Here are 3 misconceptions about Privacy Shield and the facts you should know.
1. I missed the deadline to certify for Privacy Shield.
Although the deadline to qualify for the onward transfer requirements grace period passed on September 30th, it is not too late to certify. There is no deadline to self-certify, but if you have clients and/or employees in Europe, you will need to use one of the recognized transfer mechanisms to process their data outside of Europe.
In addition to these regulatory obligations, your company may start to face pressure from clients or business partners to get the certification. Just as many companies required their suppliers and partners to be Safe Harbor certified, expectations around Privacy Shield are likely to be the same. Privacy Shield provides a visible way for companies to demonstrate their compliance with EU data transfer rules.
2. The grace period for onward transfer covered the bulk of Privacy Shield requirements.
Onward transfer is only one of many Privacy Shield requirements. Companies still have to ensure all of the other requirements are met, such as: notice, choice, security, data integrity & purpose limitation, access, recourse, and enforcement & liability. So while you missed the grace period, it only addressed one portion of the overall requirements.
3. Privacy Shield is only for my customer data.
If you have employees in the EU, you also need to consider Privacy Shield for your HR data. This is a separate certification which you can add at any time to your existing listing with the Department of Commerce. Currently, over 300 companies are on the Privacy Shield list, many of which are using this approach to facilitate compliance with customer and HR data requirements.