The latest data privacy framework is the EU US Privacy Shield. It came about in response to the EU General Data Protection Regulation (GDPR). The framework has been found to meet the European Commission's adequacy determination, so the transfer of personal data from the EU to the US can be made easier if US organizations choose to join the Privacy Shield framework.
In this blog, we will take you through the process of becoming EU US Privacy Shield self-certified: a complete Privacy Shield self-certification checklist.
If you wish to know more about the EU US privacy shield framework check out our comprehensive blog article on what it is here.
Before You Start: Information You Will Need
Before beginning the journey to become EU US Privacy Shield certified, it is helpful to know that your organization will be required to provide certain information in order to be considered for participation in Privacy Shield. The key pieces of information your organization must provide are:
- Contact details: name, address, city, state, zip code. This must be a valid U.S. mailing address.
- Office and individual: full contact details of the person to whom all inquiries relating to Privacy Shield compliance can be addressed.
- Corporate Officer: full contact details of the individual authorized to apply for the US Privacy Shield self-certification on behalf of the organization.
- Description: details about the processing of personal data, answering questions such as the following:
  - Organizational Activities: what activities does your organization engage in regarding the personal data of EU citizens?
  - Personal Data: what types of personal data does the organization handle: the HR data of past and present employees, client or customer data, guest or visitor data, research and clinical data?
  - Human Resource Data: is it only HR data, or also other personal data?
  - Purpose: what is the purpose of the collection or processing of the data?
  - Third Parties: with what types of third parties will the data be shared, or to which will it be transferred?
  - Entities and Subsidiaries: which entities and subsidiaries will be included in the self-certification?
Investigating unresolved complaints
Identify the body that will provide an independent recourse mechanism when a complaint cannot be resolved using the organization’s own dispute resolution mechanisms. Where the EU Privacy Shield certification covers only HR data, the independent recourse mechanism must be the EU authority named in the US Privacy Shield, and your organization must commit to working with, and abiding by, its decisions.
Where the data being processed is general personal data (other than HR data), your organization must either designate an independent private sector mechanism and provide its name and website address, or choose to work with the EU Data Protection Authorities (DPAs).
Privacy policy
There are two separate requirements for the privacy policy information which you need to submit for EU Privacy Shield certification, and these relate to:
- Human Resources data
- Personal data other than Human Resources data.
Both require you to state the date on which these policies come into effect and apply to the data covered by the US Privacy Shield self-certification.
For Human Resources data, the organization must make the location of the privacy policy available for employees to view, and must also send a copy of the privacy policy statement to the Department of Commerce (DoC). The HR privacy policy does not need to be available to the general public.
The privacy policy for personal data other than HR data must be available to the general public, usually on the organization’s website. If you do not have a publicly accessible website, then you must state where the privacy policy can be accessed. This policy will also be uploaded to the US Privacy Shield website, where it can be viewed by the public.
What must the privacy policy include?
- You must name the statutory body which has legal jurisdiction over the data processing activities of the organization; in this case it will be either the Federal Trade Commission (FTC) or the Department of Transportation (DoT). This is the body that will investigate any complaints against your organization relating to the Privacy Shield Principles.
- Whether your organization has membership in any privacy programs.
- The verification method used by your organization: self-certified or externally verified. If you are verified by an external third party, their contact details must also be provided.
Revenue band
The fee for membership of the US Privacy Shield is calculated based on the revenue band into which your organization falls, and you are required to choose one from the list below. This information is used only to calculate the fee and is not made public.
The Revenue Bands are as follows:
- Under $5 million
- $5 million to $25 million
- $25 million to $500 million
- $500 million to $5 billion
- Over $5 billion
Seven Steps to EU Privacy Shield Certification
Acquiring EU Privacy Shield certification may at first seem complex, but in this blog we have outlined the seven main points that your organization will have to complete or review to become EU US Privacy Shield self-certified.
1. Eligibility to participate
Since participation in the US Privacy Shield is predicated on the ability of either the Federal Trade Commission or the Department of Transportation to exercise jurisdiction over the organization’s personal data processing activities, it is important to correctly identify which of the two bodies has jurisdiction over your organization.
Federal Trade Commission: FTC
Broadly speaking, the FTC has jurisdiction over activities involving commerce by people, partnerships, and corporations, so any activity involving the buying and selling of goods and services will generally fall under the remit of the FTC, including the marketing and sale of air transportation tickets. This last jurisdiction is shared with the Department of Transportation. There are certain ‘retail’ activities over which the FTC does not have jurisdiction; these are most, but not all, of the organizations which fall under the following categories:
- Banks
- Federal credit unions
- Savings and loans institutions
- Telecommunications
- Interstate transportation common carriers
- Air carriers
- Labor associations
- Non-profit organizations (most)
- Packer and stockyard activities (most)
- Insurance (except in limited circumstances)
The Department of Transportation: DOT
The activities of air carriers, both U.S. and non-U.S., fall exclusively under the DOT’s jurisdiction, as do the activities of organizations that market tickets for air transportation, a jurisdiction shared with the FTC.
2. Privacy Shield Privacy Policy Statement
Before submitting your application for self-certification to the Department of Commerce, you must develop a privacy policy that is compliant with the US Privacy Shield. It is very important that the privacy policy statement is written in simple, clear, and concise language. This is achieved by explaining how your organization does the following:
Compliance with the Privacy Shield Principles, which includes:
- How the organization handles information, and
- The choices that are available to individuals regarding the use or disclosure of their personal data.
- What practices are used regarding the use or disclosure of an individual’s personal data?
- How is each of the relevant Principles being complied with, especially the Notice Principle?
For a full overview of the EU US Privacy Shield principles check out our article here.
Specific mention of Privacy Shield compliance:
There are specific requirements for the publicly available version of the organization’s Privacy Shield Privacy Policy. It must:
- Clearly state the organization’s commitment to adhere to the principles of the Privacy Shield.
- Include a working hyperlink to the website of the US Privacy Shield: https://www.privacyshield.gov/
- Not state the organization’s participation in Privacy Shield until notification of a completed submission has been received.
Independent Recourse Mechanism
The external group or body to which the organization will refer unresolved complaints arising from Privacy Shield compliance must be clearly named and the correct hyperlink included in the online version of the Privacy Policy.
Indicate the correct and accessible location of the relevant privacy policies
When submitting the application for Privacy Shield self-certification, your organization’s Privacy Policy must already be in effect; that is, the date on which it came into force must be verified as being before the date of submission for self-certification. Additionally, there are separate requirements for privacy policies relevant to HR data and non-HR data:
- HR data: the privacy policy is not required to be publicly available, but it must be easily accessible to affected employees, on the organization’s website or at another location.
- Non-HR data: the privacy policy must be publicly available, on the organization’s website or at another location.
It is important to note that the location of the Privacy Policy must be openly stated, and that access to the policy must be easy and readily available to affected employees and individuals.
3. Identify the Independent Recourse Mechanism
Before applying for self-certification, the organization is required to name, and register with, the Independent Recourse Mechanism: the external body which will be responsible for investigating any unresolved claims or complaints against the organization relating to the Privacy Shield. This investigative dispute resolution service must be free of cost to the individual.
Any registration or membership by the organization to a private recourse mechanism will be verified by the Department of Commerce before the confirmation of successful self-certification.
Some of the Independent Recourse Mechanisms provided by private sector programs which are acceptable under the Privacy Shield are:
- Council of Better Business Bureaus (BBB),
- TRUSTe,
- American Arbitration Association (AAA),
- JAMS and,
- DMA, a division of the ANA
Where the organization is processing HR data of employees (both past and present) or has decided to work with the EU Data Protection Authorities (DPAs), it must make a declaration in its self-certification submission that it will:
- Commit to cooperate with the DPAs regarding the Recourse, Enforcement and Liability Principle under the EU US Privacy Shield (the full list of principles can be found here);
- Where a complaint is brought under the Privacy Shield, cooperate with any investigation and resolution proposed by the DPAs;
- Comply with any advice or measures proposed by the DPAs to improve the organization’s compliance with the Privacy Shield Principles, including measures for the benefit of individuals affected by non-compliance;
- Provide the DPAs with written confirmation of the organization’s fulfillment of the above measures; and
- Pay the annual fee of $50 to the United States Council for International Business (USCIB).
4. Pay the fee for the Binding Arbitration Mechanism
The Binding Arbitration Mechanism allows an EU data subject to invoke binding arbitration where complaints remain unresolved, and the costs of arbitrating unresolved complaints are covered by the collective fees.
The Department of Commerce has nominated the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) as the mechanism in this case and the fee can be paid online.
5. Verification Mechanism
Whether your organization self-certifies or uses a third-party external verifier for its compliance with Privacy Shield, there must be a mechanism in place which shows the following:
- Follow-up procedures to check that the statements made about Privacy Shield are true and that practices are in fact implemented in accordance with the Privacy Shield Principles.
- Attestations and assertions made in reference to the Recourse, Enforcement and Liability Principle must be verified through self-assessment or through an external compliance review.
- Verification of the privacy policy through self-assessment must indicate that the privacy policy:
  - Is accurate
  - Is prominently displayed
  - Is accessible
  - Is comprehensive
  - Is completely implemented
  - Conforms to the Privacy Shield Principles
  - Informs individuals of all methods available for making complaints
  - States the contact details of the Independent Recourse Mechanisms
  - Includes procedures for the training and discipline of employees regarding Privacy Shield
  - Includes internal procedures for objective compliance reviews
A corporate officer or authorized organizational representative must sign a self-assessment verification annually. This document must also be made available to individuals or during an investigation into non-compliance.
Similarly, an outside compliance review must assess all of the above and may use any or all of the following methods:
- Auditing
- Random reviews
- Use of ‘decoys’
- Use of technological tools
A statement verifying the successful completion of an external review must be signed by the reviewer or authorized organizational representative annually. This document must also be made available to individuals or during an investigation into non-compliance.
All these records must be kept and made accessible to the investigating body in the case of a complaint.
6. Designate Contact
A Privacy Shield contact person is required within the organization, such as the Chief Privacy Officer (CPO) or the authorized person within the organization who is responsible for the Privacy Shield self-certification.
This contact is responsible for handling all issues arising from participation in the Privacy Shield, and all complaints must receive a response within 45 days of receipt.
7. Review your Information
Lastly, in order to make the EU privacy certification process as smooth as possible, all the requisite information should be compiled and then reviewed before submission to the Department of Commerce. Inaccuracies or missing information will lead to delays in the successful completion of the application process.
Closing Remarks
With this privacy shield self-certification checklist your road to compliance is just one decision away.
RSI Security is committed to delivering the best in cybersecurity services and understands the challenges that organizations face in the field of compliance. EU Privacy Shield certification does not have to be a headache; the better your organization can handle data privacy, the better its customer relations will be in the long run.
A growing cyber-conscious market means more customers will be looking to organizations that handle their data properly. RSI Security can help you become that organization: book a Privacy Shield and GDPR consultation today!