Independent Privacy Certifications: The Scalable Solution for Vendor Due Diligence

Aug 5, 2021 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Every procurement department understands that a core part of the job is measuring and mitigating vendor risk. And in an age of constant data sharing, one of the fastest-growing risks is a data breach.

Although recent news has been filled with stories about ransomware attacks, data breaches involving customers’ personal information remain an ever-present compliance and reputational risk, and one that grows with each new privacy law on the books. Whether you are a data controller or a data processor, every vendor with access to personal information widens your exposure: each one is another place where that data can be mishandled or lost.

As a responsible business, you have an obligation to properly vet and monitor the privacy practices of your suppliers and vendors. The reason is simple: you can be held legally and financially liable for their improper data protection practices, even though the failure happened on their systems rather than yours.

Good privacy governance requires not only that your vendors agree to match your privacy practices, but also that they implement robust security controls over any system where personal information will be stored or processed. The rigor of a vendor’s security practices should be proportional to the sensitivity of the data it handles. In practice this means lengthy checklists and detailed back-and-forth with each supplier to confirm that its practices meet the ever-evolving “reasonable security” standard. Your inquiries into their policies and procedures should be repeated on a routine basis, not just at onboarding, because both the vendor’s systems and the legal standard change over time. When gaps are identified, you should work with your vendors to remediate them and confirm that the remediation actually took place.

Vendor privacy due diligence can be a Herculean task, but it doesn’t have to be. Instead, start by asking your vendors for evidence of independent privacy certifications such as the Privacy Recognition for Processors (PRP) or Vendor Privacy Program (VPP) from BBB National Programs.

Independent certifications allow you to jump straight to the important questions, knowing that your vendors’ security practices for personal information already rest on a strong, independently reviewed foundation. Rather than starting your privacy due diligence from scratch, certifications like PRP and VPP let your procurement team concentrate on vetting vendors on commercial terms (such as price and the services or products offered) and on known pain points specific to your engagement, instead of spending time walking vendors through your in-house privacy questionnaires. Through our preferred controller program, we can even work with you to provide individualized information to your suppliers on obtaining independent certification of their privacy practices.

How do you know if a business has received a privacy certification?

For PRP and VPP, it is as easy as checking the business’s privacy policy, where a prominent seal will be displayed if the business has qualified for a privacy certification. Because a seal image on its own is easy to copy, confirm the certification with the certifying body rather than taking the seal at face value. Our team provides tailored support to our participants to help them identify gaps in their policies and achieve recognized standards. After each annual certification, BBB National Programs also goes one step further to help facilitate privacy due diligence. The certified business, after addressing any gaps in its practices, receives a Findings Report that describes why its security and accountability policies and procedures meet industry standards for the protection of personal information. Importantly, this means that certification of your vendors can provide you with evidence, in the form of documentation of accountability, that you performed due diligence on the privacy practices of your vendors.

The security and accountability standards incorporated into PRP and VPP certifications are tied to globally recognized best practices. Designed by the member economies of the Asia-Pacific Economic Cooperation (APEC), PRP is meant to serve as a uniform standard for processors to demonstrate that they will handle data within the requirements of the gold-standard Cross-Border Privacy Rules (CBPR). BBB National Programs, as a recognized accountability agent under the APEC CBPR system, is responsible for ensuring that reasonable security safeguards are baked into the written policies and procedures of participating businesses.

PRP and VPP certifications are also backed by BBB National Programs’ dispute resolution procedures. All certified businesses are required to respond to inquiries from data subjects and address any necessary remedial actions that may arise during a dispute. Knowing that your vendors are part of this standard bolsters your reputation with consumers and customers.

When it comes to reliably evaluating vendor data practices, independent assessment of a processor’s privacy practices takes weight off the data controller’s shoulders and gives procurement departments a practical way to identify trustworthy and accountable processors. Examination and monitoring of your vendors’ privacy practices by an independent organization such as BBB National Programs reduces risk, produces efficiencies, and establishes impartial, verifiable evidence of your due diligence efforts.

We help make privacy achievable and accountable for businesses of all sizes. Reach out to GlobalPrivacy@bbbnp.org to get started.
