If you have customers or employees in the European Union, you should look into signing up to operate under the US / EU Privacy Shield. Registration began this morning. It closes in two months.
Signing up means you self-certify that you will comply with tough privacy protection guidelines in exchange for a nine-month grace period to get ready. Then you have to recertify yearly. If you collect information about Europeans and don’t sign up, you are still subject to enforcement one way or the other, with no grace period.
Overall enforcement on the American side will be the job of the US Department of Commerce. Its information on the whole process is on the Privacy Shield Framework website (https://www.privacyshield.gov/welcome); go to Requirements of Participation.
Privacy Shield negotiations went on for a while before it abruptly became a hurry-up replacement for the EU Safe Harbor, which was struck down last fall by a European court. Now Privacy Shield is under attack in Europe, but no matter what the outcome, count on continual EU efforts to protect the privacy of their citizens aggressively.
Smaller manufacturers and retailers dealing directly with EU consumers will find compliance pretty challenging. One example is the complaint process.
Participating companies must have complaint forms and respond to consumer complaints within 45 days. And if the response doesn’t resolve the complaint, they must provide the consumer an “independent recourse mechanism” to resolve the dispute.
And the participating company must pay for everything regardless of outcome. TRUSTe, the Better Business Bureau, and the International Institute for Conflict Prevention and Resolution (CPR) are among those offering services.
Remedies and sanctions that could be imposed start with fixing the privacy issue, but go on to include public statements, loss of certification, and compensation to the consumer.
Signing up is truly a choice, and it should be an informed one. Staying informed about privacy protection obligations will remain an evolving process. Whether forced by legal developments or not, every company needs a privacy protection officer, even if your size means that is a person with three or four other titles.