The European Union-United States (EU-U.S.) Privacy Shield framework was designed by the U.S. Department of Commerce and European Commission to provide companies in both countries with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the U.S. during transatlantic commerce. At the center of this new framework are enhanced requirements for companies to:
- Fully disclose their data privacy and protection practices
- Provide transparency, choice and consent to their customers
- Implement safeguards and controls around the collection, holding, protection, and transfer of personal data.
While the current fate of the Privacy Shield is still in flux (EU Data Protection Agencies recently expressed concerns about whether it is “strong enough” to fully protect the privacy of EU citizens), it is likely to come into effect, if not in its current form, then in one that is even stronger. As it stands, Privacy Shield already imposes some enhanced and even new obligations that organizations must become aware of. This post focuses on the concept of “Notice.”
What does Notice mean under the Privacy Shield framework?
The definition of a “Privacy Notice” is: “A statement made to a data subject that describes how the organization collects, uses, retains, and discloses personal information.” (Reference(s) in IAPP Certification Textbooks: F16; US16-18, 37; G95-97, 100) Privacy Shield participants must provide individuals, in clear and conspicuous language, with notice of:
- The organization’s participation in Privacy Shield
- The type of data collected
- The purposes for which the data is collected
Individuals also must be informed of:
- Any third parties to which their data will be transferred
- The requirement to disclose personal information in response to lawful request by public authorities
- Which enforcement authority has jurisdiction over the organization’s compliance with the framework
- The organization’s liability in cases of onward transfer of data to third parties
What does this mean for you?
How do you create policies that actually reflect what your organization does? It requires your privacy team to understand not only a day in the life of their business counterparts, but also how data is collected, created, and flows within and outside of the organization. Whether data is generated by and within your organization or collected from a third party (customer, vendor, partner, other), the only way you can effectively protect it is by understanding it. What is the data? Does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information (PII), protected health information (PHI), or financial data? This list goes on quite extensively. Of course, all companies create and hold sensitive data. There is nothing wrong with that at all. But only once you know what it is, where it is, who can access it, and who has accessed it can you make decisions about where it should live.
Start by taking the time to understand what kinds of data your business handles and uses, as well as how your co-workers use your internal systems in their day-to-day jobs. Understanding the “day in the life” of your colleagues will help you understand why and how they need to handle protected data in the course of their daily work. The time you invest in understanding their requirements will pay off in spades, as you will be able to craft solutions that meet both their needs and your obligations.
Privacy and security risk management intersect with other data lifecycle management programs within your company. Combining these related areas will allow you to better optimize resources and risk management for information assets, supporting responsible, ethical, and lawful collection, use, sharing, maintenance, and disposition of information.
To better integrate privacy and security with your ongoing data management practices and build the right policy, I recommend keeping these five considerations in mind:
- Contemplate how data is created or collected by your company. You should think about excessive collection, how you will provide notice (to individuals) about that collection, provide them with appropriate levels of choice, and keep appropriate record of that collection and creation.
- Think about how you are going to use and maintain this data. Here you should consider inappropriate access, ensure that individuals’ choices are being properly honored, address concerns around a potential new use or even misuse, consider how you will respond to a breach, and ensure that you are properly retaining the data for records management purposes.
- Consider who (and with whom) this data is going to be shared. You should take into account data sovereignty requirements and cross-border restrictions along with inappropriate, unauthorized, or excessive sharing.
- Know that all data has an appropriate disposition period. You should keep data for as long as you are required to do so for records management, statutory, regulatory, or compliance requirements, and ensure you are not inadvertently disposing of it. At the same time, for as long as you hold sensitive data, you run the risk of a breach, so do not keep it beyond that period.
- Understanding the difference between what can be shared and what should be shared is always the key. A good program must continually assess and review who needs access to what types of information. Privacy pros should then work with their IT counterparts to automate controls around their enterprise systems, so that it is easier for employees to do the right thing than to do the wrong thing or simply ignore the consequences of their actions. Once you’ve implemented your plan, be sure to maintain regular and ongoing assessments.
Trust is something that businesses must work to establish with their customers every day. Once lost, it is very difficult to regain. Consumers have the power, through their purchasing decisions, to reward companies that give these matters proper attention on their web sites and to support the brands they respect. At the end of the day, Privacy Shield in some measure is making this mandatory by insisting that participating organizations maintain transparency with their customers about their data protection practices. Notice is the first step in that process.