Challenging Aspects of Privacy Shield

Now more than a month into Privacy Shield, the two most challenging aspects of Privacy Shield are timing and vendor management requirements.

Many organizations are deciding whether they should rush to self-certify for Privacy Shield, or whether they should wait another year.

If an organization urgently submits their application to the Department of Commerce by September 30, 2016, they are given a nine-month grace period in which to fully implement the requirements.

It has been indicated that Privacy Shield may be challenged in the EU courts, so many organizations have enacted alternative data protection mechanisms for EU data (contract clauses, etc.) and are waiting until there is more certainty to implement Privacy Shield.

The second most challenging aspect is that Privacy Shield requirements now apply to vendor agreements. Companies will have to begin revisiting and updating vendor agreements that involve the onward transfer of personal data. This can be problematic if the vendor decides to increase their prices while under review.

Renegotiating vendor contracts, especially with those that the business has developed a close relationship with over many years, is a time- and labor-intensive task, but the benefit of self-certifying sooner is having more time to bring existing vendor relationships into compliance.