Doing Business in the EU? Get Behind the Privacy Shield

March 3, 2017

The EU-U.S. Privacy Shield Framework is here to stay.

By Dan Schroeder, partner-in-charge of Information Assurance

Despite reports to the contrary early this year, the presidential executive order that limited privacy rights of non-citizens did not negate Privacy Shield. For one thing, the Privacy Shield agreement, which took effect this summer, governs data sharing for commercial transactions and not for law enforcement purposes.

But the confusion over whether Trump tanked Privacy Shield underscores an important point: While administrative regimes and their regulations come and go, the fiduciary responsibility to protect sensitive data through sound privacy and security risk management practices remains.

It’s simply the right thing to do—especially for businesses that process the personal data of European citizens. Europeans will never turn a blind eye to privacy practices, and willingness to comply with stringent data protection standards has become a term of doing business.

With the EU-U.S. Privacy Shield Framework, U.S.-based businesses finally have a detailed roadmap to do what their European customers and business partners have been expecting all along.

Privacy Shield Core Principles

  • Notice
  • Choice
  • Accountability for onward transfer
  • Security
  • Data integrity and purpose limitation
  • Access
  • Recourse, enforcement and liability

The Privacy Shield Principles, like their predecessor Safe Harbor Privacy Principles, represent the fundamentals of privacy risk management. However, unlike the high-level Safe Harbor Principles, the Privacy Shield Principles are supported by granular definitions that provide a clear roadmap of how to achieve these principles. These are the specific requirements that, if deployed and adhered to, are components of a strong privacy risk management program.

The principle of Notice, for example, includes more than a dozen bullet points on precisely what should be included in a privacy notice. These requirements range from the very fact that the business participates in Privacy Shield to the organization’s liability when it transfers personal information to third parties.

How to Get Privacy Risk Management Right

Privacy risk management should not be seen as a check-the-box exercise. Fulfilling consumers’ expectations of privacy protections requires a more complete approach—one that not only represents robust compliance with Privacy Shield and other data protection standards but that also protects the organization from a potential breach that could irreparably damage its reputation and competitive standing.

The roadmap to this practical, defensible approach already exists.

  1. It begins with understanding the comprehensive life cycle and flow of all data potentially subject to EU data protection requirements.
  2. It progresses to a thorough assessment of the risks to that data, which then leads to definition of a set of criteria (i.e., control requirements). The Privacy Shield Principles provide a solid baseline that can be expanded to include other regulatory and contractual requirements.
  3. Next is the assessment of existing controls, to identify gaps between the control requirements and the existing controls, and to remediate those gaps to mitigate privacy-related risk.
  4. This foundational work sets the stage for ongoing monitoring and reporting, allowing the organization (or an independent party) to confirm deployment of those controls.

Independent Certification Fortifies Privacy Shield

Following the roadmap above, the organization is now in a position to confidently report on the effectiveness of its data protection practices. Privacy Shield allows either self-certification or an outside compliance review.

One of the problems with Safe Harbor was that it lacked a clearly defined set of criteria, so self-certification became very subjective. Many companies claimed to have established comprehensive privacy and security practices without really exercising the due diligence necessary to support those claims and, more importantly, to protect their business reputation.

Organizations that are found by the Federal Trade Commission to have made deceptive statements regarding their privacy practices are subject to sanctions. In 2012, Google agreed to pay a $22.5 million civil penalty to settle FTC charges that it misrepresented its use of cookies.

Given what is at stake, we recommend that organizations doing business in Europe fortify their Privacy Shield compliance with independent verification by a third party with privacy and security credentials.

Obtaining this independent evidence provides a higher level of assurance that:

  • Privacy and security practices designed for Privacy Shield compliance are in fact deployed and operating effectively;
  • Certification is complete, accurate, and has a defensible basis for establishment of privacy risk management practices to support the Privacy Shield Principles; and
  • The Privacy Shield Principles are integrated into a comprehensive privacy and security risk management program.

For more information on Privacy Shield, contact Dan Schroeder at dan.schroeder@aprio.com.

About the Author

Dan Schroeder

As a Partner of Aprio’s Information Assurance Services team, Dan applies his over 25 years of experience in IT, operational and risk management functions to provide guidance on cybersecurity and privacy risk management strategies to the CISOs, CIOs and Internal Counsel of domestic and international technology-based businesses. In addition to helping clients establish, monitor and maintain effective information security and privacy risk management programs, Dan specializes in providing risk assessments and attestation services to address PCI, ISO, CMMC, FedRAMP and other leading privacy and security protocols.