Independent Privacy Certifications: The Scalable Solution for Vendor Due Diligence

Aug 5, 2021 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Every procurement department understands that a core part of the job includes measuring and mitigating vendor risk. And in the age of constant data sharing, one of the fastest growing risks is a data breach.

Although recent news has been filled with stories about ransomware attacks, data breaches involving customers’ personal information remain an ever-present compliance and reputational risk—and one that grows with each new privacy law on the books. Whether you are a data controller or data processor, when your vendors have access to personal information the risk is magnified exponentially.

As a responsible business, you have an obligation to properly vet and monitor the privacy practices of your suppliers and vendors. The reason is simple: you could be held legally and financially liable for their improper data protection practices. 

Good privacy governance requires not only that your vendors agree to match your privacy practices, but also that they implement robust security practices over any system where personal information will be stored. The complexity of vendors’ security practices should be proportional to the sensitivity of the data that they process. This means completing lengthy checklists and detailed back and forth with each supplier to ensure that their practices are keyed to the ever-evolving “reasonable security” standard. Your inquiries into their policies and procedures should be repeated on a routine basis. When gaps are identified, you should work with your vendors to remediate them.

While vendor privacy due diligence can be a Herculean task, it doesn’t have to be this way. Instead, start by asking your vendors for evidence of independent privacy certifications such as the Privacy Recognition for Processors (PRP) or Vendor Privacy Program (VPP) from BBB National Programs. 

Independent certifications allow you to jump straight to the important questions, knowing that your vendors’ security practices for personal information are resting on a strong foundation. Rather than starting your privacy due diligence from scratch, certifications like PRP and VPP allow your procurement team to focus only on vetting vendors on commercial terms (such as price and services or products) and known pain points, instead of spending time assisting vendors in navigating your in-house privacy information requests. Through our preferred controller program, we can even work with you to provide individualized information to your suppliers on obtaining independent certification of their privacy practices.

How do you know if a business has received a privacy certification?

For PRP and VPP, it is as easy as checking its privacy policy, where a prominent seal will be displayed if the business has qualified for a privacy certification. Our team provides tailored support to our participants to help them identify gaps in their policies and achieve recognized standards. After each annual certification, BBB National Programs also goes one step farther to help facilitate privacy due diligence. The certified business, after addressing any gaps in its practices, receives a Findings Report that describes why its security and accountability policies and procedures meet industry standards for the protection of personal information. Importantly, this means that certification of your vendors can provide you with evidence—documentation of accountability—that you engaged in due diligence of the privacy practices of your vendors.

The security and accountability standards incorporated into PRP and VPP certifications are tied to globally recognized best practices. Designed by the economies of the Asia Pacific Economic Cooperation (APEC), PRP is meant to serve as a uniform standard for processors to demonstrate that they will keep data within the requirements of the gold-standard Cross-Border Privacy Rules (CBPR). BBB National Programs, as a recognized accountability agent under the APEC CBPR system, is responsible for ensuring that reasonable security safeguards are baked into the written policies and procedures of participating businesses.

PRP and VPP certifications are also backed by BBB National Programs’ dispute resolution procedures. All certified businesses are required to respond to inquiries from data subjects and address any necessary remedial actions that may arise during a dispute. Knowing that your vendors are part of this standard bolsters your reputation with consumers and customers.

When it comes to reliably evaluating vendor data practices, independent assessment of a processor’s privacy practices takes weight off the data controller’s shoulders. This makes it a valuable tool that provides a way for procurement departments to identify trustworthy and accountable processors. Examination and monitoring of your vendors’ privacy practices by an independent organization such as BBB National Programs minimizes risk, produces efficiencies, and establishes impartial, verifiable evidence of your due diligence efforts.

We help make privacy achievable and accountable for businesses of all sizes. Reach out to to get started.

Suggested Articles


Case Study: Getting to Compliance with CARU and COPPA

In a recent case, CARU worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space.
Read more

What to Know About the Georgia Lemon Law

BBB AUTO LINE provides an overview of each state’s lemon laws. In our ongoing blog series, we offer further insights on the laws for select states, and how BBB AUTO LINE can support consumers with lemon law disputes. Florida, California, and Texas have been covered. This post reviews the nuances of the lemon law in the Peachtree State – Georgia.
Read more

The TAPP Roadmap: Helping U.S. Companies Responsibly Collect and Manage Teenager Data

Even as data privacy and safety practices that work for adult consumers provide a firm foundation for teens, they simultaneously run the risk of being insufficient to respond to the unique needs of teens. The TeenAge Privacy Program (TAPP) Roadmap was designed to assist any business that wishes to engage proactively with teen consumers, providing an operational framework to map the broad spectrum of potential harms impacting teens onto a concrete set of operational considerations.
Read more

Pursuing Best Practices For Representation In Advertising

As advertising volume increases, so too do people’s expectations of representation in advertising. Unfortunately, advertising collectively is still falling short, and consumer perceptions reflect that. Why answer this call from consumers? And what is being done about it?
Read more