How CBPR Certification Builds Trust and Enables Global Scale, with Charmian Aw
January 20, 2026
In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan welcome Charmian Aw, Partner at Hogan Lovells, to examine the growing relevance of the Cross-Border Privacy Rules (CBPR) System in an increasingly global data economy. Learn why organizations such as Cisco, Mastercard, and Alibaba have obtained certification, why the framework is gaining renewed attention among multinational organizations, and how it complements existing transfer mechanisms such as Standard Contractual Clauses (SCCs). The conversation also explores how CBPR certification plays a role in procurement, regulatory cooperation, and the evolution of responsible data processing.
In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan welcome Charmian Aw, Partner at Hogan Lovells, to examine the growing relevance of the Cross-Border Privacy Rules (CBPR) System in an increasingly global data economy. Learn why organizations such as Cisco, Mastercard, and Alibaba have obtained certification, why the framework is gaining renewed attention among multinational organizations, and how it complements existing transfer mechanisms such as Standard Contractual Clauses (SCCs). The conversation also explores how CBPR certification plays a role in procurement, regulatory cooperation, and the evolution of responsible data processing.
What You'll Learn:
- Why the CBPR System is gaining momentum globally beyond APEC
- The commercial case for pursuing both PRP and CBPR certification
- How certification actually works
- The competitive advantage hiding in your procurement checklist
- Why AI and healthcare use cases are accelerating CBPR adoption
- How the Global Cross-Border Privacy Enforcement Arrangement (Global CAPE) enables regulators to share information and coordinate cross-border investigations
- Why regulatory recognition matters and how it may evolve as more jurisdictions join
- And so much more!
Charmian Aw is a leading privacy and cybersecurity advisor with deep knowledge of frontier technologies, including AI, data protection frameworks, and international compliance strategy. In this episode, she shares insights from the recent Global CBPR forum, which she attended alongside VeraSafe, a recognized CBPR Accountability Agent. The discussion offers a practical and engaging look at how regulatory developments translate into real-world operations and commercial outcomes. Together we discuss how organizations can move beyond compliance as a checkbox to use accountability frameworks such as the CBPR and PRP Systems to support trust, scalability, and business value.
If you enjoyed this episode, make sure to subscribe, rate, and review it.
Episode Highlights:
- [04:45] Why the CBPR Deserves More Attention
The CBPR is widely underhyped because many organizations still approach it with the wrong mindset, treating it as a nice-to-have rather than a strategic, regulator-backed tool. As data flows across borders faster than regulation can keep up, relying on fragmented, country-by-country compliance is neither scalable nor sustainable. CBPR reframes that conversation by offering a unified, multi-stakeholder framework that is designed to support continuous, compliant data transfers across diverse jurisdictions with visible regulatory participation and endorsement
- [17:40] How Certification Actually Works
To earn CBPR certification, organizations must apply in their home country through an approved accountability agent, an auditor-like partner who evaluates whether your privacy program meets the framework’s principles. The process involves completing a structured assessment, closing identified gaps, and maintaining ongoing compliance through annual renewals. Importantly, certification requires core privacy practices to already be in place and encourages a truly holistic privacy program.
- [23:51] Overlap With ISO, SOC 2, and GDPR
CBPR certification strategically aligns with existing frameworks, such as GDPR, ISO 27001, SOC 2, and the Data Privacy Framework (DPF). Many of the same controls already exist in your privacy and security programs, making CBPR a natural next step rather than a reinvention of the wheel. More importantly, its value isn’t measured by the cost of certification but rather by the trust signal it sends to customers, regulators, and procurement teams. As more organizations add CBPR certification to procurement and vendor risk checklists, failing to adopt it risks becoming a competitive disadvantage. The true ROI lies in regulatory endorsement, market confidence, and being positioned ahead of the compliance curve.
- [28:51] Practical Business Benefits
Organizations relying solely on adequacy decisions or SCCs are betting their compliance on paperwork that few people truly understand or can operationalize. Global CBPR certification flips that dynamic: instead of signing complex, non-negotiable contracts and hoping the business can keep up, it delivers a regulator-endorsed, trusted compliance stamp. By requiring real assessments, cross-functional involvement, and evidence-based governance, Global CBPR transforms data transfer compliance from a legal checkbox into a practical, scalable framework that reduces contract risk, builds customer trust, and future-proofs operations in a fragmented regulatory world.