
APEC Privacy Recognition for Processors (PRP)

Certification Process and Minimum Requirements

Audit and Certification Process

Schellman provides audit and certification services in full accordance with all relevant standards. Our audit and certification process is provided to prospective clients and addresses each major stage of the audit and certification processes. Prospective clients are also informe

APEC Certification Overview

The Asia-Pacific member economies developed a privacy framework as a voluntary system that outlines standards relating to personal information protection as the data moves across borders. Controllers that volunteer for the program are assessed by an Accountability Agent against the Cross Border Privacy Rules (CBPR) and, if compliant, receive a certification. Processors are assessed against the Privacy Recognition for Processors and would also receive a certification if compliant with the program.

Program Requirements

As an APEC Accountability Agent, Schellman’s APEC Privacy Certification program evaluates a United States-based organization’s privacy practices against the certification minimum requirements included below. These certification standards follow the APEC’s Privacy Recognition for Processors (PRP) Program Requirements.

The Schellman certification seal is a service mark of Schellman. The Schellman certification seal may not be used in connection with any product or service that was not within the scope of the CBPR certification review, or in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Schellman. The certification seal should be used only upon the granting or extending of a CBPR certification.

Certification Process

Below is the process for the APEC Cross Border Privacy Rules (CBPR):

Initial Certification Assessment

Planning

Fieldwork Process

Ongoing Monitoring and Compliance Review

Re-Certification and Annual Attestation

Schellman will communicate to the client the suspension status along with the remediation requirements. Under suspension, the client's certification is temporarily invalid. Included within the JAL are the enforceable arrangements regarding the suspension of the certification, including additional agreed-upon fees for the additional compliance review, to help ensure that, in case of suspension, the client refrains from further promotion of its certification and use of the Schellman certification seal. Schellman is required to make publicly accessible, on the company website, the suspended status of the certification.

The certificate is suspended until the Participant has provided sufficient evidence of the remediation within the required timeframe, which shall not exceed a period of six (6) months or upon the due date of the annual recertification. Upon receipt of sufficient evidence of remediation within the required timeframe, Schellman will perform a review of the evidence to determine if the certificate should be reinstated. The results are communicated to the client via an audit report. Failure to resolve the issues that have resulted in the suspension in the time established by Schellman will result in withdrawal or reduction of the scope of certification, if applicable.

A reduction in the scope of the certification may be applicable and would exclude the parts not meeting the requirements, when the client has persistently or seriously failed to meet the program requirements for those parts of the scope of certification.

Certification Minimum Requirements

Clients must meet the following minimum certification requirements before certification is granted.

Security Safeguards

  1. Implement an information security policy that covers personal information processed on behalf of a controller.
  2. Implement physical, technical and administrative safeguards, which may include the following, and periodically review and reassess the implemented measures to evaluate their relevance and effectiveness:
    • Authentication and access control (e.g. password protections)
    • Encryption
    • Boundary protection (e.g. firewalls, intrusion detection)
    • Audit logging
    • Monitoring (e.g. external and internal audits, vulnerability scans)
  3. Implement regular training and oversight of employees to ensure they are aware of the importance of, and obligations for, respecting and maintaining the security of personal information. Procedures may include the following:
    • Documented training program for employees
    • Regular staff meetings or other documented communications
    • Security policy signed by employees
  4. Implement measures to detect, prevent, and respond to attacks, intrusions, or other security failures related to personal information. The measures implemented should be tested on a periodic basis and measures should be adjusted to reflect the results of the tests.
  5. Implement a notification process to notify the controller of occurrences of a breach of the privacy or security of their organization’s personal information.
  6. Implement procedures for the secure disposal or return of personal information when instructed by the controller or upon termination of the relationship with the controller.
  7. Perform periodic third-party certifications or other risk assessments and adjust the security safeguards to reflect the results of these certifications or risk assessments.

Accountability Measures

  1. Implement policies to ensure that processing of personal information is limited to the purposes specified by the controller.
  2. Implement procedures to delete, update, and correct information upon request from the controller where necessary and appropriate.
  3. Implement measures to ensure compliance with the controller’s instructions related to the activities of personal information processing.
  4. Appoint an individual(s) to be responsible for the overall compliance with the requirements of the PRP.
  5. Implement procedures to forward privacy-related individual requests or complaints to the controller or to handle them when instructed by the controller.
  6. Implement procedures to notify controllers, except where prohibited by law, of judicial or other government subpoenas, warrants or orders that require the disclosure of personal information.
  7. Notify the controller of your engagement of subprocessors.
  8. Implement mechanisms with subprocessors to ensure that personal information is processed in accordance with your obligations under the PRP. Mechanisms should require subprocessors to perform the following:
    • Follow instructions provided by your organization relating to the manner in which personal information must be handled
    • Impose restrictions on further subprocessing
    • Have their PRP recognized by an APEC Accountability Agent in their jurisdiction
    • Provide your organization with self-assessments or other evidence of compliance with your instructions and/or agreements/contracts
    • Allow your organization to carry out regular spot checking or other monitoring activities
  9. Regularly train employees on the organization’s privacy policies and procedures and related client instructions.