As we face more and more questions with regards to the General Data Protection Regulation (GDPR) and its impact in the EU and on companies outside the EU, we continue to procure clients with relevant assistance. In this piece, we focus on the US and its agreement with the EU to build a framework that allows for the transfer of data to adequate countries, meaning countries recognized as having a similar standard of data privacy protection. To be eligible, US companies must join into the US Privacy Shield. We describe what this entails and what this means.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.
The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determinations (view here). To join the Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.
In order to apply for the Privacy Shield, one needs to create an account and then provide the following information:
1. U.S. Organisation Information
a. Name
b. Address
2. Two Contacts
a. Organization Contact: Provide a contact office and individual within your organisation for the handling of complaints, access requests, and any other issues concerning your organisation’s compliance with the Privacy Shield Framework.
b. Organization Corporate Officer: Similar to Organisation Contact
3. Organisation Characteristics
a. Annual revenue
b. Number of employees
c. Organisation’s industry
4. List US subsidies and entities that are also covered by the Privacy Shield
5. Privacy Policies
Note regarding privacy policies applicable to personal data other than human resources data:
If your organization has a public website, provide the relevant web address where the privacy policy is available.
If your organization does not have a public website, provide information regarding where the privacy policy is available for viewing by the general public and upload a copy of the relevant privacy policy, which will be made available on the Privacy Shield website.
Note regarding privacy policies applicable to human resources data:
Although an organization is not required to make available to the general public the relevant privacy policy for HR, it must provide information regarding where the privacy policy is available for viewing by affected employees and provide a copy of that privacy policy to the Department of Commerce by uploading a copy of that policy. The uploaded copy of that privacy policy will not be made available on the Privacy Shield website.
6. Pay the Application Fee and Submit
The Application Fee is $250.
An overview of the Privacy Shield Framework can be found here.
All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework should review the requirements in their entirety. To assist in that effort, Commerce’s Privacy Shield Team has compiled resources and addressed frequently asked questions, which can be viewed here.
Organisations that wish to self-certify under the framework can do so here.
The GDPR is much bigger than a lot of people realise, its scope covers almost everything you do. If you haven’t yet made sure that your Firm’s policies and procedures are compliant with the GDPR, the time to do so is now. We offer EU representative services to non-EU firms, enabling proactive GDPR compliance with little to no interruption. EuroRep will be your Representative in all European member states, and the point of contact for customers and authorities in the EU regarding privacy. We have a long history of data privacy expertise and work openly with specialised consultants to ensure our client’s peace of mind. Click here to learn more about EuroRep.
If you need further assistance with the GDPR, we’ve also created a practical, all-encompassing Impact Assessment tool to help you evaluate your GDPR compliance and recognise areas that represent a higher risk of non-compliance. We’ve also created Template Policies, which you can customise independently to make sure your Firm’s policies are aligned with the GDPR requirements. These policies can be stored and any changes audit-trailed within Laven’s Digital Compliance Assistant (DCA) software. To purchase our GDPR tools, click here to visit our online shop.
For further information about the GDPR and our services, contact us here.
