Don’t Hit Snooze on Privacy Shield

September 06, 2016

Why You Need to Register Early

If your US organization has access to private customer data for folks living in the European Union (EU), you are now required to comply with the new Privacy Shield regulations related to the use and treatment of personal data received from EU customers. The U.S. International Trade Administration (ITA)has worked closely with representatives from the EU to establish the new guidelines. In an effort to make it easier for early adopters to become compliant, an early registration grace period, which ends September 30, 2016, has been offered.

What does this grace period do for my organization?

Privacy Shield is very strict on organizations that share their EU customer data with third-party service providers. Companies that comply with Privacy Shield must also enter into contracts with their third-party services providers that will require the service provider to treat all EU customer data with the level of care stipulated by Privacy Shield. Meaning third-parties may only process EU customer data for limited and specified purposes consistent with the consent provided by the customer. This Privacy Shield requirement is known as the Onward Transfer principle and essentially ensures that third-party service providers are also complying with Privacy Shield.

You can imagine what a bear it will be for some organizations to update existing contracts or enter into new contracts with all of their third-party service providers, when many organizations have hundreds or even thousands of third-party vendors.

To make things a bit easier and to get companies moving quickly on the new Privacy Shield certification, the early registration program gives organizations that file their self-certification by September 30, 2016, a nine-month grace period to conform third-party contracts with the Onward Transfer requirements under Privacy Shield.

How can your organization take advantage of this grace period?

That part is simple — organizations that complete the self-certification by September 30, 2016 will automatically receive a nine month window to put the proper third-party contracts in place.

The grace period begins on the day the organization files its self-certification, and concludes nine months from that date. For example, if an organization files its Privacy Shield self-certification on September 30, 2016, it has until June 30, 2017 to update its third-party contracts.

Organizations that don’t file a self-certification by the early deadline (September 30, 2016) will be required to reach full compliance in regards to the Onward Transfer principle prior to certifying with Privacy Shield. That means they will have to update every single contract with third-party vendors before they can be considered compliant with Privacy Shield.

Ugh… Sounds like an even bigger bear. Organizations that have hundreds or even thousands of vendors will be required to re-negotiate each contract and ensure that their vendors are meeting Privacy Shield requirements.

The Onward Transfer principles will put significant pressure on service providers to comply with Privacy Shield, but will also limit the number of service providers or vendors that organizations will eventually be able to do business with.

Its going to be a tall task for legal teams, privacy and security officers, and compliance teams to put these contacts in place. Nine months may not even be enough time, but with the grace period being offered companies will at least be considered compliant during that period.

The task of enforcing Onward Transfer on vendors may end up feeling like an all out brawl. For organizations that need to be compliant with Privacy Shield it probably makes good sense to take advantage of the grace period being offered.

Getting Started

Really its going to take three things to take part in the Privacy Shield early registration offering: (1) your organization must be able to demonstrate compliance with the Privacy Shield principles (excluding the onward transfer principle),(2) your organization must file the self-certification by September 30, 2016, and (3) within the next nine months, your organization must update relevant third-party contracts to include the Privacy Shield requirements.

A simple way to get started with step one is to use the free Privacy Shield assessment tool provided by Whistic. Its a simple, step-by-step questionnaire that walks users through the Privacy Shield requirements.

Step two can also be accomplished through the Privacy Shield tool on Whistic. This is a paid service that can be used to submit to the DOC on an annual basis. Simply enter the required information and Whistic will take care of the rest.

Step three will require some negotiations with your organization’s vendors — which to be honest is outside the scope of Whistic’s offering. However, Whistic can help your vendors understand and become compliant with Privacy Shield. Simply send them a request to assess on the Privacy Shield assessment, or send them a link to

Need additional help?

The Department of Commerce (DOC) has issued a guide to self-certification.

And here’s another picture of a bear.

Whistic is an award winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self assess against compliance and security standards (e.g. PCI, DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence TM scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit:

privacy privacy shield safe harbor european union standards

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.