What is the EU-US privacy shield?
The EU-US Privacy Shield is a set of regulations under which, when implemented correctly, participating U.S. companies are considered to have adequate data protection to be compliant with GDPR, and can therefore facilitate the transfer of EU data to and from the USA. The EU-US Privacy Shield’s predecessor, the Safe Harbour Framework, was not considered by the EU to provide sufficiently strict data protection for its citizens.
If you are based in the USA, your firm is also liable if your website has a form or any tracking mechanisms that EU citizens are able to access. Although the Privacy Shield is entirely voluntary and self-certifiable, once an organization publicly commits to compliance, it is enforceable under U.S. law and your firm must self-certify annually to be considered compliant.
There are two categories of data transfer under the EU-US Privacy Shield: HR-related data and non-HR data. HR-related data refers to employee data and privacy policies, while non-HR data affects, for example, your information on prospects and clients, and may trigger revisions of your privacy and opt-in or opt-out policies.
So how does the EU-US Privacy Shield fit with GDPR?
According to the EU-US Privacy Shield, to ensure that your firm is meeting all requirements, you “must include robust mechanisms for assuring compliance with the Principles of GDPR, recourse for individuals who are affected by non-compliance with the Principles of GDPR, and consequences for the organization when the GDPR Principles are not followed (for example when your organisation suffers a Data Breach).”
Being self-certified under the EU-US Privacy Shield can give your company a jump start on fulfilling GDPR standards, but it will not by itself guarantee total GDPR compliance. We will guide you through any additional steps involved, as these can differ depending on exactly the type and volume of personal data you handle. It is also important to note that the EU-US Privacy Shield will be revisited every year and could change, so it is important that you sign up with our annual support service to ensure you stay current with all of the updates.
What are the benefits of the EU-US privacy shield?
Some of the benefits of joining the Privacy Shield, according to the International Trade Administration, include:
All Member States of the EU are consistent with the European Commission’s GDPR finding of “adequacy”.
EU Member State requirements for prior approval of data transfers are automatically waived or approved, so organizations don’t need to seek approval.
Compliance requirements are clear.
The Privacy Shield Framework’s self-assessment process is cost effective. This is especially useful for small to mid-sized firms.
While the EU-US Privacy Shield does offer some formal protection and can be a useful framework or tool for GDPR compliance, please do remember to check with Ensurety what other measures you may also need to implement.
We have successfully guided a number of organizations through the EU-US privacy shield process - see the testimonial video from one of our customers, Datafox, below: