Organizations that choose to certify by October 1, 2016, will benefit from a nine-month leniency period
With the recent approval of the EU-US Privacy Shield transatlantic data transfer pact, approximately 4,500 companies must contend with a new set of requirements and issues to ensure compliance.
Starting August 1, US companies may begin to submit self-certifications to the EU-US Privacy Shield framework at www.privacyshield.gov. Previously certified companies under the predecessor framework (Safe Harbor, which was invalidated in October 2015) are well-positioned to certify with Privacy Shield.
[1] Annexes to the Commission Implementing Decision re: the EU-US Privacy Shield, Annex IV, page 61
Privacy Shield overview, risks, and compliance
The new EU-US Privacy Shield pact requires companies to report cyberattacks and incidents where data has been breached.
Privacy Shield adds new fundamental and procedural requirements that may compel companies to adopt and implement new internal policies and procedures prior to certification, including:
- data retention procedures
The pact also mandates that all EU member states (including the UK for now) work more closely together on network and information security, specifically to lock down critical national infrastructure.
Finally, companies should plan on additional compliance scrutiny from US regulators enforcing Privacy Shield, even after leaving the program. In contrast to Safe Harbor, once a company has been certified under Privacy Shield, it must either delete any information collected under it or continue to follow Privacy Shield’s principles to safeguard it.
Bottom line: What to do now
- Start early. The Department of Commerce has provided an incentive for US companies to certify quickly. Those that certify within two months, by October 1, 2016, will benefit from a nine-month leniency period around aligning third-party contracts with the new requirements for onward transfers.
- Conduct a compliance readiness assessment to understand the new requirements for data transfer processes and oversight, and how they will affect your current data transfer process. Companies that certify compliance with the Privacy Shield principles and then fail to comply are subject to enforcement by the US Department of Transportation or the Federal Trade Commission for engaging in unfair or deceptive trade practices. The program requires that procedures be in place for verifying compliance.
- Develop a new data transfer compliance strategy with prioritized requirements, data management procedures, and resource training.
- Closely monitor developments related to the EU-US Privacy Shield implementation, its requirements, oversight, and enforcement details as specific impacts continue to emerge.
For more information on the new Privacy Shield certification process, moving from Safe Harbor to Privacy Shield, or understanding your readiness for compliance, contact Baker Tilly’s cybersecurity and information technology risk practice.