APEC CBPR and PRP Certification 

NCC Group Security Services Inc. is approved through the US Department of Commerce Accountability Agent program for the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP).  

From this position, we are able to assess the privacy programs of US companies and certify their alignment with the comprehensive APEC CBPR and PRP compliance requirements.  

APEC CBPR & PRP: Overview and comparison

The Asia‑Pacific Economic Cooperation created the Cross‑Border Privacy Rules System and the Privacy Recognition for Processors System to support trusted, accountable cross‑border data flows across APEC economies.

These programs operationalize the APEC Privacy Framework, offering a consistent, enforceable approach for companies to demonstrate privacy compliance and reduce friction in international commerce.

APEC CBPR System

The CBPR System is a voluntary, certification‑based framework for personal information controllers (organizations that determine purposes and means of processing). It allows organizations to demonstrate compliance with the nine APEC Privacy Framework principles and is implemented through accredited Accountability Agents.

CBPR program requirements (aligned to APEC principles):

• Notice
• Collection Limitation
• Uses of Personal Information
• Choice
• Integrity of Personal Information
• Security Safeguards
• Access and Correction
• Accountability

APEC PRP System

The PRP System is designed for personal information processors—organizations that process data on behalf of controllers. Introduced in 2015, PRP helps processors demonstrate the capacity to implement a controller’s privacy obligations and robust security and operational controls.

PRP focus areas:

• Data security and incident management
• Operational capacity to implement controller instructions
• Support for controller compliance obligations (e.g., access requests)
• Organizational accountability and oversight

CBPR vs. PRP side-by-side

Key Obligations for Potential Program Members

For CBPR (Controllers):

• Publish transparent privacy notices and define purposes of processing.
• Limit collection and use to what is necessary and compatible with purposes.
• Provide choice mechanisms where required (e.g., opt‑out/opt‑in).
• Implement security safeguards proportionate to risk and data sensitivity.
• Offer individual access and correction.
• Establish internal accountability (governance, training, oversight).
• Manage onward transfers to ensure comparable protections by recipients.

Read the official requirements from APEC

For PRP (Processors):

• Maintain robust security and incident response.
• Document and implement controller instructions and data handling playbooks.
• Support controller compliance (e.g., access, correction, deletion support).
• Demonstrate operational readiness, record‑keeping, and auditability.

Learn more about the APEC PRP system

Key steps 

1.  Apply through an APEC‑recognized Accountability Agent such as NCC Group
2. Undergo assessment of policies, practices, and technical/organizational measures against program requirements.
3. Implement corrective actions to close gaps identified by the Accountability Agent.
4. Maintain ongoing compliance via periodic reviews and monitoring; certification may be suspended or revoked for non‑compliance.
   
   

Key benefits

Certification strengthens global interoperability, reduces barriers to data transfers within participating economies, supports due diligence expectations, and aligns with other global privacy standards.

There are forms which organizations are required to complete prior to being assessed by an Accountability Agent:

APEC CROSS-BORDER PRIVACY RULES SYSTEM INTAKE QUESTIONNAIRE

GLOBAL PRIVACY RECOGNITION FOR PROCESSORS INTAKE QUESTIONNAIRE