Global Cross-Border Privacy Rules (Global CBPR) Certification

In 2022 the Global CBPR Forum was established to develop an international certification system which promotes interoperability between different regulatory approaches to data protection and privacy. The Global CBPR Framework (2023) explains what this means in principle and practice. Its nine guiding principles reference the OECD’s Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, and it includes guidance to assist Global CBPR Forum Members (“Members”) in implementing the framework in domestic approaches to data protection and privacy, as well as forum-wide arrangements for interpreting its cross-border elements.

Global CBPR certification provides a simple and transparent way for organisations to demonstrate their commitment to data protection by showcasing their compliance with internationally-recognized data protection standards. It applies to organisations who are data controllers managing the collection, holding, processing and/or use of personal data.

To become Global CBPR certified, organisations must implement data protection, privacy policies and practices which meet the Program Requirements for all data collected or received that is within the scope of its certification.

The intake questionnaire for organisations considering certification and detailed program requirements are available here:

• Global CBPR Intake Questionnaire
• Global CBPR Program Requirements

Data controllers which are subject to the laws of Singapore can apply for Global CBPR certification. To be eligible, they must either be (1) formed or recognised under the laws of Singapore, or (2) resident, or having an office or a place of business, in Singapore, and in any case, not a public agency (as defined in the Personal Data Protection Act 2012). Certification is also subject to organisations’ acceptance of the terms of agreement (448.16KB) of the Global CBPR scheme.

Organisations seeking certification are to complete the CBPR self-assessment form (415.44KB) and then submit the form to any of the following IMDA appointed assessment bodies listed below.

The assessment body* acts as an independent body to assess that an organisation’s data protection practices conform to the Global CBPR requirements.

The assessment fee, payable to the assessment body, ranges and depends on the size of the organisation (e.g. annual sales turnover, no. of sites, etc) and the assessment body engaged. For a more accurate cost, approach any of the assessment bodies listed above for a quotation.

*For more information on how to be an Assessment Body, please refer to our information kit (337.90KB).

To learn more, explore the following resources:

• The directory of Global CBPR-certified organisations
• Global / APEC CBPR Information Kit (308.25KB)
• IMDA’s Accountability Agent Participation Documents
• Other IMDA Data Protection Certifications:
• Data Protection Trustmark
• APEC Cross-Border Privacy Rules System
• APEC Privacy Recognition for Processors System
• Global Privacy Recognition for Processors System

Funding support:

Eligible organisations can consider applying to Enterprise Singapore (ESG) to seek support for some of the costs for Global CBPR certification and consultancy services. Details on the criteria and application process can be found below:

• ESG Enterprise Development Grant

Interested organisations may refer to this Quick Guide on Enterprise Development Grant Application (256.46KB).

Professional consultancy services:

Organisations can refer to the list of Consultancy Service Providers (under DPTM Requirements and Resources section) if they wish to engage professional consultancy services to prepare them for the Global CBPR certification.

For questions, please refer to our FAQs or contact us at Data_Protection_Certifications@imda.gov.sg or 6377 3800.