Audit and Assurance


EU-US Privacy Shield Framework

  • 1.  EU-US Privacy Shield Framework

    Posted 06 Aug, 2019 19:00
    Is anyone familiar with the EU-US Privacy Shield Framework and can provide direction on audit and controls?  I gather they have 7 principles, but the language seems very general when compared to ISO, NIST and GDPR standards.

    The Privacy Shield website also indicates members are "self-certified" with monitoring and enforcement by the FTC and the US Department of Commerce.  Does this mean they issue an oversight report similar perhaps to CFPB, FFIEC, OCC, etc., or is there a 3rd party certification after the fact such as with ISO or FIPS?

    Any direction or insight would be greatly appreciated.

    ------------------------------
    Felipe Reyes
    IT Security Analyst
    ------------------------------


  • 2.  RE: EU-US Privacy Shield Framework

    Posted 07 Aug, 2019 21:50
    I am by no means a Privacy Shield expert but I will add my 2 cents.

    Because PS is a privacy framework and not a security framework, it is not going to list specific control requirements like other security frameworks such as NIST and ISO.  It is self-certifying with an annual self-recertification.  When you self-certify, you will have to submit several pieces of information and then the U.S. Department of Commerce's International Trade Administration (ITA) will review the application for approval.

    This link (#3) https://www.privacyshield.gov/article?id=Administration-of-Privacy-Shield talks about the ITA's monitoring activities.  It seems like it is ad hoc at their discretion if something comes to their attention about PS violations at a specific organization.

    Are you being required to be PS compliant?  If not, you may want to consider a SOC 2 audit that includes the Privacy category.  The SOC 2 audit would provide an independent 3rd party report that shows customers you have security and privacy controls in place.

    Also, I would definitely reach out to your legal counsel for their advice as they should be familiar with the requirements and can determine if it is right for your organization.


    ------------------------------
    Troy Fine
    Manager
    Schneider Downs
    ------------------------------



  • 3.  RE: EU-US Privacy Shield Framework

    Posted 22 Aug, 2019 10:05
    Ian/Troy,

    My apologies for the delayed reply.  Thank you both for your responses.  Some good information that leads me in the right direction on EU-US Privacy Shield.  I appreciate the assistance.

    ------------------------------
    Felipe Reyes
    IT Security Analyst
    ------------------------------



  • 4.  RE: EU-US Privacy Shield Framework

    Online Forum Topic Leader
    Posted 14 Aug, 2019 14:18
    @Felipe Reyes,

    Apologies for my late reply - I've been on holidays.  There is some good information with links to further information here https://iapp.org/media/pdf/resource_center/WP29-Shield-FAQ-EUBusinesses.pdf

    Per the document: "In the first step, European businesses can only share personal data with a U.S. based company if the transfer will benefit from a legal basis (i.e. if it complies with national law implementing articles 7 and 8 of the EC Directive 95/46/EC). Moreover, all other general requirements from EU data protection law towards the data transfer/s need to be met (e.g. purpose limitation, proportionality, quality, information obligations towards data subjects)."

    Best Regards,

    Ian


    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------