From privacy-audit-skills
Guides APEC CBPR certification: self-assessment against privacy framework principles, accountability agent selection, intake questionnaire, decision, recertification, Global CBPR transition.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-audit-skills
This skill uses the workspace's default tool permissions.
The APEC Cross-Border Privacy Rules (CBPR) system is a government-backed data privacy certification that enables the free flow of personal information across APEC economies while ensuring effective protection of that information. Established in 2011, the CBPR system implements the nine APEC Privacy Framework principles (updated in 2015) through a certifiable set of program requirements that organizations self-assess against and submit to an APEC-recognized Accountability Agent for review and certification.
As of 2024, the CBPR system has evolved into the Global Cross-Border Privacy Rules (Global CBPR) Forum, expanding beyond APEC member economies. The Global CBPR Forum was established in April 2022 by Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States, with additional economies joining subsequently. Organizations certified under the APEC CBPR system are transitioning to Global CBPR certification.
Sentinel Compliance Group holds CBPR certification through TRUSTe (TrustArc), the US-recognized Accountability Agent, covering its customer data processing operations across APEC economies.
The CBPR system is built on the nine principles of the APEC Privacy Framework (2015 revision):
The organization develops policies and procedures to prevent misuse of personal information and to mitigate the risk of harm to individuals. Harm includes physical, financial, reputational, psychological, and other forms of damage arising from the collection, use, or disclosure of personal information.
CBPR Requirements:
The organization provides clear, conspicuous, and accessible notice of its privacy practices.
CBPR Requirements:
Personal information collection is limited to that which is relevant to the purposes of collection and obtained by lawful and fair means with the knowledge or consent of the individual.
CBPR Requirements:
Personal information is used only to fulfill the purposes of collection and other compatible purposes.
CBPR Requirements:
Individuals are provided with choice regarding the collection, use, and disclosure of their personal information.
CBPR Requirements:
Personal information is accurate, complete, and kept up-to-date to the extent necessary for the purposes of use.
CBPR Requirements:
Personal information is protected by reasonable security safeguards against unauthorized access, use, modification, disclosure, or destruction.
CBPR Requirements:
Individuals have the ability to access and correct their personal information.
CBPR Requirements:
The organization is accountable for complying with measures that give effect to the above principles.
CBPR Requirements:
Determine eligibility for CBPR certification:
Participating Economies (APEC CBPR as of 2024): United States, Mexico, Japan, Canada, Republic of Korea, Singapore, Chinese Taipei, Philippines, Australia
Global CBPR Forum Members (expanding): United States, Canada, Japan, Republic of Korea, Philippines, Singapore, Chinese Taipei, Bermuda, Jersey, United Kingdom (observer)
Select an APEC-recognized Accountability Agent for the relevant economy:
| Economy | Accountability Agent | Website |
|---|---|---|
| United States | TRUSTe (TrustArc) | truste.com |
| United States | BBB National Programs | bbbprograms.org |
| Japan | JIPDEC (Japan Institute for Promotion of Digital Economy and Community) | jipdec.or.jp |
| Republic of Korea | Korea Internet & Security Agency (KISA) | kisa.or.kr |
| Singapore | Infocomm Media Development Authority (IMDA) | imda.gov.sg |
| Philippines | National Privacy Commission (NPC) | privacy.gov.ph |
| Chinese Taipei | Institute for Information Industry (III) | iii.org.tw |
| Mexico | Autoridad Nacional de Protección de Datos (INAI) | inai.org.mx |
The Accountability Agent provides an intake questionnaire based on the APEC CBPR Program Requirements. The questionnaire maps to the nine Privacy Framework principles and requires the organization to:
Section A: Organization Information
Section B: Privacy Practices Self-Assessment
For each of the 50 CBPR program requirements, the organization must:
Key Self-Assessment Questions (representative subset):
| Requirement ID | Principle | Requirement | Evidence Type |
|---|---|---|---|
| CBPR-1 | Preventing Harm | Does the organization conduct privacy risk assessments? | Risk assessment methodology, completed assessments |
| CBPR-5 | Notice | Does the organization provide clear and conspicuous notice of its privacy practices? | Privacy policy, collection point notices |
| CBPR-12 | Collection Limitation | Does the organization limit collection to personal information relevant to identified purposes? | Data inventory, purpose-to-data mapping |
| CBPR-18 | Uses | Does the organization limit use to purposes identified in the notice? | Purpose limitation controls, audit results |
| CBPR-23 | Choice | Does the organization provide opt-out mechanisms for marketing? | Opt-out mechanism screenshots, preference records |
| CBPR-30 | Integrity | Does the organization maintain data accuracy? | Data quality processes, correction mechanisms |
| CBPR-35 | Security | Does the organization implement security safeguards proportionate to data sensitivity? | Security assessment results, encryption evidence |
| CBPR-42 | Access | Does the organization provide access to personal information upon request? | Access request process, response records |
| CBPR-48 | Accountability | Does the organization have a designated privacy contact? | Privacy contact information, organizational chart |
The Accountability Agent reviews the self-assessment:
The Accountability Agent makes a certification decision:
| Decision | Criteria | Next Steps |
|---|---|---|
| Certified | All 50 program requirements substantially met | Issue certification, add to CBPR directory |
| Conditionally Certified | Minor gaps with committed remediation plan | Issue certification with conditions, follow-up within 90 days |
| Not Certified | Material gaps in multiple principles | Provide detailed feedback, applicant may reapply after remediation |
Upon certification:
The organization must notify the Accountability Agent and may be subject to interim review when:
Organizations certified under the APEC CBPR system are transitioning to the Global CBPR Framework:
| Aspect | APEC CBPR | Global CBPR |
|---|---|---|
| Governance | APEC Electronic Commerce Steering Group | Global CBPR Forum (independent body) |
| Membership | 9 APEC economies | Open to non-APEC economies |
| Standards | APEC Privacy Framework (2015) | Global CBPR Framework (based on APEC, updated) |
| Certification Mark | APEC Privacy CBPR mark | Global CBPR mark |
| PRP Component | Privacy Recognition for Processors (PRP) | Integrated into Global CBPR |
The CBPR system leverages the APEC Cross-Border Privacy Enforcement Arrangement (CPEA) for cross-border enforcement cooperation. When a privacy complaint involves cross-border data flows: