Preparing for GDPR: How to signal your intent to comply
Self-certification with Privacy Shield is just one way that companies can show that they intend to comply with the sweeping legislation.
As the May 2018 deadline for the General Data Protection Regulation (GDPR) inches into view, many US companies — multinationals, in particular — are taking steps to make sure that they are in compliance with the legislation’s requirements and limitations.
But how do customers, partners and investors know which companies to trust?
There are several different ways a company can signal that data privacy is an important priority and show that they intend to comply with the law.
In fact, Article 42 of the GDPR (General Data Protection Regulation) calls explicitly for “the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.”
Of course, GDPR is an EU (European Union) law, but its implications are far-reaching. Since it covers EU citizens’ data no matter where it travels and the transfer of this data to other jurisdictions, global US companies must also comply.
Simply put, Privacy Shield is an agreement that governs the transatlantic transfer of data between the EU and the US. It was adopted in 2016 as a replacement for the less restrictive Safe Harbour agreement. By self-certifying, US companies are essentially making a promise that they will follow EU data privacy laws while receiving EU data.
Jessica B. Lee, a lawyer in the advanced media and technology practice at Loeb & Loeb, said that companies that certify with Privacy Shield are showing that they are following best practices for handling data.
“As the GDPR enforcement deadline approaches, we are seeing an uptick in interest in Privacy Shield certification,” Lee said. “For companies with clients who are based in the EU or have consumer data from individuals in the EU, the Privacy Shield serves the functional purpose of allowing for cross-border data transfers, but it also serves as a marketing tool. Companies subject to the GDPR are examining their vendors to ensure that their privacy practices are in line with the GDPR’s requirements. Having a valid Privacy Shield certification can help a company sell itself as a trusted vendor. Privacy Shield certification is not a minor undertaking. The incentive to self-certify won’t come from the ease of self-certification, but rather the ability to receive data from the EU and the marketing value.”
The US Department of Commerce runs Privacy Shield, and it’s enforced by the Federal Trade Commission.
Binding Corporate Rules (BCRs) and codes of conduct
BCRs are global policies and procedures a company prepares that apply to the handling of data both internally and externally. They were created by the EU as an alternative to Safe Harbour.
Eduardo Ustaran is a partner in the global Privacy and Cybersecurity practice at Hogan Lovells. He told me that, like Privacy Shield, BCRs are essentially a framework of rules.
“It’s another mechanism to allow those transfers of data to be lawful,” Ustaran said.
This process can be onerous because controllers will need to go through a detailed approval process, but BCRs are seen as the gold standard of compliance, Ustaran said.
A code of conduct is another legal tool governing the transfer of data.
Article 40 of the GDPR calls for codes of conduct, essentially a set of best practices that act as a framework.
An example of this is the Cloud Infrastructure Service Providers in Europe (CISPE) Code of Conduct. CISPE offers “trust marks,” or badges, that show membership. Amazon Web Services is a member.
What do accountants have to do with GDPR compliance? The American Institute of CPAs (AICPA) created Service Organization Controls (SOC) reports to document accountant-led audits of a variety of compliance issues. They are essentially internal control reports that give users the information they need to assess and address the risks associated with outsourced services.
A SOC 2 report focuses on a business’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality and privacy of a system, according to SSAE 16. Undergoing a SOC audit is yet another way that a company can show its commitment to GDPR compliance.
It’s best to be prepared
No one really knows what will happen come May, but many large US companies are getting in gear by updating their processes and guidelines. By leveraging these certifications, contracts and codes, they can demonstrate those efforts to others.