Unlock open data with CDR access

Achieve Consumer Data Right accreditation or sponsorship to unlock consumer data under the Australian Consumer Data Rights


Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


We work with more than 500 fast-growing companies across 20+ countries, ranging in size from 2 to 26,000+ employees.


Is this the year you

grow with CDR?

The Consumer Data Right (CDR) is an Australian Government initiative that empowers organisations to securely access and utilise valuable consumer data.

By achieving CDR compliance, your organisation can access this data to offer more competitive products and services, enhance customer engagement and drive innovation to stay ahead in a competitive market.

As a registered CPA and CA firm ready to help you earn trust with CDR globally, we provide complete audit services, with a cloud-native and agile approach. This enables you to work at a pace that suits you rather than navigate the traditional complex audit model. 

Ready to get started with CDR?



Four steps to CDR access

left arrow right arrow
CDR Readiness Assessment

CDR Readiness Assessment

Integrating with many compliance platforms, we provide a tailored view of your controls and any gaps to help you prepare for your audit.

Remediation Support

Remediation Support

We guide you as you address any gaps and implement fit-for-purpose processes that align with your company and the Consumer Data Right requirements. Our flexible and responsive team helps you work through it at your own pace.

CDR Type 1 Audit

CDR Type 1 Report

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback helps you stay on track and achieve real operational benefits for your company. The Type 1 is used for your initial unrestricted accreditation.

CDR Type 2 Audit

CDR Type 2 Report

Type 2 audits are conducted every second year to maintain accreditation. We conduct the Type 2 audits either at your own pace within a defined timeline or incrementally throughout the year to minimise disruption and increase confidence in your compliance. 

Ready to get started on your compliance journey?


Clear reasons to act


Accreditation to unlock
CDR access

ASAE 3150 reports recognised by the ACCC to achieve unrestricted accreditation


Customer comfort and trust

Give your customers peace of mind with secure and reliable CDR data sharing


Minimal business disruption

Agile and flexible audits that help minimise the disruption while fast-tracking your access


Choice of goalposts

Choose between unrestricted, sponsored or representative access to fit your goals


Multi-standard compliance

Audits that can combine multiple related frameworks, standards and certifications


Get started with a baseline

The ability to access data with ongoing process improvements to fast-track your access


Your questions answered

What is Consumer Data Right?

The Consumer Data Right (CDR) is an Australian Government initiative that empowers organisations to securely access and utilise valuable consumer data. By achieving CDR compliance, your organisation can access this data to offer more competitive products and services, enhance customer engagement and drive innovation. CDR enables data-driven decisions, helping your business stay ahead in a competitive market.


Which of the five Consumer Data Right access models is best for my business?

Since the legislative updates in October 2021, there are now five access models for the CDR. If you qualify as a 'Trusted Advisor', or only need to use 'CDR Insights', then you do not require any accreditation to access CDR data within that scope. However, CDR Insights is very limited.

There are three models that allow complete data access; Unrestricted, Sponsored, and Representative. Unrestricted provides the most flexibility; you do not need to rely on another third party for your access and with full accreditation you can provide access to others using the sponsored or representative models.

Representative access is appealing for faster access when you opt to use a third party to collect the data for you; usually a data intermediary. They can act as your Principal which means they are liable for your compliance and you don't need to be assessed by the ACCC directly. AssuranceLab works with these Principals as a partner to assess compliance and support the onboarding process.

Sponsored access is similar to unrestricted but does not rely on a formal ASAE 3150 report. It still requires assessment by the ACCC so it is slower than representatives but may be lower cost than unrestricted by saving on external audit costs. This model has not been broadly adopted.

We recommend either Unrestricted to have complete flexibility and safeguard your business continuity, or Representatives access if you want to fast-track your access.

What is required to be compliant with the Consumer Data Right rules?

The CDR legislation includes a broad set of rules that apply to those accessing the CDR data. There are general compliance requirements around obtaining, tracking and updating consent from consumers, making available a public CDR policy for them to understand their rights and the use of data, and who and how the data can be shared with third parties.

A big part of the rules is the information security requirements that are prescribed in Schedule 2, Part 1 and Part 2. Part 1 requires that you implement an effective information capability and governance, that you define the boundaries of your CDR Data Environment, assess your risks and controls in that environment, and test your incident response capability. 

Part 2 then goes into greater detail on specific expected information security controls including access control, network security, data loss prevention, managing information assets through their lifecycle, anti-malware protections and human resources security. These areas very closely relate to many other global standards like SOC 2 and ISO 27001, that can be effectively combined to achieve multiple compliance goals without duplicating the efforts.

What are Type 1 and Type 2 ASAE 3150 reports?

Unrestricted accreditation requires an ASAE 3150 report, that is similar to the more globally prevalent SOC 2 report. A Type 1 report is sufficient for initial accreditation, and then a Type 2 report is required every two years thereafter to maintain accreditation.

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the CDR criteria.

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period of 12 months to show your systems and processes have been operating consistently to satisfy the CDR criteria.

How long does it take to get access to CDR data?

The timeframe to access CDR data can vary a lot based on the access models described above. The two most common access models are Unrestricted and Representative.

Unrestricted access typically takes 4-9 months. This is made up of a period to implement and achieve compliance with the information security requirements (1-3 months), the ACCC's assessment and granting accreditation (3-5 months), and then a period to test and go live with CDR data (~1 month).

Representative access can be much faster than Unrestricted but still relies on achieving a level of compliance that satisfies the CDR Principal's requirements. We see as little as a few weeks to access CDR data under this model when compliance automation is used combined with a well-defined approach from our intermediary partners. 

Can we do it faster by using a compliance automation platform?

Yes. Compliance automation platforms offer various out-of-the-box policies, controls and automated verifications to fast-track your compliance. We have built two CDR frameworks that automatically map and verify the right controls for CDR compliance. One of those is for Representative access with a scaled-down set of requirements, whereas the other is for Unrestricted access with the complete requirements.


A checklist of requirements for your environment

The Consumer Data Right requires information security controls to be implemented at four levels; organisational, infrastructure, software, and endpoint devices. Our white papers provide a checklist to address each layer as it relates to your cloud environment.

Google Security  CDR White paper (2)

Google CDR Security White Paper

Download now

AWS Security  CDR White paper

AWS CDR Security White Paper

Download now


Earn trust with other leading standards


Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.



The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.


CSA Star

A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.



Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.

Get started your way

We’re ready when you are