Editor’s note: This is the second of a two-part series.
The Privacy Shield self-certification program was approved by the European Commission as an “adequate” data management framework for U.S.-based companies to follow in order to enable cross-border transfer of GDPR-covered data. While becoming Privacy Shield certified might seem like the golden ticket for a U.S. company, a couple of nuances should be understood. Privacy Shield is directed at U.S. companies that serve as processors for an EU company, not at a U.S. company that is the controller of the data from the covered persons. This means a U.S.-based company that transacts directly with EU-covered persons cannot assume compliance with GDPR (the General Data Protection Regulation) simply by being Privacy Shield certified.
Another nuance worth noting is that Privacy Shield is available only to companies over which the Federal Trade Commission or the U.S. Department of Transportation has jurisdiction. A number of U.S. banks, financial-services companies, telecommunication companies and others currently have no method to certify under Privacy Shield.
Lastly, continuing litigation within the EU constantly challenges the validity of Privacy Shield. Once GDPR enforcement begins, there can be no guarantee which way the European Commission or the European Court of Justice will swing on whether Privacy Shield remains an adequate method for cross-border data transfer.
The EU has the power to enact and enforce laws such as the GDPR, and it has the power to pursue cross-border companies, including international companies interacting with EU persons. It is important to note that member states can further define the GDPR principles, so understanding member-state specifics matters. These interpretations are still in the early phases of being formalized and will require proactive awareness to ensure adequate compliance.
The EU retains its authority as a government and regulatory body over a company that has an established branch or representatives in the EU. For U.S.-based companies that have no established branches or representatives in the EU, enforcement gets more complicated.
The EU Authority Agenda (Data Protection Advisory Board) has been clear that the May 2018 deadline is not an all-or-nothing compliance expectation under which any organization found with gaps will be issued fines of 20 million euros ($24.6 million) or 4 percent of global revenue, whichever is greater. While it is impossible to say without precedent, we expect the hefty fines will be reserved for organizations identified as intentionally negligent or that experience a security breach causing personal damage to protected EU persons.
An outside provider can assist with assessing and analyzing the applicability of GDPR, including which parts may apply. The first step is to establish what data you are collecting, where it is coming from and where it is going (both internally and externally). From there, organizations should re-evaluate their data against the new criteria and determine whether they still have a legal basis to collect and process that information. This could mean data needs to be purged from the systems and recollected in a lawful manner.
Once these initial two steps have been completed, compliance can be addressed through a risk-based remediation roadmap against the framework’s attributes. Understanding and interpreting risks requires technical understanding and judgment grounded in information security practices. Being able to gather timely evidence for compliance also requires the establishment of formal policies and metrics.
Michelle White is a GDPR lead specialist and member of the IT Risk & Security Services group at CBIZ & MHM New England, with offices in Providence, Boston and nationwide.