Global Privacy Recognition for Processors (PRP) Certification

In 2022, the Global CBPR Forum was established to develop an international certification system which promotes interoperability between different regulatory approaches to data protection and privacy. The Global CBPR Framework (2023) explains what this means in principle and practice. Its nine guiding principles reference the OECD’s Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, and it includes guidance to assist Global CBPR Forum Members (“Members”) in implementing the framework in domestic approaches to data protection and privacy, as well as forum-wide arrangements for interpreting its cross-border elements.

The Global PRP certification was designed to help personal information processors demonstrate their ability to provide effective implementation of a controller’s data protection and privacy requirements. It also provides assurance that processing is consistent with a controller’s applicable requirements for processing under the Global CBPR System.

To become Global PRP certified, organisations must implement data protection, privacy policies and practices which meet the Program Requirements for all data collected or received that is within the scope of its certification.

The intake questionnaire for organisations considering certification and detailed program requirements are available here:

• Global PRP Intake Questionnaire
• Global PRP Program Requirements

Interested organisations (i.e. data intermediaries) that process data on behalf of the data controllers and which are subject to the laws of Singapore can apply for Global PRP certification. To be eligible, they must either be (1) formed or recognised under the laws of Singapore, or (2) resident, or having an office or a place of business, in Singapore, and in any case, not a public agency (as defined in the Personal Data Protection Act 2012). Certification is also subject to organisations’ acceptance of the terms of agreement (448.16KB) of the Global PRP scheme.

Organisations seeking certification are to complete the PRP self-assessment form (347.54KB) and then submit the form to any of the following IMDA appointed assessment bodies listed below.

The assessment body* acts as an independent body to assess that an organisation’s data protection practices conform to the Global PRP requirements.

The assessment fee, payable to the assessment body, ranges and depends on the size of the organisation (e.g. annual sales turnover, no. of sites, etc) and the assessment body engaged. For a more accurate cost, approach any of the assessment bodies listed above for a quotation.

*For more information on how to be an Assessment Body, please refer to our information kit (337.90KB).

To learn more, explore the following resources:

• The directory of Global PRP-certified organisations
• Global / APEC PRP Information Kit (325.07KB)
• IMDA’s Accountability Agent Participation Documents
• Other IMDA Data Protection Certifications:
• Data Protection Trustmark
• APEC Cross-Border Privacy Rules System
• APEC Privacy Recognition for Processors System
• Global Cross-Border Privacy Rules System

Funding support:

Eligible organisations can consider applying to Enterprise Singapore (ESG) to seek support for some of the costs for Global PRP certification and consultancy services. Details on the criteria and application process can be found below:

• ESG Enterprise Development Grant

Interested organisations may refer to this Quick Guide on Enterprise Development Grant Application (256.46KB).

Professional consultancy services:

Organisations can refer to the list of Consultancy Service Providers (under DPTM Requirements and Resources section) if they wish to engage professional consultancy services to prepare them for the Global PRP certification.

For questions, please refer to our FAQs or contact us at Data_Protection_Certifications@imda.gov.sg or 6377 3800.