Soon companies that self-certified with the Department of Commerce (DOC) last fall before the September 30, 2016 deadline will have the 9 month “grace period” come to a close. The grace period was given to these companies so that they could ensure that all of their third party vendors met the Accountability for Onward Transfer principle. The grace period ends soon, meaning that the deadline is fast approaching.
The Privacy Shield Accountability for Onward Transfer principle, Section II, 3.b., states:
To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
In sum, maintaining your Privacy Shield certification by adhering to the Accountability for Onward Transfer principle requires a lot of due diligence. When your company has a relationship with a third party vendor involving the transferring personal information to that vendor, your company has to ensure that the vendor will process personal information in a manner consistent with your company’s obligations under the Principle. Your company’s contract with the vendor also has to state that the data your company transfers to it can only be used for limited and specified purposes. What’s more, vendors acting as agents have to cease and take steps to remediate unauthorized processing.
For most companies, this is a lot of work that is quite time consuming; the initial grace period concession was given in light of the time it may take a company to comply with this principle. For example, a few of the hundred vendors that a typical mid-sized business uses are: a marketing automation system, a customer relationship management system, an administrative services system, and a payroll system. Larger organizations may use thousands of vendors.
How will companies adhere to this principle? One option is to compile a large spreadsheet and call, email, or meet with internal business or process owners. Though this option is cost effective in terms of dollars, it is not cost effective in terms of time, productivity, and data integrity. Technology solutions to automate the process and provide an easily accessible digital repository may have up-front costs. However, long term savings in terms of time, productivity, and maintaining data integrity will far outweigh initial up-front costs.
If you have any questions about the requirements of this Principle, contact us.