My last blog post provided an overview of the new General Data Protection Regulation (“GDPR”) rules for the protection of personal data when capturing, storing, or processing personal data originating from individuals in the European Union (“EU”).
If you missed that post, you can read it by clicking here.
In addition to the GDPR, it’s also important for U.S. businesses to be aware of the EU Privacy Shield requirements. The GDPR is a comprehensive law designed to control the transfer and use of personally identifiable information in general. The Privacy Shield is concerned with only one specific aspect of data protection; namely, the transfer of personal data from the EU to the U.S.
The privacy laws in Europe are much more protective of personal data than the laws of the U.S., and the Privacy Shield is an agreement that binds participants to specific rules and procedures that must be followed in order to lawfully transfer personal data from the EU to the U.S.
Before you dive into the details below, remember that many of your service providers are likely well aware of the Privacy Shield requirements and can help you successfully reach compliance, so be sure to talk to your account representative to get details on what they are doing.
What are the requirements for Privacy Shield?
The Privacy Shield framework has seven points, all of which are shown below. This is going to be a lot to take in, but it’s not as daunting as it seems if you just take it one step at a time.
You are responsible to notify individuals about:
- Your participation in the Privacy Shield framework;
- The type of personal data being collected;
- How you will use the personal data collected;
- Third parties that you may share their personal data with;
- Their rights to access their personal data;
- Ways they can limit the use and disclosure of their personal data; and
- Ways they can resolve problems with the collection, use, or processing of their personal data.
You must provide “clear, conspicuous, and readily available mechanisms” for individuals to opt out of the disclosure of their personal data to third parties, or of the use of the data for a purpose other than the one for which it was collected.
You are required to ensure that all third-party contracts state that personal data “may only be processed for limited and specified purposes consistent with” the consent of the individual. Should anything happen to the personal data you collected, you are on the hook, even if the problem is the fault of your service providers.
You are expected to “take reasonable and appropriate measures” to secure personal data against “loss, misuse and unauthorized access, disclosure, alteration and destruction.” If you follow industry best practices, you should be fine.
The Privacy Shield requires that you limit collection of personal data to only relevant information and ensure that personal data on file is “reliable for its intended use, accurate, complete and current.”
The Privacy Shield requires that individuals have the ability to access their personal data, along with the ability to correct it, amend it or even delete it.
Under the Privacy Shield, you must provide detailed procedures for recourse and dispute resolution. These procedures need to be implemented thoroughly, and you will need to have a verifiable process for handling complaints.
You can read more about the Privacy Shield framework at the Commerce Department Website.
Remember – Be Smart. Be Legal.
Disclaimer – Yes, I’m a lawyer, but I’m not your lawyer. All information in this post is provided for educational purposes only and should not be considered legal advice for any specific person or any specific situation.