Renewal Season: 5 Tips to Ensure a Smooth Data Privacy Framework Process

May 16, 2024 by Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs

Unlike solar eclipses, blue moons, and other rare celestial activity, an annual occurrence for U.S. companies that engage in transatlantic digital data flows under the Data Privacy Framework Program (DPF) is recertifying with the U.S. Department of Commerce. 

Recertifying serves as a way for companies to annually assess and account for how they handle and process personal data that originates in the EU, U.K., and/or Switzerland. For U.S.-based entities that offer services in those countries, an approved and adequate mechanism must be in place to facilitate the transfer of data due to a provision in the EU’s privacy regulation, the GDPR. (Learn more about why.)

Renewing organizations must assess their eligibility to ensure they still qualify to participate. Three key requirements to confirm eligibility are:

  1. Ensuring your organization is a U.S.-based entity.
  2. Determining whether your organization processes data transferred from the EU, U.K., and/or Switzerland to the U.S.
  3. Determining whether your organization is under the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation.

 

It is recommended to confirm eligibility each year before renewing to ensure that your organization qualifies to be a participant in the program. While renewals may often be seen simply as “business as usual,” there are some important things to keep in mind to ensure a smooth process from start to finish. 

As the longest-running Independent Recourse Mechanism (IRM), BBB National Programs is here to help with some tips and best practices for recertification. 

 

Checklist: Renewing DPF Certifications

  1. Make sure your policy has the required DPF-specific language. The Department of Commerce requires that specific language be included for companies to demonstrate their compliance. A sample adherence statement is available on the department’s website. Those companies not including this DPF-specific language in their privacy policy may experience delays in recertification.
  2. Include clear distinctions for different privacy rights under different laws. Adherence to the DPF may not be the only disclosure included or referenced in a privacy policy. Depending on where a company operates, multiple sections covering different data privacy requirements specific to those jurisdictions might be included. Rights and responsibilities specific to the DPF should be separated, drawing special attention to consumer rights. While some of them may overlap, including the rights under GDPR and various U.S. state laws, it is important they are clear and distinct from one another.
  3. If you cover human resources (HR) data, include clear instructions for complaint submission. When covering HR data under DPF, it is important to include a complaint submission process and information on the appropriate Data Protection Authority where complaints can be handled. U.S.-based IRMs are unable to handle complaints involving HR data. For more information on processing requirements for HR data, see the supplemental principles.

 

In addition, keep in mind two troubleshooting tips when navigating the website and interfacing with the official certification platform:

  • If you are missing the “Recertify” button when logged in. Some applicants recertifying have found that their account credentials do not match the Department of Commerce database, causing an error. For companies currently participating in BBB National Programs’ Data Privacy Framework Services, please let us know if you have experienced this issue and our team will help with troubleshooting.
  • If you are receiving an error message that account credentials do not match the ITA database. The Department of Commerce has let us know that this message could appear for a few reasons. One of the most common is related to staff turnover. If the person who set up the account is no longer with the company, the account may require validation. Again, for BBB National Programs participants, we are here to help. Reach out to your account manager for assistance.

 

Not sure where to get started with renewing or applying for the DPF Program? Need support troubleshooting the process? Whether you are a current BBB National Programs DPF Services participant or not, send us an email at euprivacy@bbbnp.org and our team will do our best to help. 
