Renewal Season: 5 Tips to Ensure a Smooth Data Privacy Framework Process

May 16, 2024 by Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs

Unlike solar eclipses, blue moons, and other rare celestial activity, an annual occurrence for U.S. companies that engage in transatlantic digital data flows under the Data Privacy Framework Program (DPF) is recertifying with the U.S. Department of Commerce. 

Recertifying serves as a way for companies to annually assess and account for how they handle and process personal data that originates in the EU, U.K., and/or Switzerland. For U.S.-based entities that offer services in those countries, an approved and adequate mechanism must be in place to facilitate the transfer of data due to a provision in the EU’s privacy regulation, the GDPR.

Renewing organizations must assess their eligibility to ensure they still qualify to participate. Three key requirements to confirm eligibility are:

  1. Your organization is a U.S.-based entity.
  2. Your organization processes data transferred from the EU, U.K., and/or Switzerland to the U.S.
  3. Your organization is under the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation.

It is recommended to confirm eligibility each year before renewing to ensure that your organization qualifies to be a participant in the program. While renewals may often be seen simply as “business as usual,” there are some important things to keep in mind to ensure a smooth process from start to finish. 

As the longest-running Independent Recourse Mechanism (IRM), BBB National Programs is here to help with some tips and best practices for recertification. 

 

Checklist: Renewing DPF Certifications

  1. Make sure your policy has the required DPF-specific language. The Department of Commerce requires that specific language be included for companies to demonstrate their compliance. A sample adherence statement is available on the department’s website. Companies that do not include this DPF-specific language in their privacy policy may experience delays in recertification.
  2. Include clear distinctions for different privacy rights under different laws. Adherence to the DPF may not be the only disclosure included or referenced in a privacy policy. Depending on where a company operates, multiple sections covering different data privacy requirements specific to those jurisdictions might be included. Rights and responsibilities specific to the DPF should be separated, drawing special attention to consumer rights. While some of them may overlap, including the rights under GDPR and various U.S. state laws, it is important they are clear and distinct from one another.
  3. If you cover human resources (HR) data, include clear instructions for complaint submission. When covering HR data under DPF, it is important to include a complaint submission process and information on the appropriate Data Protection Authority where complaints can be handled. U.S.-based IRMs are unable to handle complaints involving HR data. For more information on processing requirements for HR data, see the supplemental principles.

 

In addition, keep in mind two troubleshooting tips when navigating the website and interfacing with the official certification platform:

  • If you are missing the “Recertify” button when logged in: Some applicants recertifying have found that their account credentials do not match the Department of Commerce database, causing an error. For companies currently participating in BBB National Programs’ Data Privacy Framework Services, please let us know if you have experienced this issue and our team will help with troubleshooting.
  • If you are receiving an error message that account credentials do not match the ITA database: The Department of Commerce has let us know that this message could appear for a few reasons. One of the most common is related to staff turnover. If the person who set up the account is no longer with the company, the account may require validation. Again, for BBB National Programs participants, we are here to help. Reach out to your account manager for assistance.

Not sure where to get started with renewing or applying for the DPF Program? Need support troubleshooting the process? Whether you are a current BBB National Programs DPF Services participant or not, send us an email at euprivacy@bbbnp.org and our team will do our best to help. 
