You are viewing ARCHIVED CONTENT released online between 1 April 2010 and 24 August 2018 or content that has been selectively archived and is no longer active. Content in this archive is NOT UPDATED, and links may not function.

Extract from article by Mindi Giftos and Andrew Schlidt
Should my organization sign up?

Certification is completely voluntary and can provide important protection. It is a good option for many U.S. companies as it can, in some instances, be relatively easy to implement and comply with compared to other compliance alternatives, such as Binding Corporate Rules and Model Contracts, which can be more complex, expensive, and time-consuming to establish.
However, certification is not a mere formality without potential exposure. Once a company self-certifies, the Privacy Shield requirements will become enforceable against that company under U.S. law. For that reason, certification should be done only after a company can ensure ongoing compliance with the Privacy Shield requirements. Further, many have called the validity of the Privacy Shield into question, so it remains subject to uncertainty and potential future revision.
Ultimately, there are a number of factors that should be considered in deciding whether to proceed with certification under the Privacy Shield, such as company size, global footprint, business needs, data flows, existence of other data transfer compliance mechanisms in place, sophistication of current contracts and vendor management systems, sophistication of current privacy programs, and corporate structure. More information on the Privacy Shield may be found at the U.S. Department of Commerce’s website, www.privacyshield.gov.
Read the complete article at Should my company self-certify under the EU–US privacy shield?