Key areas of focus for privacy management programs are shifting due to continual evolution in the privacy landscape. In turn, privacy teams must consider both regulations (e.g. Schrems IIGDPRCCPA & CPRA, LGPD , etc.) and the intricacies of cross-border data transfers. With so much for teams to consider, enterprises must showcase both legal and customer credibility, which starts by implementing a healthy privacy management program — A key part of which can be addressed through the APEC CBPR certification. 


Learn more about data transfers: Privacy 101: Data Transfers 

What is the APEC CBPR Certification? 

The APEC CBPR is a voluntary, accountability-based system created by the Asia-Pacific Economic Cooperation (APEC) to facilitate the flow of data among participating APEC economies. Simultaneously, the APEC Cross-Border Privacy Rules System (CBPR) is intended to benefit organizations by providing a secure, trusted, and efficient means of transferring personal information across jurisdictions. Ultimately, the certification establishes companies as having a working knowledge of internationally recognized data privacy protections and allows them to provide evidence proving so.   

What does the APEC CBPR Require? 

The APEC CBPR system is voluntary, and participating economies must initially satisfy certain conditions which are set out in the Charter of the APEC Cross-Border Privacy Rules and Privacy Recognition for Processors Systems Joint Oversight Panel. The APEC CBPR system consists of four elements: 

  1. Self-assessment 
  2. Compliance review 
  3. Recognition (acceptance) 
  4. Dispute resolution and enforcement 

The first three stages are conducted by applicant organizations and accountability agents. The final stage is managed by the participating economy’s privacy enforcement authority. Currently, nine economies participate in the APEC CBPR system: Australia, Canada, Taiwan, Japan, Mexico, Singapore, South Korea, the Philippines, and US. 

Applicant organizations wishing to take part in the APEC CBPR system can apply to an Accountability Agent in order to become certified. The Accountability Agents then inspect the privacy policies and practices of the applicant organization. Following certification, the organization is entered into a compliance directory. 

The CBPR System implements the APEC Privacy Framework, established in 2005 and updated in 2015. APEC reports that the CBPR System protects personal data by requiring: 

Having a certification that addresses all the above can benefit your organization by ensuring that it can do the following: limit threats, decrease risk, maintain trust and brand loyalty, build a positive reputation, provide continuity, and demonstrate compliance with global data protection laws. 


Learn more about data transfers: Privacy 101: Data Transfers 

How Can OneTrust Help? 

OneTrust DataGuidance announced the addition of its APEC CBPR Comparison to its Data Transfer module. This provides a means of monitoring and understanding the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system (APEC CBPR). 

The APEC CBPR system is meant to simplify personal data flows across jurisdictions. With this comparison, users can now: 


The OneTrust platform leverages expertise in Vendor Risk Management, Privacy, GRC, and many other categories to deliver an immersive experience. Learn more: Request a demo 


Further APEC CBPR certification reading:  

Blog: In the Know: OneTrust Updates for March 2020  

APEC Website: What is the Cross-Border Privacy Rules System? 


Next steps on APEC CBPR certification:  

DataGuidance: Request a Trial 


Follow OneTrust on LinkedInTwitter, or YouTube for the latest on APEC CBPR certification.