By Harvey Jang, Chief Privacy Officer & Counsel, Cisco
Cisco is now certified under the new Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) System. Cisco has been an active supporter of the APEC Cross Border Privacy Rules system (CBPRs) and an advocate for safe and secure global data flows. We are an early adopter and the eighth company to be PRP certified.
The APEC Cross Border Privacy Rules (CBPR) and PRP systems are voluntary, enforceable (and independently verified) privacy certifications built upon the 9 Principles of the APEC Privacy Framework endorsed by the 21 APEC Member Economies (see www.cbprs.org). The CBPRs focus on controls and accountability for data controllers, while the PRP is targeted for data processors. PRP certification demonstrates a data processor’s ability to honor the obligations passed down from data controllers when handling data on another’s behalf. Cisco has chosen to certify under both CBPRs and PRP as part of our overall efforts to demonstrate compliance and accountability to globally recognized privacy standards. We are among just a handful of companies to have obtained APEC CBPRs, APEC PRP, EU/Swiss-US Privacy Shield, and EU Binding Corporate Rules certifications.
We’re seeing a clear trend towards people (data subjects) taking their privacy more seriously and companies (data controllers and processors) being called upon to honor privacy as a fundamental human right. PRP fits within the broader picture of emerging data privacy and security standards and is consistent with the current trend of stakeholders seeking external, independent program validation. PRP and all our privacy certifications underscore Cisco’s ongoing commitment to demonstrable transparency, fairness, and accountability when it comes to handling the personal data of our employees, customers, and all others.
Learn more about TrustArc solutions here.
By Kate Barecchia, Infor Associate General Counsel and Global Data Privacy Officer
In the modern economy, personal data is the currency that enables business to function. Personal data flies around the world at the speed of light with little physical restriction. Given how far and fast personal data can travel, it is important that people can trust the companies that are holding their personal data. Companies have an obligation to keep personal data private, safe, and secure. Frequently, we hear our customers voicing concerns about what might be happening to their personal data when they license our solutions.
We often say that respect for individuals’ privacy rights is a fundamental value at Infor. While the tone from the top is critically important, we also realize that words matter less than actions. Knowing that, Infor sought independent certification and verification that its privacy practices are meeting the highest global standards.
We are delighted to announce that TrustArc, a leader in data privacy compliance, has assessed Infor’s data privacy practices. After their in-depth review of Infor’s handling of personal data on behalf of its business partners and employees, TrustArc determined that Infor meets TrustArc certification and compliance verification program criteria in the following three areas:
- APEC Cross Border Privacy Rules System (CBPRs)
- GDPR Program Validation
- EU-US Privacy Shield and Swiss-US Privacy Shield Verification
APEC CBPR Certification
The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System (CBPRs) is the first framework to provide standards for the transfer of personal data between all 21 APEC member countries. Companies participating in the CBPR program do so by choice, after establishing that they provide meaningful protection for the privacy and security of personal data.
Not every company can achieve APEC CBPR Certification. Infor’s achievement of that milestone evidences our commitment to transferring personal data efficiently, securely, and safely, while respecting data privacy.
GDPR Program Validation
Although the EU General Data Protection Regulation (GDPR) was adopted in 2016, the European Commission and other EU regulators have not yet specified the criteria required to achieve GDPR certification under Articles 42 and 43. The purpose of that GDPR certification is to provide stakeholders with independent assurances that an organization is complying with the requirements of GDPR.
Until a formal certification process is established by the EU, companies must rely upon third-party assessments of their GDPR compliance. TrustArc’s GDPR Program Validation assessed 40 specific objective validation requirements, including whether Infor has established a governance strategy for our privacy program, whether we have appointed a privacy leader, how we vet our vendors, our security program, our ability to produce required records of processing, Infor’s preparedness for a data incident, as well as how we manage the rights of individuals.
After their review, TrustArc determined that Infor, as an organization, meets the TrustArc Program Validation requirements. This Validation is an important distinguisher between Infor and its competitors in the marketplace. Learn more about Infor’s GDPR Program Validation here: https://www.infor.com/about/gdpr-validation.
EU-US Privacy Shield and Swiss-US Privacy Shield Verification
The EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks require that companies comply with a set of privacy principles to transfer data from the EU and Switzerland. After a comprehensive review of Infor’s practices, TrustArc has authorized Infor’s use of the TRUSTe Verified Privacy Seal, which provides real-time verification of Infor’s commitment to data privacy.
Sometimes, it can be easy to take data privacy for granted. In today’s world, with nearly daily reports of personal data being taken and used for unanticipated purposes, we can see the heavy price that lack of appreciation can cause.
At Infor, data privacy is always front of mind. From the early days of our product design to our day-to-day operations, privacy is at the forefront of everything we do. Our customers trust us with their most important assets—their personal data—and Infor’s successful achievement of these three assessments proves how seriously we take our commitment to data privacy.
Read the original post here.
Global companies are increasingly more concerned with ensuring the privacy and security of the information they hold. Not only is complying with international privacy regulations and frameworks important to avoid fines, but it is also critical for building trust with customers, mitigating risks, and protecting the company’s reputation. One way that companies can demonstrate compliance is by adhering to a recognized international privacy framework, such as the Asia-Pacific Economic Cooperation (APEC) framework as demonstrated by the APEC Privacy Recognition for Processors (PRP) certification.
Like the APEC Cross Border Privacy Rules (CBPR) system (which applies to data controllers), the APEC PRP system is a voluntary, enforceable program designed to ensure the continued free flow of personal information while maintaining meaningful protection for the privacy and security of personal information for data processors. The U.S. became the first formal participant in the PRP system with the Federal Trade Commission (FTC) serving as the first enforcement authority in 2018 with more expected to follow.
A significant portion of the world's economy is based in the region represented by the Asia-Pacific Economic Cooperation (APEC). Companies acting as data processors in the Asia Pacific region can comply with the PRP program requirements in order to process personal data efficiently, securely, and safely while respecting data privacy. In addition, the PRP system enables businesses that operate as data processors to demonstrate their commitment to global privacy standards.
Two examples of companies who have achieved this certification are Workday and Envestnet | Yodlee.
Workday and Envestnet | Yodlee have worked with TrustArc to demonstrate compliance with the APEC PRP certification standards.
Barbara Cosgrove, Chief Privacy Officer at Workday said: “Maintaining the privacy and security of customers’ data in compliance with privacy laws is of critical importance to our business. By partnering with TrustArc to achieve the APEC CBPR and APEC PRP certifications, we’ve been able to further demonstrate our commitment to privacy and qualifications to process data in compliance with the APEC privacy framework.”
“Envestnet | Yodlee wanted a way to demonstrate the rigor of our privacy programs to our clients, prospects and the market. Security-focused certifications, like the APEC PRP, provide objective reliable evidence that Envestnet | Yodlee adheres to applicable privacy standards,” said Brian Costello, Chief Information Security Officer at Envestnet | Yodlee. “TrustArc is a trusted advisor for our entire global privacy program – we leverage their expertise for general certification as well as the APEC certifications.”
To prepare companies for an APEC PRP (and/or CBPR) Certification, TrustArc works in partnership with clients following a three-phase process leveraging a combination of in-house privacy experts and proven assessment methodology powered by the TrustArc Privacy Platform that accelerates and assists in documenting compliance.
- Phase I – A review of the company’s privacy practices against the APEC requirements and creation of a detailed privacy findings report.
- Phase II – A collaborative review of the findings, implementation of remediation recommendations, and documentation of action item resolution.
- Phase III – Certification activation of the TRUSTe APEC PRP (and/or PRP) Privacy Seal and Dispute Resolution Services.
For more information about TrustArc privacy tools and solutions, click here.
TrustArc proudly participated at events co-sponsored by the Singapore Personal Data Protection Commission (PDPC) and the global privacy and security think-tank, Centre for Information Policy Leadership (CIPL), on November 15-16 in Singapore.
On topics ranging from certifications and the Asia-Pacific Economic Cooperation (APEC), to regulatory sandboxes, to artificial intelligence, TrustArc was honored to be invited to engage in terrific conversations and workshops with global thought-leaders in the public and private sectors.
Darren Abernethy, TrustArc Senior Counsel, spoke on a panel entitled “The Role of Certifications as Accountability and Compliance Tools.” This session focused on how certifications can serve accountability and compliance functions for organizations by facilitating achievement of a comprehensive privacy and data protection program; providing third party verification; offering oversight and dispute resolution; and, in some cases, supplying government backstop enforcement. There was also consensus that industry-recognized certifications are highly useful in the B2B vendor selection process for risk mitigation; act as a symbol of trust to the C-suite, consumers and partners; and are increasingly relevant in the mergers and acquisitions context.
Before the 200-plus audience members, special attention was given to the APEC Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems, as these certifications meet the above criteria and have taken on new significance for multi-national corporations and small and medium-sized enterprises (SME) alike, with the certification systems’ recent and ongoing adoption in additional APEC member economies (including four of the top six U.S. trading partners), the extension to data processors through the PRP System, and the certification of SMEs. TRUSTe serves as the Accountability Agent for CBPR and PRP certifications in the U.S.
Darren moderated a second panel entitled “The Role of Certifications in Data Transfers and Global Interoperability.” This session focused on interoperability–which in addition to the possibility of mutual recognition, can also encompass scalably leveraging work done towards one certification or compliance framework in service of another–and began with an overview of different global data transfer mechanisms. The latter included discussion of EU binding corporate rules (BCRs), adequacy decisions, the up-to-the-minute status of GDPR certifications, codes of conduct, and the APEC CBPR/PRP Systems.
Discussion points on the panel included the heightened prevalence and significance of the APEC Privacy Framework in free trade agreements; the use of the BCR-CBPR “Referential” to interoperably achieve each transfer mechanism; how governments and regulators can incentivize certification participation; and examples of how regional transfer frameworks are expanding. A common view was that the APEC Systems have a foundational advantage over many others in that they offer an already-established infrastructure for enforceable, accountability-based mechanisms for intra- and inter-company cross-border transfers.
TrustArc also participated in a working session held in the Singapore offices of a leading technology company, wherein the diverse group of industry participants discussed the key features of the concept of a “regulatory sandbox.” This notion may be understood as a supervised safe space for piloting and testing innovative products, services, business models or delivery mechanisms in the real market, using the personal data of real individuals. The participants evaluated some of the hypothetical pros, cons and challenges of such an approach.
Lastly, TrustArc took part in an all-day interactive working session on accountable and responsible artificial intelligence, likewise co-sponsored by the Singapore PDPC and CIPL. This engaging series of sessions showcased current AI-related uses by varied companies, with an eye towards how to generate sufficiently robust and inclusive data sets, manage the “training” of such datasets, how best to address the issue of inherent bias and unintended discrimination, and industry approaches to demonstrating accountable and responsible AI in practice–from a regulatory and internal practices standpoint. The sessions were both informative and a great springboard for future developments.
To learn more about how TrustArc can assist your company with technology solutions, consulting services, and privacy assurance programs, contact TrustArc today for more information.