The EU US Privacy Shield is the latest in data protection frameworks to manifest since the implementation of the GDPR. In an agreement between Europe and the United States, to foster positive transatlantic trade, the framework has been developed to facilitate the easier transfer of personal data from the EU to the US.
The EU US Privacy Shield framework is not just another regulatory measure for your organization to follow, in fact, adopted correctly the framework can do a lot to protect your brand. Furthermore, it has some hidden marketing potential for those who can be a bit more creative with its implementation.
However, there are two key areas in which Privacy Shield certification can protect your brand: Legal Compliance and Reputational integrity.
Legal Compliance
The EU-U.S. Privacy Shield was created by the U.S. Department of Commerce (DOC), and the European Commission to provide organizations in both the U.S. and the EU with a mechanism to legally comply with data protection requirements arising from the General Data Protection Regulation (GDPR). Privacy Shield was created to assist in cross-Atlantic commerce where the transfer of personal data from the European Union to the U.S. is involved.
Adequacy Determination
Every member state of the European Union is required to ascertain that all transfers of personal data relating to European Union citizens and residents are done under adequate privacy protection. This ‘adequacy’ is a legal requirement without which any transfer of personal data will be deemed illegal and could then expose the brand to the enforcement actions of either the Department Of Transport (DOT) or the Federal Trade Commission (FTC) depending on the jurisdictional authority in the case.
One of the benefits of Privacy Shield certification is that all compliant participants in the Privacy Shield are automatically considered to be fulfilling the ‘adequacy’ requirement.
Individual EU Member States have specific requirements for the prior approval of certain data transfers. These requirements are either waived or they will be approved automatically for Privacy Shield certified participants thus ensuring legal compliance for the ‘prior approval’ of the relevant data transfers.
Assess your GDPR compliance
Reputational Integrity
Organizations that are participants in the U.S. Privacy Shield and are found to be in compliance with the Privacy Shield Principles will be placed on a publicly available list on the privacy shield website. This Public List of compliant organizations allows potential and prospective clients to check your organization’s privacy protection status as it relates to the legal transfer of personal data from the EU to the U.S. Obviously this allows for greater trust between parties and for the strengthening of your brand’s reputation with regards to data protection.
Conversely, those organizations found to be illegally transferring the personal data of EU residents will be open to the many legal sanctions based on the GDPR, the most onerous of which comes in the form of a fine of up to 4 percent of global turnover or $22 million dollars. Other sanctions include forced erasure, destruction or return of the illegally obtained data, public naming and shaming of the non-compliant organization, and the possibility of criminal charges against the CEO or director.
The Privacy Shield list of compliant companies has its non-compliant counterpart in the form of a public list of no longer compliant or no longer certified brands and organizations who continue to claim that they are Privacy Shield certified.
How does Privacy Shield Certification Benefit your brand?
Benefits of Privacy Shield certification include easy-to-follow compliance which is achievable at a reasonable cost. The Department of Commerce has designed a self-certification process which clearly outlines the seven categories of information needed to fill out the self-certification application, namely;
- Valid U.S. mail contact details of the organization including the name, address, city, state and zip code.
- Office details and contact details of the person responsible for all inquiries relating to Privacy Shield compliance.
- The full contact details of the Corporate Officer who is authorized on behalf of the organization, to apply for the US Privacy Shield self-certification.
- A full description of the processing of personal data which provides details about the different types of data being processed, the method of processing, and the entities or third parties who will be involved.
- Identify the independent dispute resolution body which will be used in the case of an unresolved complaint arising from your organization’s participation in the U.S. Privacy Shield Framework.
- Identify the separate Privacy Policy requirements for Human Resources data, and Personal data which is not Human Resources data.
Identify the revenue band to which your organization belongs; this will help the Department of Commerce allocate the correct fee for the participation of your organization in the Privacy Shield. The Department of Commerce has stated its commitment to making participation in the U.S. Privacy Shield accessible to organizations of all sizes and as such one of the benefits of Privacy Shield Certification is the low cost of the yearly participation fee which is based on the annual turnover of the business.
The fee ranges from $250 to $4,875 per year to be paid on the same date, however, another of the benefits of Privacy Shield certification is the ability to change the annual recertification payment date by simply paying your next year’s membership fee at an earlier date (before the current year’s membership fee expires) on the date preferred by your organization.
Untapped Marketing Potential
Lastly, there is one benefit of Privacy Shield certification that may not at first seem obvious to many, and that is the marketing potential. Oftentimes cybersecurity, in general, is and can be viewed as a risk management tool.
Many organizations lament spending money on cybersecurity until they have suffered some kind of breach or security incident, and in light of certain regulations such as the GDPR, that can be viewed as negligent behavior and could cost the company not only fines but also heavy reputational damage.
In the latter case, it can be so detrimental that an organization may never recover. Building one’s reputation is an ongoing process, as the saying goes Rome wasn’t built in a day.
This is where the primary marketing potential of the EU US Privacy Shield enters. Your organization can use it as a tool that communicates to its customers that they care about how their data is handled, and that is it handled ethically.
The reality that organizations face today is that corporate social responsibility is a factor in buying habits among consumers. There may come a time where organizations have to move past data protection as a regulatory measure but rather a social responsibility for them. The higher dependency markets have on the digital world from e-commerce to digitalized social interaction the more reliance we will have on robust cybersecurity implementation.
It will be at this turning point that companies who do not engage with proper data protection frameworks and cybersecurity architecture will be viewed as socially irresponsible.
Opportunities like this allow your organization to be ahead of the curve, to show that you are willing to brave the regulatory environment and transform it into an asset.
Here at RSI Security, we can help you achieve your cybersecurity needs. We understand the challenges that organizations face in data-driven markets, let us help you turn your cyber weaknesses into marketing strengths.
Book a consultation today, for a wide range of cybersecurity services, become Privacy Shield, and GDPR compliant today!