Renewal Season: 5 Tips to Ensure a Smooth Data Privacy Framework Process

May 16, 2024 by Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs

Unlike solar eclipses, blue moons, and other rare celestial activity, recertifying with the U.S. Department of Commerce is an annual occurrence for U.S. companies that engage in transatlantic digital data flows under the Data Privacy Framework Program (DPF).

Recertifying serves as a way for companies to annually assess and account for how they handle and process personal data that originates in the EU, U.K., and/or Switzerland. For U.S.-based entities that offer services in those countries, an approved and adequate mechanism must be in place to facilitate the transfer of data due to a provision in the EU’s privacy regulation, the GDPR.

Renewing organizations must assess their eligibility to ensure they still qualify to participate. Three key requirements to confirm eligibility are:

  1. Your organization is a U.S.-based entity.
  2. Your organization processes data from the EU, U.K., and/or Switzerland to the U.S.
  3. Your organization is under the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation.

 

It is recommended to confirm eligibility each year before renewing to ensure that your organization qualifies to be a participant in the program. While renewals may often be seen simply as “business as usual,” there are some important things to keep in mind to ensure a smooth process from start to finish. 

As the longest-running Independent Recourse Mechanism (IRM), BBB National Programs is here to help with some tips and best practices for recertification. 

 

Checklist: Renewing DPF Certifications

  1. Make sure your policy has the required DPF-specific language. The Department of Commerce requires that specific language be included for companies to demonstrate their compliance. A sample adherence statement is available on the department’s website. Those companies not including this DPF-specific language in their privacy policy may experience delays in recertification.
  2. Include clear distinctions for different privacy rights under different laws. Adherence to the DPF may not be the only disclosure included or referenced in a privacy policy. Depending on where a company operates, multiple sections covering different data privacy requirements specific to those jurisdictions might be included. Rights and responsibilities specific to the DPF should be separated, drawing special attention to consumer rights. While some of them may overlap, including the rights under GDPR and various U.S. state laws, it is important they are clear and distinct from one another.
  3. If you cover human resources (HR) data, include clear instructions for complaint submission. When covering HR data under DPF, it is important to include a complaint submission process and information on the appropriate Data Protection Authority where complaints can be handled. U.S.-based IRMs are unable to handle complaints involving HR data. For more information on processing requirements for HR data, see the supplemental principles.

 

In addition, keep in mind two troubleshooting tips when navigating the website and interfacing with the official certification platform:

  • If you are missing the “Recertify” button when logged in. Some applicants recertifying have found that their account credentials do not match the Department of Commerce database, causing an error. For companies currently participating in BBB National Programs’ Data Privacy Framework Services, please let us know if you have experienced this issue and our team will help with troubleshooting.
  • If you are receiving an error message that account credentials do not match the ITA database. The Department of Commerce has let us know that this message could appear for a few reasons. One of the most common is related to staff turnover. If the person who set up the account is no longer with the company, the account may require validation. Again, for BBB National Programs participants, we are here to help. Reach out to your account manager for assistance.

 

Not sure where to get started with renewing or applying for the DPF Program? Need support troubleshooting the process? Whether you are a current BBB National Programs DPF Services participant or not, send us an email at euprivacy@bbbnp.org and our team will do our best to help. 
