Does every US Based Company need one?
Let’s reverse a few steps and remind ourselves! The GDPR is a set of legislation put into place in the European Union in 2018.
The Privacy Shield, which was introduced in 2016, is basically an agreement between the US and the EU permitting the transfer of personal data from the EU to the US.
This is because the GDPR requires organisations to take extra care if organisations transfer personal data out of the EU. Basically third countries must have adequate data protection measures.
The EU has list of countries that it considers ‘adequate’. Unfortunately the list does not comprise of the US.
The Privacy Shield enables the US organisations to show they have adequate protection therefore facilitating the transfer of information.
How do you get the Privacy Shield
It a process which enables self-certification. It can be complex and lengthy.
Are there similarities between the Privacy Shield and the GDPR?
Article 5 of the GDPR states the key principles namely: processing of personal data must be: lawful, fair and transparent, must be processed for a specific legitimate purpose, comply with data minimisation, accuracy, storage limitation, confidentiality and integrity. The Privacy Shield has a similar requirements and makes it clear that US companies must have a ‘Notice’ setting out the purpose of processing. It also makes it clear that the public must be aware of the policies of the US based company and that there should be a link allowing the public to view the certification.
Is the Privacy Shield Sufficient?
This will depend upon whether the US based company is a data controller or a processor. Therefore the US based company may find gaps in the Privacy Shield and will need to carefully consider any extra requirements under the GDPR. Amongst others, the data controller must be able to demonstrate that it can respond to the enhanced rights of data subjects within the prescribed time-limits. If processing is likely to result in a high risk to the rights and freedoms of individuals then, then it must conduct a Data Protection Impact Assessment.
Furthermore, ensure that there is a system to establish ‘privacy by design’ and ‘privacy by default’ in order to minimise risks. Set up systems in place to detect, report and mitigate breaches and amongst many other things have central records in place.
So the simple answer is that the Privacy Shield may not be enough.
How much does the Privacy Shield cost?
There are different levels of fees depending upon the size of the company.
The department of commerce sets the fees. Fees as of 2016 are set below
| $0 to $5 million | $250 |
| Over $5 million to $25 million | $650 |
| Over $25 million to $500 million | $1,000 |
| Over $500 million to $5 billion | $2,500 |
| Over $5 billion | $3,250 |
Join the Free GDPR Compliance Webinar: https://gdprcomply.net/register
GDPR Online Courses : https://gdpr-comply.com/online/
