The deadline for compliance with the EU’s General Data Protection Regulation (GDPR)—May 25, 2018—is rapidly approaching. With so much focus on GDPR, it’s easy to forget that making data privacy a fundamental legal right is not just a European priority. As companies put together their data governance and compliance strategies, it’s crucial that they do so with a global perspective. Now and in the future, companies need to ensure their strategies are flexible enough to satisfy a growing list of international compliance requirements.
Several legal jurisdictions throughout the world have data privacy and protection laws in place, and more are on the way. Although there are differences in these laws, there is a consistent foundation of principles in place: transparency, accountability, security, and fairness.
A prominent example comes from APEC (the Asia Pacific Economic Cooperation). With 21 member countries, APEC is a very important trading bloc. Countries such as the United States, Australia, Canada, Japan, China, and Singapore are members—some of the leading powerhouse economies of the world.
The APEC member countries have adopted the APEC Privacy Framework for the purposes of encouraging electronic commerce and business opportunities while ensuring that effective data privacy protections are in place. An important principal underlying the APEC Privacy Framework is that these protections improve the overall quality of life of residents of member countries.
The APEC Privacy Framework has nine privacy principles, which align with internationally recognized privacy guidelines/frameworks and laws such as the OECD Guidelines, EU Privacy Shield, the EU’s Binding Corporate Rules (BCRs), and regional laws in place in Asian countries. The principles are:
- Preventing Harm
- Notice
- Collection Limitations
- Uses of Personal Information
- Choice
- Integrity of Personal Information
- Security Safeguards
- Access and Correction
- Accountability
To allow for a consistent baseline of privacy protection when data processing crosses borders, APEC created the Cross-Border Privacy Rules system (CBPRs). Like the EU’s BCRs and Privacy Shield, companies can certify under the CBPRs and publicly commit to honoring the principles of the CBPRs no matter where data processing takes place.
An APEC-approved, independent third party, called an Accountability Agent, reviews the company’s policies and practices to verify compliance and issues the certification. A CBPRs-certified company is permitted to transfer and receive personal data collected in an APEC member country across borders (i.e., the certification satisfies Japan’s new cross-border restrictions).
The CBPRs is a relatively new certification that is now beginning to gain traction. More and more countries are beginning to join the system, and countries like the U.S. and Canada are fully participating. The CBPRs certification will be an important mechanism for countries to show compliance with the principles and gain an economic advantage.
Ventiv Technology is committed to providing for the most secure operating environment for our customers’ data. As part of that commitment, we understand the need to have a strong privacy and security program in place and we will be certifying under the CBPRs so that our customers can have a high level of confidence in our overall data privacy program.
Scott Wilson is Chief Information Security Officer & Privacy Officer for Ventiv Technology. Contact Scott at scott.wilson@ventivtech.com. Connect with Scott at LinkedIn.
