Getting GDPR compliant faster through Privacy Shield
While my previous article was dedicated to the to-do list for getting your company GDPR compliant, this one describes a shortcut to that compliance: implement Privacy Shield first. This applies especially if your company is registered in the US.
If your business is in the US but you process (or plan to process 🤔) personal data belonging to people in the EU, get certified under the Privacy Shield Framework first. Much of that work carries over directly to GDPR compliance.
The Privacy Shield Framework (PSF) regulates how personal data from the European Union (and, under the parallel Swiss-US framework, Switzerland) may be transferred to, stored and processed in the US. PSF is much easier to understand than GDPR: certification is a self-certification filed with the US Department of Commerce, and every requirement is published in full on the Privacy Shield website.
Here is the list of eight to-dos for getting certified under the EU-US Privacy Shield:
1. Understand and describe the personal data flows in your system
Determine which personal data you collect and store now, or plan to store in the future: credentials and payment details, data users submit directly, and the behavioural analytics gathered on your site. Account for all of it, both on your own systems and on the third-party services you use; the inventory must cover the entire data pipeline.
2. Update Privacy Policies
Create a separate Privacy Shield Notice page and link to it from your Privacy Policy. All revisions must be published before you apply for certification.
The Privacy Shield Notice must cover every item required by the Framework's Notice principle. In short, it requires:
- A link from your Privacy Policy to the notice page (as above).
- A description of the types of personal data you collect 🗒️
- A list of your affiliated organizations (such as subsidiaries) that also adhere to the Privacy Shield Principles.
- A declaration that you comply with the Privacy Shield Principles and collect only personal information relevant to the stated purposes.
- Where users should direct complaints, and how complaints and other issues are followed up.
- The third parties to which you transfer the personal information you collect.
- That users can access their information, and that if you change the purpose for which their information is used, they will be given a choice about how to proceed.
Examples: Privacy Shield Notice and Privacy Policy.
3. Revise third-party contracts
Double-check that every third-party service handling the personal information you have collected is also certified.
Any third-party service you use must either be Privacy Shield certified itself or be bound by contract to handle the data to Privacy Shield standards. Work through the list of services from Point 1 and check each one against the public Privacy Shield list. Chances are the services you already use are certified, but verify each one rather than assuming.
4. Sign up for an independent recourse mechanism
Enlist an independent organization that will arbitrate disputes with users you were not able to resolve yourself.
You need to choose, and enter into a contract with, an organization that will independently resolve any dispute you could not settle with a user. You can use a European organization; here is an example. The service at http://privacyshield.uscib.org/ is among the most economical, and will set you back just $50