for companies that offer a cloud or SaaS platform or other technology solutions for customers in Asia and across regions. Wandall said the certification process varies by company size and business complexity, but can often be completed in 30 to 60 days. And for companies required to prepare themselves for Article 28 of the GDPR, on data processing, the APEC certification for processors will be very analogous, she added.
That said, "if you're a brand new data processor and just setting up a platform you're going to provide to customers and don't have a privacy program to support it, it'll probably take you a good half-year to get ready" for the certification.
Because it relies on accountability agents for approval and not regulatory bodies, it's a shorter process than getting certified under something like binding corporate rules, for example.
"The whole process behind accountability agents provides scale and speed in the process, which is why people liked the idea of setting up the CBPR system," Wandall said.
For TrustArc to have its program approved, it had to demonstrate to a joint oversight committee under APEC the policies in place to ensure an independent review, the specific requirements it would hold companies to, what its program looked like and how it would meet the 18 program requirements that had been pre-approved as APEC program requirements for processors.
More broadly, Wandall points to what she sees as the next generation of interoperability and convergence around varying regional requirements. In the Asia-Pacific region, at least half a dozen countries have had laws come into effect and therefore have begun engaging on an international scale and aiming to align with the GDPR, including requiring organizations to appoint data protection officers and creating international-minded regulators to cooperate and coordinate across borders.
"I think part of why we're hearing so much more about Asia is not only because of laws being adopted but because they're not being insular in their approach," Wandall said. "They're really collaborating across the region, much of that spurred by APEC and the work done in the APEC region."
She notes that while many countries in the region have nuances to each of their laws, "and really hold strongly to the importance of that," the APEC system allows local norms to be complied with locally while still facilitating data transfers across the region.
Wandall says cooperation and interoperability have particularly increased since the APEC-EU Referential of 2014.
"That was the first time that APEC and the EU cooperated to show the commonalities between the BCR system in the EU and the APEC CBPR system on the other hand. A lot of work has been done since then to continue to drive interoperability between the two regions," she said, adding she especially anticipates watching GDPR certification take off and how that will work in conjunction with the CBPR system, including TrustArc's new processor certification scheme, and how "companies that have global systems can show to regulators in each of the different regions how they're meeting their requirements, looking at ways they are consistent with each other."