Independent Privacy Certifications: The Scalable Solution for Vendor Due Diligence

Aug 5, 2021, 09:24 AM by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Every procurement department understands that a core part of the job includes measuring and mitigating vendor risk. And in the age of constant data sharing, one of the fastest growing risks is a data breach.

Although recent news has been filled with stories about ransomware attacks, data breaches involving customers’ personal information remain an ever-present compliance and reputational risk—and one that grows with each new privacy law on the books. Whether you are a data controller or data processor, when your vendors have access to personal information the risk is magnified exponentially.

As a responsible business, you have an obligation to properly vet and monitor the privacy practices of your suppliers and vendors. The reason is simple: you could be held legally and financially liable for their improper data protection practices. 

Good privacy governance requires not only that your vendors agree to match your privacy practices, but also that they implement robust security practices over any system where personal information will be stored. The complexity of vendors’ security practices should be proportional to the sensitivity of the data that they process. This means completing lengthy checklists and detailed back and forth with each supplier to ensure that their practices are keyed to the ever-evolving “reasonable security” standard. Your inquiries into their policies and procedures should be repeated on a routine basis. When gaps are identified, you should work with your vendors to remediate them.

While vendor privacy due diligence can be a Herculean task, it doesn’t have to be this way. Instead, start by asking your vendors for evidence of independent privacy certifications such as the Privacy Recognition for Processors (PRP) or Vendor Privacy Program (VPP) from BBB National Programs. 

Independent certifications allow you to jump straight to the important questions, knowing that your vendors’ security practices for personal information are resting on a strong foundation. Rather than starting your privacy due diligence from scratch, certifications like PRP and VPP allow your procurement team to focus only on vetting vendors on commercial terms (such as price and services or products) and known pain points, instead of spending time assisting vendors in navigating your in-house privacy information requests. Through our preferred controller program, we can even work with you to provide individualized information to your suppliers on obtaining independent certification of their privacy practices.

How do you know if a business has received a privacy certification?

For PRP and VPP, it is as easy as checking its privacy policy, where a prominent seal will be displayed if the business has qualified for a privacy certification. Our team provides tailored support to our participants to help them identify gaps in their policies and achieve recognized standards. After each annual certification, BBB National Programs also goes one step farther to help facilitate privacy due diligence. The certified business, after addressing any gaps in its practices, receives a Findings Report that describes why its security and accountability policies and procedures meet industry standards for the protection of personal information. Importantly, this means that certification of your vendors can provide you with evidence—documentation of accountability—that you engaged in due diligence of the privacy practices of your vendors.

The security and accountability standards incorporated into PRP and VPP certifications are tied to globally recognized best practices. Designed by the economies of the Asia Pacific Economic Cooperation (APEC), PRP is meant to serve as a uniform standard for processors to demonstrate that they will keep data within the requirements of the gold-standard Cross-Border Privacy Rules (CBPR). BBB National Programs, as a recognized accountability agent under the APEC CBPR system, is responsible for ensuring that reasonable security safeguards are baked into the written policies and procedures of participating businesses.

PRP and VPP certifications are also backed by BBB National Programs’ dispute resolution procedures. All certified businesses are required to respond to inquiries from data subjects and address any necessary remedial actions that may arise during a dispute. Knowing that your vendors are part of this standard bolsters your reputation with consumers and customers.

When it comes to reliably evaluating vendor data practices, independent assessment of a processor’s privacy practices takes weight off the data controller’s shoulders. This makes it a valuable tool that provides a way for procurement departments to identify trustworthy and accountable processors. Examination and monitoring of your vendors’ privacy practices by an independent organization such as BBB National Programs minimizes risk, produces efficiencies, and establishes impartial, verifiable evidence of your due diligence efforts.

We help make privacy achievable and accountable for businesses of all sizes. Reach out to to get started.

Suggested Articles


The 2000s Introduced the Internet and Influencers to Ad Law

The 2000s was a decade of change as online advertising exploded and, as a harbinger of things to come, the online environment became fertile ground for innovative ways to both communicate with consumers or, for the unscrupulous, take advantage of unwary consumers. The low barriers to entry allowed disrupters to enter the digital space and forced traditional marketers to compete in this space or be left behind.
Read more

For Developers: Get to Know the CARU Advertising Guidelines

The CARU Advertising Guidelines are widely recognized industry standards that help ensure advertising directed to children is fair and appropriate for its intended audience across any form of child-directed media. The CARU team outlines some key revisions to the Guidelines to which mobile developers should pay heed.
Read more

Getting Certified: Cisco Demonstrates Dedication to Customer Success through APEC Privacy Compliance

Cisco is an example of how a global company must navigate a variety of legal privacy regimes, while also being dedicated to leading the way on data privacy to maintain and further enhance a trusted relationship with its customers. To thread this needle, Cisco has chosen to rely on a third-party privacy certification offered by our team at BBB National Programs.
Read more

Lemon Law 101: Understanding the Law and Your Rights

If your vehicle is under warranty, lemon laws require your vehicle manufacturer to repair your vehicle. The federal lemon law, known as the Magnusson-Moss Warranty Act (“Mag-Moss”), and state lemon laws are in place to protect consumers from getting stuck with “lemons.” It is important to understand the difference between state and federal lemon laws as well as how you and your vehicle are covered under each.
Read more