Rules on transferring personal data between the EU and the US don’t just apply to the social media and technology giants. If your organisation is a US legal entity, or an EU-based organisation with a US parent, and it sends personal data to the United States, you now have the option to participate in the EU-US Data Privacy Framework (DPF) programme. The decision is entirely voluntary, and organisations can self-certify to show compliance – but this process has some unexpected hurdles. In this blog, I’ll uncover the ‘hidden’ steps that could slow your progress, and I’ll share five steps to make the self-certification process easier.

For background, on July 10th, the European Commission adopted the adequacy decision for the EU-U.S. Data Privacy Framework (DPF). In effect, it concluded that the United States provides adequate protection for personal information transferred to it from the European Economic Area.

Organisations taking part in the DPF need to comply with a detailed set of privacy principles such as purpose limitation, data minimisation, and data retention. They also need to provide individuals with certain rights, such as the right to access their data and the right to object to its processing.

The certification process, in effect, validates their commitment to safeguarding personal data and respecting individuals’ privacy rights. To become certified and show compliance with the DPF, organisations need to provide comprehensive and detailed information about their privacy practices.

Once organisations have established if they fall under the framework’s remit, they need to choose how they will verify compliance. They have the choice of internal self-assessment or external compliance reviews. The US Department of Commerce oversees the certification journey.

Hidden obstacles blocking your compliance path

When carrying out some assessments for clients recently, I’ve noticed some elements of the process aren’t immediately obvious. Here’s a five-step checklist of what to do ahead of the self-certification process.

These five steps streamline the certification process, while ensuring you follow regulatory requirements. They also help to foster a proactive approach to data privacy and compliance.

Tip 1: Assess eligibility and framework options

Review your organisation’s eligibility for programmes (e.g., Federal Trade Commission or Department of Transport) under the DPF. You can choose between certifying for the EU-US DPF alone or consider extensions like the UK Extension (if applicable) or the Swiss-US DPF. Determine if your organisation is dealing with Human Resources (HR) related data or non-HR data. Some organisations will be handling both.

Tip 2: Update your privacy policies

Clearly outline your information handling practices and the options available to individuals in your privacy policy, and explicitly state that your organisation adheres to the DPF Principles. Include a hyperlink to the official programme website along with a link to your own active participation record. Make sure the updated policy is easily accessible on your website for transparency. It’s not uncommon for organisations to have multiple privacy policies, so, again, this step isn’t necessarily straightforward.

Tip 3: Establish an independent recourse mechanism

Register with your chosen independent recourse mechanism, for example TrustArc. Fulfil any obligations by making the necessary contributions to the arbitral fund mandated by the framework. You need to register with that entity and pay the fee in advance. Some organisations miss this step, and it can stall their progress.

Tip 4: Implement verification procedures

Ensure compliance with the DPF Principles. If you deal with HR data, commit to cooperating with investigations and complying with the advice of the competent EU authorities; in such cases, register with the EU Data Protection Authority (DPA) panel for HR data, paying the requisite US$50 annual fee and the arbitration fee. The EU DPA panel fee is payable to the United States Council for International Business (USCIB). Your privacy notice needs to include a link to that dispute resolution mechanism. This should be part of a general update of your privacy policies to show compliance with the EU-US DPF.

Tip 5: Certification and proactive approach

Be careful not to say you are registered with the framework before uploading all of the required information to the DPF for review. Wait for the DPF team to confirm everything is in order before claiming you participate in the programme.

Once that’s done, it’s up to you to align your privacy practices, demonstrate commitment, and ensure continued adherence to regulatory requirements.

Certification under the EU-US DPF isn’t just about enabling legal data transfers and proper flow of data. It signifies a commitment to privacy, fostering trust. By complying with the DPF, you’re showing your customers and stakeholders that you’re proactive about safeguarding the privacy and security of sensitive information.

In effect, you’re demonstrating you’re dedicated to transparency, accountability, and proactive data protection. In an increasingly interconnected and global world, this approach will strengthen the partnerships you have across continents.

When going through the self-certification process, take your time and do everything thoroughly. If you’re in doubt, seek the help of an external independent consultant who can advise you on your path.

Clíona Perrick is a Data Protection Consultant with BH Consulting.
