A Beginner's Guide to Self-Certifying with Privacy Shield

A few weeks ago, we posted a more comprehensive view of our path to SOC 2 attestation. If you're just starting out on that journey yourself, check out that post for a bird's-eye view of the process so far.

We've continued to work through the process and wanted to share a little more detail on a few facets of what we're doing, specifically our GDPR readiness.

While the end goal here is to self-certify under the EU-U.S. Privacy Shield Framework, you'll need an Independent Recourse Mechanism (IRM) in place before you can apply. We chose the International Centre for Dispute Resolution/American Arbitration Association (ICDR-AAA) as our IRM.

The process was straightforward and relatively painless. To register with the AAA, fill out the registration form and submit it by email to Alyssa Montano.

Once your form has been reviewed, you'll be sent an invoice for the registration fee, which is tiered by your company's annual revenue.


If this is your first time registering, you'll also need to contribute to the general arbitral fund, as laid out on the Privacy Shield website.


You can pay this directly on the AAA website by credit card, with the amount based on the revenue schedule outlined there.


Once you've submitted all forms and payments to the AAA, your company should appear on the list of companies on their site. Look for the "EU-U.S. and Swiss-U.S. Privacy Shield Programs List of Companies" on the right-hand side of the page.

Now that your IRM is set up, you can get to the main order of business: self-certifying with Privacy Shield. Luckily, they've done a good job of explaining how to work through the process on their website, but to save you some time, here is what you'll need to fill out the application:

  • an Independent Recourse Mechanism (if you followed the steps above, congratulations, you've got this covered)
  • an updated draft of your public privacy policy containing the specific language about your company's participation in Privacy Shield and naming the IRM you've chosen

    A note here: it must remain a draft of your privacy policy with the updated language. You may post it publicly only once you've cleared the Privacy Shield application process, because you should not publicly claim participation in the program before your self-certification is finalized.
  • a named contact within your company who will handle all inbound Privacy Shield inquiries, along with their contact information

A point to remember: these are the specific items needed to apply for self-certification with Privacy Shield, not what is needed to actually comply with the program. You'll need to review the framework's requirements and make sure you can meet all of them, preferably before you attest that you do.

Once you've got all your ducks in a row, go ahead and apply, and be ready to pay the corresponding fee based on the Privacy Shield revenue schedule.


It should be straightforward, though, because you've read this post and have all your supporting documents ready to go.

Please drop us a line and let us know how your application process is going!