The Privacy Shield program emerged as a result of the EU Court of Justice’s decision that the Safe Harbor program lacked sufficient data protection requirements and should be eliminated. Privacy Shield was developed as a more robust solution in governing the collection and use of customer information.
To participate in the Privacy Shield program, an organization outlines its policies and procedures to protect personally identifiable information (PII) and self-certifies them to a government entity. Privacy Shield does not take the place of privacy obligations that apply under U.S. or other country laws. As part of the program, participants are encouraged to collect only necessary PII from customers to provide needed services.
An organization has the option to extend its Privacy Shield program beyond customer data to include employee human resources data.
Per the official Privacy Shield website, “Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.”
Participants must also inform customers of the following:
- The types of data collected and why the data is collected.
- The organization’s commitment to following Privacy Shield principles.
- An “opt out” option or an ability to limit use of the customer’s PII.
- A recourse mechanism, free of charge, for any disputes or complaints, together with appropriate contact information. This includes the right to binding arbitration.
- The right of the customer to access their own PII.
- The parties with whom PII is shared (e.g., any third-party companies) and why it is shared, including liability in cases of onward transfer of data to third parties.
Protecting PII is a continually evolving process. As attackers become more proficient, an organization’s IT department must continually prepare to prevent a breach. Data in motion is data at risk. The transfer of PII via email or other electronic portals or methods is the point at which data is most vulnerable; therefore, it is critical to keep controls for data in transit up to date.
Privacy Shield is a voluntary program focused on protecting the storage and transfer of personal data, while the General Data Protection Regulation (GDPR) is binding law governing the transfer of data out of the EU. One of its requirements is that data may only be transferred to countries with sufficient data protection regulations. Since the U.S. is not on the EU’s list of countries with sufficient data protection laws, participation in Privacy Shield allows companies to meet GDPR requirements.
The greatest benefit of Privacy Shield adherence is knowing you are doing everything possible to protect customer information. When sophisticated systems and a well-trained staff are united, they build a wall that deters attackers. In today’s environment, it is a given that criminals will try to infiltrate your systems and steal personal data. We owe it to our customers and communities to stay on the cutting edge of technology, physical security, and staff education. Privacy Shield provides the security framework to help you along the road to good corporate stewardship.
For more information, see https://www.privacyshield.gov.