A best-practice approach to gain Privacy Shield certification
March 2017 | EXPERT BRIEFING | DATA PRIVACY
Against a backdrop of domestic economic turbulence, organisations are increasingly looking to minimise risk and fuel growth by expanding their business operations overseas. Encouraged by continued customer demand for variety and value, and boosted by strong international currencies, favourable inter-country trade agreements and the need to maintain a competitive advantage, organisations are transforming themselves to take advantage of the borderless world of commerce. But overseas trading offers fresh challenges and a web of complexity, particularly when it comes to the regulatory environment.
Different countries, of course, operate within their own individual regulatory environments. Wherever they are located, organisations trading with consumers or businesses in those markets must still comply with their regulations. There are taxes to consider, as well as different standards and certifications relating to packaging and labelling and stringent regulations when it comes to the management and protection of the vast amounts of data moving across frontiers.
Data protection regulations are currently high on the global agenda, as we generate increasing amounts of personal data. Lawful cross-border data flows must be at the heart of every overseas business strategy, or businesses will face huge penalties for non-compliance. Conversely, safeguarding customer data, and being transparent about the steps taken to do so, supports compliance as well as generating trust and confidence in a brand. Research has shown that 66 percent of consumers buy products from a country outside their own. Personal data is crossing borders, and regulators are reacting to this.
Companies involved in transferring this data need to ensure an ‘adequate level’ of protection for this information, according to the DP Directive 8th Principle, and there are several data transfer solutions to achieve this adequacy. Some firms may elect to integrate EU standard contractual clauses into their agreements as their framework. Others may look to different solutions for their framework, such as binding corporate rules or BCRs. The frameworks selected will vary according to the nature, operations and practices of the business.
One particular mechanism available for a firm’s data management strategy is the EU-US and Swiss-US Privacy Shield. It effectively replaces Safe Harbour, under which US firms could self-certify that they complied with EU data protection regulations. It simplifies data transfers and protects the rights of people in the EU whose data is transferred to the US. Businesses choose whether or not to self-certify and comply with the Privacy Shield principles, but if they do, the commitment is enforced under US law.
Businesses need to take a close, considered look at their data strategies, and act in a swift and measured way to ensure the appropriate storage and adequate protection of customer data to comply with different local laws.
There are a number of steps which businesses should take to ensure that they achieve Privacy Shield certification. First, you should take a thorough look at the personal data generated by and managed within your business, whether cloud-based or stored on internal servers. This is the point at which your organisation can use the PIA (privacy impact assessment) process to validate your own internal processes and build work papers, as well as making updates to policies and statements. You could use this as a chance to really ‘know your customers’ – identifying, locating and connecting data sets, highlighting patterns and unearthing trends.
Second, you must also consider how you share this data within and outside your organisation.
Third, you must identify whether any of this data travels unnecessarily between the EU and the US and, if it does, minimise this.
Fifth, you should use the opportunity to audit, refresh and integrate technologies, processes and systems to ensure a cohesive, collaborative approach.
Sixth, make an effort to educate staff on the importance of data accuracy, security and privacy, and the critical parts they have to play in the data protection programme.
Seventh, empower staff to take end-to-end ownership of customer queries surrounding data, and equip them with the tools and knowledge to do so. Part of Privacy Shield certification is to identify a key contact within an organisation to answer queries, complaints and access requests, so staff empowerment will ensure you have this contact and respond in a timely manner.
Eighth, take steps to ensure partners and suppliers will not share EU citizens’ data outside the US, unless it is with adequate protection.
Ninth, encourage and continue to identify ways of demonstrating transparency and compliance.
Tenth, consider ways to develop a compliance-focused culture of integrity, with a structure that ensures agility and a responsiveness to change in both regulation and customer expectations.
Following the 10 recommendations above, the application process is relatively straightforward. Businesses need to submit external- and internal-facing privacy statements or policies and other supporting documentation, then wait for review by the International Trade Administration (ITA). Once you have completed your submission, it may help to build extra time into your planning, as it can take several months for applications to be reviewed and approved. It is also a good idea to continue to monitor developments within the framework, as it is subject to annual review and potential revisions.
Keeping up with the pace of regulatory change is challenging for companies large and small. But achieving robust compliance benefits clients and employees alike. There is a proven link between business performance and best-practice compliance, as research shows that more compliant firms enjoy greater total shareholder return. When it comes to the Privacy Shield, taking an integrated approach, staying agile and focusing on the customer experience demonstrates best practice and transparency, as well as boosting collaboration and building customer trust.
Raymond Umerley is chief data protection officer at Pitney Bowes. He can be contacted by email at: email@example.com.
© Financier Worldwide