Let’s take a closer look at what the decision to self-certify under the DPF means for your company. In terms of costs, other than the applicable fees, you need to consider the administrative and organizational costs of ensuring accountability and of implementing mechanisms that allow data subjects to exercise their rights. Below we provide a list of requirements for you to consider and weigh. These costs will need to be considered together with your line of business, the categories of personal data you usually process, the periodicity of your transfers and other factors. We will walk you through those further below.

Are you eligible for the DPF program?

First of all, let’s make sure you are eligible to self-certify under the DPF. Organizations must meet the following criteria to be eligible for the DPF program:

  • The company must be a US legal entity;
  • The company must be subject to the jurisdiction of either the Federal Trade Commission (FTC) or the US Department of Transportation (DOT), since those are the two agencies that enforce DPF commitments.

Certain companies are ineligible for the DPF program:

  • Most banks, federal credit unions, and savings & loan institutions;
  • Telecommunications common carriers;
  • Labor associations and most non-profit organizations;
  • Most companies involved in packer and stockyard activities;
  • Some insurance companies, since the FTC’s jurisdiction over insurance activities is limited;
  • Other organizations that do not fall under the jurisdiction of the FTC or the DOT.

Steps towards your DPF certification

Once you have confirmed that your company is eligible for self-certification, let’s walk through the steps you will need to take. We have divided them into preparatory measures, organizational measures, accountability and transparency measures, and payment, and have included some information on each so that you can weigh the cost of implementing them against the benefit of being one of the companies self-certified under the DPF.

Preparatory measures

  1. Choose an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved. This step will entail concluding contracts and potentially paying fees.
  2. Whenever you process HR data transferred from the EU, or if you select the panel of EU data protection authorities as your independent recourse mechanism rather than a private one, your company will need to commit to cooperating with the EU data protection authorities and complying with their advice. This requirement entails not only complying with specific advice provided to your company but also monitoring trends and remaining vigilant regarding regulatory news.
  3. For onward transfers, consider the cost of entering into contracts with the business partners and/or service providers to which the data is to be transferred, setting out specific obligations for the protection of that data in line with the DPF Principles and the GDPR.
  4. Designate a DPF compliance contact.

Organizational measures

  1. Establish a process to allow individuals to access their personal data (“access”) and to opt out of the disclosure of their personal data to third parties and of its use for purposes materially different from those for which it was collected (“choice”).
  2. If you process sensitive data, you must obtain the data subject’s opt-in (affirmative express consent) before disclosing such data to third parties or using it for purposes materially different from those for which it was collected (some exceptions apply).
  3. Set retention periods to delete personal data after the purpose sought is accomplished. This step entails having an operational data retention policy and schedule with retention periods in place.
  4. Limit the processing of personal data to that relevant for the purposes of processing (data minimization).
  5. Set up a process to renew your self-certification every year. This step entails verifying your compliance, which may take the form of an internal self-assessment or an outside compliance review (an audit or data protection assessment).

Accountability and Transparency

Your company’s privacy policy shall contain:

  1. A declaration of your commitment to comply with the DPF Principles.
  2. A link to the U.S. Department of Commerce’s DPF program website.
  3. A link to the relevant website or complaint submission form of the independent recourse mechanisms chosen to investigate individual complaints brought under the DPF Principles.
  4. A commitment to binding arbitration in case of residual claims.
  5. Information for individuals on their right of access to their personal data.
  6. A statement that your company may be required to disclose personal data in response to a lawful request by public authorities.
  7. Information about the enforcement authority (FTC or DOT) that has jurisdiction over your company’s compliance with the DPF Principles.
  8. Information regarding your company’s liability in cases of onward transfers of GDPR data.

Payment: Pay all necessary fees and contributions as follows

  1. Contribution to the DPF Arbitral Fund: between US $250 and $10,000 (depending on your company’s annual revenue).
  2. Annual fee to the United States Council for International Business (USCIB), which collects the fee for the EU data protection authorities’ panel where your company commits to cooperate with the DPAs: US $50.
  3. Annual fee to the International Trade Administration (ITA), which administers the DPF program: between US $250 and $4,875 (depending on your company’s annual revenue).
  4. Other costs to be considered, for example, auditors, renewal of certification, among others.

Other factors to consider to decide whether to self-certify under the DPF

Financial and organizational costs are, however, not the only consideration to be borne in mind when considering a self-certification. Since signing Standard Contractual Clauses and concluding a simplified Transfer Impact Assessment, in line with the EDPB’s opinion quoted above, is an acceptable and equally compliant option, the decision to self-certify your company under the DPF should be made primarily on the basis of the actual value that a self-certification would bring. When considering that value or benefit, I consider it of utmost importance to weigh three factors: a) your line of business; b) the categories of personal data that you process; and c) the periodicity of your transfers and the number of business partners involved.

Your line of business is of utmost importance for this assessment because it will determine the context and the expectations of your business partners regarding your status as a self-certified company. Pharmaceutical and health-care organizations, companies providing HR services, financial institutions processing GDPR data in the US and, in general, companies processing special categories of personal data in the sense of Arts. 9 and 10 GDPR should consider a self-certification. The data categories you process, as well as your line of business, should inform your decision, because your European business partners will expect you to be self-certified based on the types of data they are transferring to you, the context of the transfer and the purposes for which you process those data categories. In other words, your European business partners may trust a self-certified company more than one that isn’t, and that trust may become a comparative advantage for your company.

Let’s suppose for a minute that your line of business or the personal data categories that you process would not, in principle, drive you in the direction of self-certifying. Should you then assume that a self-certification is not for you? I would say so, unless the periodicity of your data transfers and the number of parties involved make it burdensome to conclude Standard Contractual Clauses. This is where our third consideration comes into play: the periodicity of data transfers and the number of business partners involved. Since the self-certification process entails financial and organizational costs, I advise my clients to weigh those costs against the cost of negotiating and concluding Standard Contractual Clauses with each and every one of their applicable business partners. Even with a simplified Transfer Impact Assessment, concluding Standard Contractual Clauses will entail at least a minimum, and at most a considerable, effort every time such a contract needs to be concluded. You will therefore need to do the math and decide whether the costs of self-certifying outweigh those of negotiating and concluding Standard Contractual Clauses with your business partners.

As you can see from the above, there are three main considerations to bear in mind when deciding whether to opt for a self-certification under the DPF: a) your line of business; b) the data categories that you process and the purpose of such processing; and c) the periodicity of your transfers and the number of parties involved, which will give you an idea of the cost of concluding Standard Contractual Clauses every time you process GDPR data.

Conclusion

  • Since both a self-certification under the DPF and the use of Standard Contractual Clauses + Transfer Impact Assessment ensure – under the current circumstances – a lawful transfer of GDPR personal data to the US, companies will need to consider reputational as well as practical factors in order to make a well-informed decision.
  • Among the factors to be considered, we believe that companies should pay attention to the administrative and organizational costs as well as the fees to be paid for self-certification and to weigh those costs and administrative expenses against the benefit of being one of the self-certified companies in terms of reputation and ease or automatism, if you will, of transfers under the DPF.
  • Other than the costs involved, the line of business, the data categories processed and the context of such processing as well as the periodicity of the transfers and the number of actors involved should inform companies’ decision to self-certify.
  • Whatever decision you make, consider having a fallback mechanism (for example, Standard Contractual Clauses) in case the DPF is invalidated. Consider also the administrative and organizational costs of switching to that fallback mechanism and how cumbersome the transition will be.
  • If you are still unsure, give us a call, we’ll help you decide!