Your organisation's self-certification to Privacy Shield has been finalised. The battle lines are drawn, the personal data that your organisation receives from the EU is tucked safely behind the Shield.
Job done, time to put your feet up, right? Not quite!
Once certified, organisations have ongoing obligations to adhere to Privacy Shield Principles.
Practical steps that you should take
So what does the battle plan look like? Here are some of the practical steps that you will need to take:
- Implement appropriate policies and procedures to help you to achieve compliance in practice and to demonstrate such compliance e.g. Data Protection Policy, Information Security Policy, Access Policy, Complaints Handling Procedure, Retention Policy;
- Train US employees on how to handle personal data received from the EU in accordance with Privacy Shield Principles and have a documented employee training policy in place;
- Keep records on the implementation of Privacy Shield Principles in practice;
- Check that you have contracts in place with any third parties to whom you transfer personal data and that the contracts contain provisions that meet the requirements of the Accountability for Onward Transfer Principle. Organisations that self-certified before 30 September 2016 have a 9 month grace period to put the relevant contracts in place;
- Don't forget to re-affirm your commitment to apply the Privacy Shield Principles to the Department of Commerce (DoC) on an annual basis;
- If you have chosen self-assessment as a means of verifying compliance with Privacy Shield Principles, conduct an annual compliance audit and retain evidence of the outcome of such audit. If you are using a third party assessment service, then ensure arrangements are in place for such third parties to carry out the audit prior to recertification each year;
- If your independent dispute resolution body is an EU data protection authority, consider whether increased scrutiny by EU Data Protection Authorities (DPAs) may mean taking stock of your compliance under EU laws.
What are the consequences if organisations fail to comply?
- Complaints are likely to be escalated to your selected independent recourse mechanism – i.e. a private sector dispute resolution body or a national DPA.
- The designated independent dispute resolution body could require the non-compliant organisation to:
  - make public the instances of non-compliance with its obligations;
  - delete data;
  - pay individuals compensation for losses they incur due to non-compliance; or
  - make injunctive awards.
- The FTC, Department of Transportation, and any other statutory body recognised by the EU will have investigatory and enforcement powers to ensure compliance with the Privacy Shield.
- The DoC may remove an organisation from the Privacy Shield list if it persistently fails to comply with the Principles. Organisations would then need to stop processing the relevant data, and return or delete personal information they received under the Privacy Shield or provide adequate protection for the information by another authorised means.
- For residual claims, the Shield's binding arbitration panel will have the power to impose individual-specific equitable relief (such as access, correction, deletion or return of personal data). Individuals will be able to seek judicial review and enforcement of arbitral decisions before the federal district court.