PRIVACY SHIELD GRACE PERIOD IS ENDING, ARE YOU

READY?
A C C OU N TAB ILI TY F OR O NW AR D TR AN SF ER , EU US P RIV A C Y SH I ELD ,
PRIVACY SHIELD, VENDOR MANAGEMENT

March 20, 2017

Soon companies that self-certified with the Department of Commerce (DOC) last fall before the September 30,
2016 deadline will have the 9 month grace period come to a close. The grace period was given to these
companies so that they could ensure that all of their third-party vendors met the Accountability for Onward
Transfer principle. The grace period ends soon, meaning that the deadline is fast approaching.

The Privacy Shield Accountability for Onward Transfer principle, Section II, 3.b., states:

To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such
data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at
least the same level of privacy protection as is required by the Principles; (iii) take reasonable and
appropriate steps to ensure that the agent effectively processes the personal information transferred
in a manner consistent with the organizations obligations under the Principles; (iv) require the agent
to notify the organization if it makes a determination that it can no longer meet its obligation to
provide the same level of protection as is required by the Principles; (v) upon notice, including under
(iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi)
provide a summary or a representative copy of the relevant privacy provisions of its contract with
that agent to the Department upon request.

PRIVACY MANAGEMENT SOLUTIONS

CONTACT US US: 888.878.7830 EU: +44 (0)203 078 6495 | www.truste.com TRUSTe Inc., 2017
In sum, maintaining your Privacy Shield certification by adhering to the Accountability for Onward Transfer
principle requires a lot of due diligence. When your company has a relationship with a third-party vendor
involving the transferring personal information to that vendor, your company has to ensure that the vendor will
process personal information in a manner consistent with your companys obligations under the Principle. Your
companys contract with the vendor also has to state that the data your company transfers to it can only be
used for limited and specified purposes. Whats more, vendors acting as agents have to cease and take steps to
remediate unauthorized processing.

For most companies, this is a lot of work that is quite time consuming; the initial grace period concession was
given in light of the time it may take a company to comply with this principle. For example, a few of the hundred
vendors that a typical mid-sized business uses are: a marketing automation system, a customer relationship
management system, an administrative services system, and a payroll system. Larger organizations may use
thousands of vendors.

How will companies adhere to this principle? One option is to compile a large spreadsheet and call, email, or
meet with internal business or process owners. Though this option is cost effective in terms of dollars, it is not
cost effective in terms of time, productivity, and data integrity. Technology solutions to automate the process
and provide an easily accessible digital repository may have up-front costs. However, long term savings in terms
of time, productivity, and maintaining data integrity will far outweigh initial up-front costs.

If you have any questions about the requirements of this Principle, contact us.

For the latest privacy news & information, visit truste.com/blog.

PRIVACY MANAGEMENT SOLUTIONS

CONTACT US US: 888.878.7830 EU: +44 (0)203 078 6495 | www.truste.com TRUSTe Inc., 2017