EU Safe Harbor Compliance Checklist

If your business collects and transfers any EU citizen's personal information to the US, your organization needs privacy protection that meets the EU’s "adequacy" standard. The US Department of Commerce and the European Commission developed the US-EU Safe Harbor Framework so that US companies can self-certify and safely do business in the EU. While some companies go it alone, others, turn to privacy experts, recognized by the Department of Commerce, to accelerate the application process and maintain their compliance.

This checklist will help you determine if you need to be EU Safe Harbor certified and how to achieve it.

Does your business need to comply?
Any business with a website or mobile app that collects personal information (employee as well as customer data) from an EU citizen and transfers it to the US must comply. Cloud-based services and data processing companies with EU customers may need to self-certify with the EU Safe Harbor framework if they process personal information from the EU. Self-certification reduces the risk of fines, negative publicity and business disruptions.

Do your privacy practices meet EU adequacy standards?
EU Safe Harbor privacy principles are more stringent than US requirements, particularly in terms of privacy notices and choice. Privacy notices must include a physical address and phone number for inquiries or complaints. European citizens must have the choice to opt out and delete their personal information. Deletion requests must be honored within 30 days. Sensitive information requires an opt in or affirmative choice if it is disclosed to a third party.

Do you have 3rd party dispute resolution?
The EU Safe Harbor framework requires that companies retain a third party for dispute resolution related to privacy issues. It is not enough to respond internally to questions and concerns. Quick resolution that protects the business and responds to concerned customers is good for compliance and for business. Customers trust companies that address their concerns in a timely manner.

Are your partners compliant?
Any data passed from your website to a third party for processing (such as a data aggregator creating profiles or a shopping cart) must also comply with EU Safe Harbor principles. Before you choose a data processor or add a cloud-based service to your website, request verification of EU Safe Harbor compliance or look for a certified EU Safe Harbor seal on their website.

Is your business ready for self-certification?
To avoid back and forth with the Department of Commerce during self-certification, make sure your privacy policy and practices are ready. Third party privacy policy certifications that are recognized by the Department of Commerce provide guidance to accelerate the process and reduce risk of failure. Once self-certification is complete, continuous monitoring prevents unintended non-compliance.