July 13, 2017

Last Updated on January 18, 2024

In my data privacy practice, I’m finding many organizations are still unclear about the purpose and ramifications of the new EU-US Privacy Shield and the EU’s General Data Protection Regulation (GDPR), and how they are meant to work together. These instruments define how data on EU citizens must be held and transported. Therefore, understanding and complying with them is critical to any entity doing business in and/or with the EU or processing data on EU citizens in any form.

GDPR vs. the EU-US Privacy Shield

Like its name says, the GDPR is a regulation; i.e., a law with associated compliance requirements. Its general intent is to modernize and standardize data protection practices within the EU. Noncompliance with the GDPR can mean massive financial penalties (up to 20 million euros or 4% of a firm’s global gross revenue), as well as lost opportunities.
One of the requirements within the GDPR intends to ensure countries outside the EU that receive EU data have adequate data protection laws. The EU does not currently deem the US to have adequate data protection laws. Privacy Shield, along with the Safe Harbor provisions it superseded as of Q3 2016, is an agreement between the US and the EU. In a nutshell, Privacy Shield functions as a workaround to provide a legal basis for the transfer of EU citizens’ personal data to and from the US.
Entities that participate in the Privacy Shield agreement are considered to fulfill the EU’s data protection requirements. Privacy Shield defines a framework for transatlantic data flows that requires US businesses to strongly protect EU citizens’ personal data. It also sets up extra monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission (FTC). In particular, it stipulates limitations and requirements for oversight on access to EU data, puts added focus on organizational transparency, and creates a dispute resolution pathway for EU citizens who file complaints. Overall, Privacy Shield is a lot more demanding than Safe Harbor was.
As such, compliance with Privacy Shield (which involves “self-certification” and verification) will take added strategic planning on the part of many US entities. For example, many will need to update their privacy policies, as most US companies’ current policies are too general to be acceptable. For companies that currently have no privacy policy, doing business in the EU could require changes not just to information systems but to the corporate culture itself.

How to Minimize Your Risk

Failure to comply with Privacy Shield can mean exclusion from doing business with the EU. To ensure ongoing compliance, most larger firms will need to hire a dedicated data protection officer, as the GDPR mandates. SMBs may be better able to outsource this function.
What’s all this going to cost? Outside of running afoul of the legislation and incurring punitive fines, the GDPR and Privacy Shield might actually save some cost and complexity around complying with EU data protection regulations, because they rationalize the effort across all EU nations. Formerly, US firms doing business in the EU had to contend with country-specific regulations and often needed country-specific legal counsel.
On the other hand, GDPR and Privacy Shield explicitly make companies responsible for the data protection programs of all their third-party vendors. This is likely to result in added costs for firms that don’t have strong third-party risk management (TPRM) programs in place.
With full GDPR implementation less than a year away, affected US businesses need to be moving toward compliance now. To get up to speed quickly on Privacy Shield’s features, processes, and obligations, and determine how best to align your business practices with them, contact Pivot Point Security.