Independent Privacy Certifications: The Scalable Solution for Vendor Due Diligence

Aug 5, 2021 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Every procurement department understands that a core part of the job includes measuring and mitigating vendor risk. And in the age of constant data sharing, one of the fastest growing risks is a data breach.

Although recent news has been filled with stories about ransomware attacks, data breaches involving customers’ personal information remain an ever-present compliance and reputational risk—and one that grows with each new privacy law on the books. Whether you are a data controller or data processor, when your vendors have access to personal information the risk is magnified exponentially.

As a responsible business, you have an obligation to properly vet and monitor the privacy practices of your suppliers and vendors. The reason is simple: you could be held legally and financially liable for their improper data protection practices. 

Good privacy governance requires not only that your vendors agree to match your privacy practices, but also that they implement robust security practices over any system where personal information will be stored. The complexity of vendors’ security practices should be proportional to the sensitivity of the data that they process. This means completing lengthy checklists and detailed back and forth with each supplier to ensure that their practices are keyed to the ever-evolving “reasonable security” standard. Your inquiries into their policies and procedures should be repeated on a routine basis. When gaps are identified, you should work with your vendors to remediate them.

While vendor privacy due diligence can be a Herculean task, it doesn’t have to be this way. Instead, start by asking your vendors for evidence of independent privacy certifications such as the Privacy Recognition for Processors (PRP) or Vendor Privacy Program (VPP) from BBB National Programs. 

Independent certifications allow you to jump straight to the important questions, knowing that your vendors’ security practices for personal information are resting on a strong foundation. Rather than starting your privacy due diligence from scratch, certifications like PRP and VPP allow your procurement team to focus only on vetting vendors on commercial terms (such as price and services or products) and known pain points, instead of spending time assisting vendors in navigating your in-house privacy information requests. Through our preferred controller program, we can even work with you to provide individualized information to your suppliers on obtaining independent certification of their privacy practices.

How do you know if a business has received a privacy certification?

For PRP and VPP, it is as easy as checking its privacy policy, where a prominent seal will be displayed if the business has qualified for a privacy certification. Our team provides tailored support to our participants to help them identify gaps in their policies and achieve recognized standards. After each annual certification, BBB National Programs also goes one step farther to help facilitate privacy due diligence. The certified business, after addressing any gaps in its practices, receives a Findings Report that describes why its security and accountability policies and procedures meet industry standards for the protection of personal information. Importantly, this means that certification of your vendors can provide you with evidence—documentation of accountability—that you engaged in due diligence of the privacy practices of your vendors.

The security and accountability standards incorporated into PRP and VPP certifications are tied to globally recognized best practices. Designed by the economies of the Asia Pacific Economic Cooperation (APEC), PRP is meant to serve as a uniform standard for processors to demonstrate that they will keep data within the requirements of the gold-standard Cross-Border Privacy Rules (CBPR). BBB National Programs, as a recognized accountability agent under the APEC CBPR system, is responsible for ensuring that reasonable security safeguards are baked into the written policies and procedures of participating businesses.

PRP and VPP certifications are also backed by BBB National Programs’ dispute resolution procedures. All certified businesses are required to respond to inquiries from data subjects and address any necessary remedial actions that may arise during a dispute. Knowing that your vendors are part of this standard bolsters your reputation with consumers and customers.

When it comes to reliably evaluating vendor data practices, independent assessment of a processor’s privacy practices takes weight off the data controller’s shoulders. This makes it a valuable tool that provides a way for procurement departments to identify trustworthy and accountable processors. Examination and monitoring of your vendors’ privacy practices by an independent organization such as BBB National Programs minimizes risk, produces efficiencies, and establishes impartial, verifiable evidence of your due diligence efforts.

We help make privacy achievable and accountable for businesses of all sizes. Reach out to to get started.

Suggested Articles


What to Know About the North Carolina Lemon Law

Next in our blog series reviewing the state lemon laws is the Tarheel State – North Carolina. In this series, we break down what the lemon law does and does not cover in each state because although there is a federal lemon law, called the Magnuson-Moss Warranty Act, states also have their own laws to help consumers who purchase defective vehicles.
Read more

Top 10 Reasons to Resolve Lemon Law Disputes with BBB AUTO LINE

If your vehicle is still under warranty and you have an issue that the dealership has been unable to resolve, you may be able to reach a resolution directly with the manufacturer – at no cost to you - through BBB AUTO LINE. We have assembled a list of ten ways BBB AUTO LINE provides optimal resolution solutions.
Read more

What to Know About the New York Lemon Law

As we continue our blog series reviewing state lemon laws, we turn our attention to New York State. True to its reputation for making its own rules, New York includes some distinctive aspects within its lemon laws.
Read more

Defining The 'S' In ESG And Navigating Disclosures

For businesses interested in making robust ESG disclosures, not only can the sheer number of frameworks and standards make ESG performance reporting seem overwhelming, the frameworks themselves can be a bit fuzzy on how they define and measure the "S" of ESG.
Read more