
A Practical Guide to the EU-US Privacy Shield

25/07/2016
In all the talk and commentary about the EU-US Privacy Shield, what often gets lost is the one issue that is of primary importance to US businesses – what do US companies actually need to do to self-certify to the Shield? With that in mind, we have sought to digest the 128 pages of Privacy Shield documentation and produce a condensed checklist of what the Shield requires from a practical standpoint.

On a related note, my colleagues and I recently gave a live webinar on "Privacy Shield – to certify or not to certify? That is the question" which considers the other all-important question of whether the Shield is right for your organization. Our webinar is now available for viewing online here. Enjoy!

Here are the 8 key steps for Privacy Shield compliance:

1. Update your Privacy Policies

The "Notice" Principle requires organizations to include certain information in their privacy policies. Amongst other things, your privacy policy should reflect your data-handling practices and the ways in which you share personal data with third parties. You must make specific reference to your commitment to the Privacy Shield Framework and your adherence to the Shield's Principles and include detailed information about how individuals can exercise their rights to access, correct and delete data, and to make complaints through different channels.

Although it is the first principle, this will probably be one of the final steps you'll carry out before certification given that you won't be able to describe much of this information until your other Privacy Shield ducks are in a row first.

2. Provide users with means of opting out / opting in

Similar to Safe Harbor, the "Choice" Principle requires companies to provide users with a way of opting out of: (a) disclosures of their personal data to independent third parties (not agents); and (b) use of their data for a purpose "materially different" from the one for which it was originally collected.

For example, you'll need to provide an opt-out if you share a user's email address with a third-party partner who wants to market their own products or services; or if you want to use a user's website activity data for targeted advertising purposes but didn't mention this when you first collected it.

There needs to be a "conspicuous" and "readily available" mechanism for opting out - for example, an opt-out link in your privacy policy, or a toggle button within an app's settings.

If doing either of these things for sensitive personal data, organizations need to seek express, prior opt-in consent.

3. Revisit your third party contracts

Companies will need to revisit their contracts with third party controllers and processors to ensure they contain the following terms: (a) that the data be processed only for limited, specified purposes consistent with the original consent; (b) that they provide the same level of protection as the Shield's Principles; and (c) that they notify the company if they can no longer meet this obligation and, if so, either cease processing or take other reasonable and appropriate steps to remediate.

In addition, the onus is placed on companies to take steps themselves to ensure that a processor handles the data in a way that meets the Principles. Doing some due diligence, and seeking assurances around your processor's data handling, data retention and security measures, will be a good idea.

One sweetener offered by the Department of Commerce is that companies signing up to the Shield within the first two months will be given a further nine months (from the date of certification) to comply with this Principle. So companies will at least have that extension of time to carry out those contract negotiations and re-procurements.

4. Pick your independent recourse mechanism

Companies will need to sign up to a third-party dispute resolution provider or commit to cooperate with the European DPAs.

There are a number of private sector dispute resolution providers on the market who will provide such services for a fee. The cheaper option is to sign up to the panel of European DPAs (around $50-$500 per year), but this potentially entails greater EU regulatory oversight.

On top of that, remember that companies will need to respond quickly and appropriately to inquiries and investigations by the Federal Trade Commission, the Department of Commerce and, for disputes that can't be resolved in any other way, the Shield's binding arbitration panel.

5. Get your internal policies in order

Companies will ideally have internal policies in place to deal with the following:

  • Subject access requests policy: Employees will need to be able to recognise and deal with (or refer up) subject access requests.

  • Complaints handling policy: Companies should have a transparent and clear procedure in place for dealing with complaints from individuals. Where complaints are made to the organization itself, they must be responded to within 45 days of receipt. You should designate a particular person to handle questions and complaints arising under the Shield. Individuals will also be able to complain through other channels (see step 4 above) – so there should be clear procedures in place to ensure your staff can deal swiftly and appropriately with approaches from third party dispute resolution bodies and/or regulators.

  • Data handling policies: Companies should ensure their data-handling policies are up-to-date, state-of-the-art, and completely implemented. This includes information security policies, access controls, and procedures for investigating data breaches.

  • Also, make sure your systems are set up so you are able to correct, amend and delete personal data on request.

6. Set up procedures for annual assessments and re-certifications

Under the 'verification' requirement, organizations will need to ensure they remain certified to the Shield in years to come and carry out annual assessments of their compliance to the Principles.

Annual assessments can be carried out in-house (e.g. a signed evaluation by a corporate officer) or through a third-party compliance review (which might involve audits, random reviews, use of decoys and other technology).

7. HR data - further steps

If you are certifying for human resources data, then you'll need to apply the same Principles equally to that data. For example, you'll need to draft a separate employee privacy policy that meets the requirements of the Notice Principle. You'll also need to amend your vendor contracts where they relate to HR data.

With HR data, companies must commit to cooperate with the panel of European DPAs as their independent recourse mechanism. That's compulsory under the Shield; no third party mechanisms are allowed.

8. You're ready to self-certify!

Once you have those steps in place, you'll hopefully be ready to certify. Self-certification commences on August 1, 2016. Companies will need to fill out a self-certification profile here and pay a small fee.

Good luck to all the companies out there signing up to the Shield. These are still uncertain times, but hopefully this framework will see you through for the next few years.

(This is intended to be an abridged guide only. Please make sure you've read the Privacy Shield documents yourself to check you've met all the relevant requirements.)
