Audit and Assurance

EU-US Privacy Shield Framework

  • 1.  EU-US Privacy Shield Framework

    Posted 06 Aug, 2019 19:00
    Is anyone familiar with the EU-US Privacy Shield Framework and can provide direction on audit and controls?  I gather they have 7 principles, but the language seems very general when compared to ISO, NIST and GDPR standards.

    The Privacy Shield website also indicates members are "self-certified" with monitoring and enforcement by the FTC and the US Department of Commerce.  Does this mean they issue an oversight report similar perhaps to CFPB, FFIEC, OCC, etc., or is there a third-party certification after the fact such as with ISO or FIPS?

    Any direction or insight would be greatly appreciated.

    Felipe Reyes
    IT Security Analyst

  • 2.  RE: EU-US Privacy Shield Framework

    Posted 07 Aug, 2019 21:50
    I am by no means a Privacy Shield expert but I will add my 2 cents.

    Because PS is a privacy framework and not a security framework, it is not going to list specific control requirements like other security frameworks such as NIST and ISO.  It is self-certifying with an annual self-recertification.  When you self-certify, you will have to submit several pieces of information and then the U.S. Department of Commerce's International Trade Administration (ITA) will review the application for approval.

    This link (#3) talks about the ITA's monitoring activities.  It seems like it is ad hoc at their discretion if something comes to their attention about PS violations at a specific organization.

    Are you being required to be PS compliant?  If not, you may want to consider a SOC 2 audit that includes the Privacy category.  The SOC 2 audit would provide an independent 3rd party report that shows customers you have security and privacy controls in place.

    Also, I would definitely reach out to your legal counsel for their advice as they should be familiar with the requirements and can determine if it is right for your organization.

    Troy Fine
    Schneider Downs

  • 3.  RE: EU-US Privacy Shield Framework

    Posted 22 Aug, 2019 10:05

    My apologies for the delayed reply.  Thank you both for your responses.  Some good information that leads me in the right direction to EU-US Privacy Shield.  I appreciate the assistance.

    Felipe Reyes
    IT Security Analyst

  • 4.  RE: EU-US Privacy Shield Framework

    Posted 14 Aug, 2019 14:18
    @Felipe Reyes,

    Apologies for my late reply - I've been on holidays.  There is some good information with links to further information here

    Per the document: "In the first step, European businesses can only share personal data with a U.S. based company if the transfer will benefit from a legal basis (i.e. if it complies with national law implementing articles 7 and 8 of the EC Directive 95/46/EC). Moreover, all other general requirements from EU data protection law towards the data transfer/s need to be met (e.g. purpose limitation, proportionality, quality, information obligations towards data subjects)."

    Best Regards,


    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist