Independent Privacy Certifications: The Scalable Solution for Vendor Due Diligence

Aug 5, 2021 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Every procurement department understands that a core part of the job includes measuring and mitigating vendor risk. And in the age of constant data sharing, one of the fastest growing risks is a data breach.

Although recent news has been filled with stories about ransomware attacks, data breaches involving customers’ personal information remain an ever-present compliance and reputational risk—and one that grows with each new privacy law on the books. Whether you are a data controller or data processor, when your vendors have access to personal information the risk is magnified exponentially.

As a responsible business, you have an obligation to properly vet and monitor the privacy practices of your suppliers and vendors. The reason is simple: you could be held legally and financially liable for their improper data protection practices. 

Good privacy governance requires not only that your vendors agree to match your privacy practices, but also that they implement robust security practices over any system where personal information will be stored. The complexity of vendors’ security practices should be proportional to the sensitivity of the data that they process. This means completing lengthy checklists and detailed back and forth with each supplier to ensure that their practices are keyed to the ever-evolving “reasonable security” standard. Your inquiries into their policies and procedures should be repeated on a routine basis. When gaps are identified, you should work with your vendors to remediate them.

While vendor privacy due diligence can be a Herculean task, it doesn’t have to be this way. Instead, start by asking your vendors for evidence of independent privacy certifications such as the Privacy Recognition for Processors (PRP) or Vendor Privacy Program (VPP) from BBB National Programs. 

Independent certifications allow you to jump straight to the important questions, knowing that your vendors’ security practices for personal information are resting on a strong foundation. Rather than starting your privacy due diligence from scratch, certifications like PRP and VPP allow your procurement team to focus only on vetting vendors on commercial terms (such as price and services or products) and known pain points, instead of spending time assisting vendors in navigating your in-house privacy information requests. Through our preferred controller program, we can even work with you to provide individualized information to your suppliers on obtaining independent certification of their privacy practices.

How do you know if a business has received a privacy certification?

For PRP and VPP, it is as easy as checking its privacy policy, where a prominent seal will be displayed if the business has qualified for a privacy certification. Our team provides tailored support to our participants to help them identify gaps in their policies and achieve recognized standards. After each annual certification, BBB National Programs also goes one step farther to help facilitate privacy due diligence. The certified business, after addressing any gaps in its practices, receives a Findings Report that describes why its security and accountability policies and procedures meet industry standards for the protection of personal information. Importantly, this means that certification of your vendors can provide you with evidence—documentation of accountability—that you engaged in due diligence of the privacy practices of your vendors.

The security and accountability standards incorporated into PRP and VPP certifications are tied to globally recognized best practices. Designed by the economies of the Asia Pacific Economic Cooperation (APEC), PRP is meant to serve as a uniform standard for processors to demonstrate that they will keep data within the requirements of the gold-standard Cross-Border Privacy Rules (CBPR). BBB National Programs, as a recognized accountability agent under the APEC CBPR system, is responsible for ensuring that reasonable security safeguards are baked into the written policies and procedures of participating businesses.

PRP and VPP certifications are also backed by BBB National Programs’ dispute resolution procedures. All certified businesses are required to respond to inquiries from data subjects and address any necessary remedial actions that may arise during a dispute. Knowing that your vendors are part of this standard bolsters your reputation with consumers and customers.

When it comes to reliably evaluating vendor data practices, independent assessment of a processor’s privacy practices takes weight off the data controller’s shoulders. This makes it a valuable tool that provides a way for procurement departments to identify trustworthy and accountable processors. Examination and monitoring of your vendors’ privacy practices by an independent organization such as BBB National Programs minimizes risk, produces efficiencies, and establishes impartial, verifiable evidence of your due diligence efforts.

We help make privacy achievable and accountable for businesses of all sizes. Reach out to to get started.

Suggested Articles


Enhancing Brand Safety: Understanding Self-Regulation vs. Independent Industry Self-Regulation

With copious amounts of content proliferating across a growing number of platforms and websites, it is an ongoing challenge for advertisers and platforms to ensure that digital ads are not placed next to harmful content. In this conversation, there is a key distinction few are making — the difference between ‘self-regulation’ and ‘independent, industry-wide self-regulation.’
Read more

CFBAI and CCAI Published the 2020 Annual Report on Participant Compliance and Program Progress

BBB National Programs has released the CFBAI and CCAI 2020 Annual Report, which includes findings on CFBAI and CCAI participant compliance with their commitment to advertise only foods that meet CFBAI’s strict Uniform Nutrition Criteria or to not engage in advertising primarily directed to children under age 12. The Report indicates excellent compliance by the 19 CFBAI participants and the eight CCAI participants in 2020.
Read more

What Do You Need to Know about the Florida Lemon Law?

If you have ever purchased or leased a car or SUV that you consider a lemon, you may have questions about the myriad of federal and state laws that govern your vehicle and the remedies available to you. Each state also has their own statute governing vehicles sold and leased in that state for personal use. Today, we look at the lemon law in Florida, one of the fastest-growing states in the U.S.
Read more

AI Can Be A Force For Good In Recruiting And Hiring New Employees

A challenge for rapid innovation in any industry is the ability for legal and regulatory requirements to keep pace. In the recruiting and hiring process, where AI provides aid to human decision-making and a welcome relief to managing a deluge of data, company leaders are asking themselves: How can we combine important technological innovation with a proactive approach to employment law requirements?
Read more