As a continuation of our previous post on the GDPR (General Data Protection Regulation) and its implications for U.S. based firms, it is important to keep the EU-US Privacy Shield in mind. Under both the GDPR and its predecessor, the EU does not allow personal data on people in the EU to be transferred outside the EU/EEA unless the destination country has been found to provide an adequate level of data protection. The European Commission has not issued such an adequacy finding for the U.S. as a whole, but U.S. organizations can navigate this by adhering to the EU-US Privacy Shield.
The EU-US Privacy Shield is a program under which participating U.S. companies are considered to provide adequate data protection and can therefore receive transfers of EU personal data. Its predecessor, the Safe Harbor Framework, was struck down by the Court of Justice of the EU in 2015 because it was not considered to protect EU residents' data adequately. Note that the GDPR protects the personal data of individuals who are in the EU regardless of their citizenship, and EU residents do not lose that protection when their data leaves the EU.
Your firm can also fall within the GDPR's scope if your website has a form or any tracking mechanism that collects data from people in the EU, even with no office there. Although the Privacy Shield is entirely voluntary and self-certified, once an organization publicly commits to it, that commitment is enforceable under U.S. law by the Federal Trade Commission, and your firm must re-certify annually to remain on the Privacy Shield list.
There are two categories of data transfer under the EU-US Privacy Shield, HR data and non-HR data. HR data covers employee data and the privacy policies that govern it, while non-HR data covers the information you hold on prospects and clients, and may trigger revisions of your privacy notice and of your opt-in or opt-out policies.
According to the EU-US Privacy Shield, to ensure that your firm is meeting all requirements, you “must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed.”
Being certified under the EU-US Privacy Shield can give your company a head start on meeting the GDPR's standards and also provides legal clarity and direction on the EU's data protection requirements, but it does not guarantee full GDPR compliance. It is also important to note that the EU-US Privacy Shield is jointly reviewed by the EU and U.S. every year and could change, so assign a named person to stay current with all updates.
Some of the benefits of joining the Privacy Shield, according to the International Trade Administration, include:
All EU Member States are bound by the European Commission's finding of "adequacy", so a Privacy Shield certification is recognized across the EU.
EU Member State requirements for prior approval of data transfers are automatically waived or approved, so organizations do not need to seek approval from each national authority.
Compliance requirements are clearly defined.
The Privacy Shield Framework is cost effective. This is especially useful for small to mid-sized firms.
While the EU-US Privacy Shield does offer some formal protection and can be a useful framework for working toward GDPR compliance, it is not all-encompassing. For true GDPR compliance, your organization needs to follow the regulation's own requirements as well.
For more information, checklists, and guidelines on the GDPR and how it fits with the EU-US Privacy Shield, read our whitepaper, "The Deadline is Coming: What U.S. Based Firms Need to Know about the GDPR". Engaging a third-party vendor to evaluate your firm's compliance can relieve a lot of the burden on your organization and reduce the risk of the GDPR's largest fines (up to 20 million euro or 4% of global annual turnover, whichever is higher) for non-compliance.
Contact Eze Castle Integration to ensure that your firm is compliant or for additional guidance.