5 ways US companies can prepare for the Privacy Shield
As covered in our recent alert (EU-U.S. Privacy Shield formally adopted, set to launch Aug. 1 for U.S. businesses), the European Commission formally adopted the EU-U.S. Privacy Shield, a framework designed to replace the previously invalidated Safe Harbor program and to provide companies on both sides of the Atlantic with a new mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area (comprised of all EU member states, plus Norway, Liechtenstein and Iceland) to the United States.
Companies that are considering joining the Privacy Shield should consider the following steps:
- Develop, maintain and follow a meaningful and compliant Privacy Shield policy. The policy will be based on the seven principles for certification. If you are currently or were a Safe Harbor company, your Safe Harbor policy can be easily leveraged and supplemented to meet Privacy Shield requirements. For other companies, this step simply means you need to review and update your current privacy policy to:
  - Conform with the Privacy Shield principles
  - State that the organization complies with the Privacy Shield principles
  - Identify an independent recourse mechanism
  - Ensure the privacy notice is publicly available
- Address onward transfers. Review existing data sharing agreements with vendors, partners and third parties to ensure that they limit data uses to specified purposes and that they apply the same level of protection as guaranteed by the privacy principles that your company has in place.
- Review internal training content to ensure that it reflects updated policy and procedures under the Privacy Shield program. As with Safe Harbor, the Privacy Shield has a training requirement for employees and workers who have access to EU citizen data. For Safe Harbor companies, training can be quickly updated. For companies new to the process, certifying under the Privacy Shield is an opportunity to create new training, or to update and enhance existing training, that both satisfies Privacy Shield requirements and establishes a consistent baseline privacy and data protection/security training module for global use.
- Ensure the organization establishes effective procedures to verify and maintain compliance.
- Collect the full set of program documentation in preparation for a Privacy Shield application. Unlike the Safe Harbor program, in which application-stage vetting was quite limited, the U.S. Department of Commerce has committed to being significantly more involved, to ensure not only that applicants have documentation fulfilling the requirements, but also that each applicant properly applies the relevant policies and procedures.
To learn more about the Privacy Shield framework, contact one of the data privacy attorneys listed below.