Companies that self-certified with the Department of Commerce (DOC) last fall, before the September 30, 2016 deadline, will soon see their 9 month “grace period” come to a close. The grace period was given to these companies so that they could ensure that all of their third party vendors met the Accountability for Onward Transfer principle. With the grace period ending soon, that deadline is fast approaching.
The Privacy Shield Accountability for Onward Transfer principle, Section II, 3.b., states:
To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
In sum, maintaining your Privacy Shield certification by adhering to the Accountability for Onward Transfer principle requires a lot of due diligence. When your company has a relationship with a third party vendor that involves transferring personal information to that vendor, your company has to ensure that the vendor will process the personal information in a manner consistent with your company’s obligations under the Principles. Your company’s contract with the vendor also has to state that the data your company transfers to it can only be used for limited and specified purposes. What’s more, vendors acting as agents have to cease unauthorized processing and take steps to remediate it.
For most companies, this is a lot of work that is quite time consuming; the initial grace period concession was given in light of the time it may take a company to comply with this principle. For example, a few of the hundred or so vendors that a typical mid-sized business uses are: a marketing automation system, a customer relationship management system, an administrative services system, and a payroll system. Larger organizations may use thousands of vendors.
How will companies adhere to this principle? One option is to compile a large spreadsheet and call, email, or meet with internal business or process owners. Though this option is cost effective in terms of dollars, it is not cost effective in terms of time, productivity, and data integrity. Technology solutions to automate the process and provide an easily accessible digital repository may have up-front costs. However, long term savings in terms of time, productivity, and maintaining data integrity will far outweigh initial up-front costs.
If you have any questions about the requirements of this Principle, contact us.
Last week TRUSTe held a webinar “Privacy Shield Self-Certification – What’s Next?” as part of its Privacy Insight Series. If you missed the webinar you can still sign up to receive the on-demand recording and the slides.
Our speakers, David Fowler, Chief Privacy & Digital Compliance Officer, Act-On Software; Amanda Gratchner, Global Privacy Counsel, NAVEX Global; and K Royal, Senior Privacy Consultant at TRUSTe discussed several different ways to enhance everything from your policies to your Privacy Impact Assessments by leveraging your Privacy Shield Certification. They also discussed how to use the Certification toward compliance with other frameworks, such as the EU General Data Protection Regulation (EU GDPR).
Here are three practical tips our speakers shared:
1. Create a Uniform Destruction and Retention Policy.
When conducting your data mapping and inventory exercise, pay special attention to destruction and retention policies so that any replicated data is treated the same.
2. Simplify Privacy Policies.
Eliminate any policies with grandiose language that cannot be enforced. Make re-certifying next year easier by fine tuning your policy as the organization changes.
3. Better Manage Vendors.
Feed your subcontractor audit methodology into your PIAs so that your privacy program becomes an overarching framework covering the entire data lifecycle.
TRUSTe delivers solutions to help your organization meet Privacy Shield requirements, and many others, such as the EU GDPR.
Last month the United States Department of Commerce and Switzerland’s Federal Council declared that the new Swiss-US Privacy Shield Framework will be the successor to the Swiss-US Safe Harbor framework. The Swiss-US Safe Harbor framework was declared invalid in October 2015 following the European Union Court of Justice’s decision that the EU-US Safe Harbor was an inadequate legal mechanism for personal data transfers to the US. Since then, officials have drafted the new framework to ensure that the Swiss-US Privacy Shield Framework improves upon the U.S.-Swiss Safe Harbor framework by including stricter data protection principles. These include enhanced requirements around notice, onward transfers and data retention, improved management of the framework by US authorities, and new mechanisms for individuals to obtain recourse for violations.
While the replacement occurred immediately, the Department of Commerce will begin accepting certifications on April 12, 2017 so that organizations have time to review the new Swiss-US Privacy Shield Principles.
The mechanism for personal data transfers from member countries of the European Economic Area (EEA) is the EU-US Privacy Shield, and because Switzerland is not a member of the EEA, Swiss and US officials developed this separate agreement. Although the two agreements are separate, the Swiss-US Privacy Shield framework parallels the EU-US Privacy Shield framework in many ways. The Federal Council stated that “the fact that the two frameworks are similar is highly significant, as it guarantees the same general conditions for persons and businesses in Switzerland and the EU/EEA area in relation to trans-Atlantic data flows.”
While the two agreements are similar in many ways, there are still some areas where the two agreements vary. Organizations should not assume that certification for EU-US Privacy Shield translates directly to certification for Swiss-US Privacy Shield. An assessment and verification should be conducted for an organization’s privacy posture against the new Swiss-US framework.
TRUSTe has assessment and verification solutions. As of February 2017, TRUSTe has helped over 350 companies with their EU-US Privacy Shield needs, and plans to provide Swiss-US assessments as well. To find out more, contact us.
We would like to thank all of our blog subscribers and visitors for a great 2016. This year has had many monumental privacy events, from the EU General Data Protection Regulation (GDPR) being adopted to EU-US Privacy Shield being finalized. TRUSTe was there as your trusted privacy advisor throughout the changes, and here are the top three blog posts of the year:
1. EU GDPR Series: Tips on Privacy Compliance
This series gives the background on the EU GDPR, the path to compliance, and practical implementation steps for each phase of your program. Each individual post contains best practices, tips, and examples of how to implement a GDPR Privacy Program.
2. Three Part Series: The Privacy Leader as Business Enabler
TRUSTe General Counsel & Chief Data Governance Officer Hilary Wandall wrote a three part series about navigating the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively.
3. Key Takeaways from Building a Privacy Governance Program Webinar
In this webinar Michelle Fleury, Sr. Director of Supply Chain Operations at Cisco, and Patrick Curry, Director of Privacy and Compliance at McKesson US discuss how to build a privacy governance program. The blog post contains steps to get your privacy program started.
We look forward to even more exciting developments in 2017!
K Royal, CIPP/US, CIPP/E, Sr. Privacy Consultant
Companies need a privacy partner, not just a privacy consultant. This is a concept that I have learned with our clients while being a part of the consulting team at TRUSTe. Having been a privacy officer (both as an attorney and a non-attorney) in several industries – healthcare, medical devices, emerging technology and with clients ranging from local government to national, from financial to education in the global realm and specifically within the US sectors – I cannot say that I have seen it all, but I have seen a whole lot of it. No one person can possibly be an expert in all areas of privacy/data protection. However, at TRUSTe we have a team, tools and methodology that can, and that is what is critical to our customers.
Companies need a privacy partner. They need a team that can not only assess them for European Union (“EU”) General Data Protection Regulation (“GDPR”) readiness, but can also review their EU/US Privacy Shield compliance needs or review cross border transfer mechanisms in general, such as Binding Corporate Rules (“BCRs”) or Cross Border Privacy Rules (“CBPRs”) in the Asia Pacific. And then, map that to their GDPR requirements or even further, to their HIPAA compliance in the US, and even support framework questions, whether HiTrust, the International Organization for Standardization (“ISO”), the National Institute of Standards and Technology (“NIST”) – or another framework. Further, a privacy partner can review the legal requirements, assess policy application, understand implementation constraints and flexibility, and adjust approach based on client expectations, level of maturity, industry standing, and future considerations.
Being able to partner in this way with companies is a professionally satisfying experience. Every client is different and requires a different set of knowledge, skills, and mindset. At times clients may come to us with one need – to assess Privacy Shield readiness (and over 500 companies have approached TRUSTe for this) – but realize during that engagement that they have multiple needs that have been identified and not yet addressed, or they simply click with the team and the TRUSTe approach and engage us as a partner in several more areas. In that case, are we a serial partner?
I have found that typically we become an ongoing privacy partner. Perhaps we start by building a Privacy Impact Assessment (“PIA”) for EU data use, and then expand that assessment to PIAs for other areas, such as HIPAA in the US, or other geographic-specific needs. It is made possible by keeping the needs of the customer in mind – sure, we’re only building a PIA for HIPAA, but if we add in certain gating questions, then you can use one initial PIA to divert to specific PIAs based on region (or even down to a state) and the personal information involved. We have the technical expertise to build that into the process.
And it’s not all about people. TRUSTe tools make it easier for me to do my job. I also get to help design some of the tools given my industry knowledge. For example, most companies desperately need a data inventory done – we can do it. Also, companies will insist to me that they have no unnecessary cookies on their websites – we can run a test for cookies. But beyond that, companies can use our technology to enhance their own capabilities, such as using our Assessment Manager platform to run their Privacy Impact Assessments (which are required under several privacy regimes).
The really valuable aspect of all of this is that we are not about a single consultant; we are TRUSTe. I have little experience in FERPA, but if the customer I am working with has a FERPA element, I can tap a colleague. As a partner, we engage in frank conversations with the company and truly function as a partner, not as a generic consultant. We have your best interests at heart and look to develop an ongoing relationship that works to your benefit.
Why do companies need a privacy partner? To serve in an ongoing role that tackles the heavy lifting, listens carefully, provides a heads up on overlapping issues in order to fill several requirements with one action, watches for duplication, foresees possibilities for expansion, and is open and frank in addressing who you are as a company, with your needs, constraints, flexibility, timing, maturity, standing, and drivers. We’re not selling you a product (although we can); we are offering you a cost-effective, widely experienced, highly efficient privacy partner.