Something I’ve been spending a lot of work on this summer is creating management tools to help information security and privacy practitioners do their jobs more effectively and efficiently. In the past three months I’ve had over a dozen CISOs and CPOs call me and ask if I had specific types of tools to help them with their information security, privacy and compliance efforts and iniatives. One of the tools will help them with managing their programs and processes for, along with the many complex issues involved with, transferring personally identifiable information (PII) with any of the 27 European Union (EU) contries to the U.S. and other countries. One of the areas involved with tackling this issue is whether or not to participate in the Safe Harbor program.
So, I was very interested to read that the U.S. Commerce Department announced a new certification mark/seal for organizations to put on their websites to show that they have self-certified compliance with the Safe Harbor Framework requirements.
Before the availability of this certification seal/mark, you had to check the online list to see if a company participated in the program. The search process is a bit kludgy.
There are over 1,500 organizations participating in the EU Safe Harbor program; many, many more than just a few years ago.
It is important to understand that this is a *SELF CERTIFICATION* program. Under the program, organizations “certify” (I really don’t like the use of this word for this type of program) their compliance with the privacy principles required under the EU Data Protection Directive 95/46/EC.
If the U.S. Federal Trade Commision (FTC) discovers one of these self-certified organizations are not actually following the Safe Harbor program requirements, the FTC can bring enforcement action against the U.S. company. There can also be negative repurcussions from the EU countries. Note; to date the FTC has not yet exercised a formal action for non-compliance with the program.
The reported purpose of this new Safe Harbor certification mark/seal is to help consumers in European to quickly see if they are interacting with a Safe Harbor company.
It is interesting to also see that the Commerce Department is creating a similar Safe Harbor program for U.S. organizations to use for PII transfers between Asia Pacific (APEC) countries.
Often various BU leaders, lawyers, and even marketing heads, sign up for Safe Harbor without first speaking with the information security or privacy areas to see if the organization can even meet the requirements for which they are “self certifying” the organization.
Has someone signed up your organization for Safe Harbor without talking to information security or privacy areas? You wouldn’t want to be the first organization to which the FTC assigned penalties for not following the program requirements.
Tags: APEC, awareness and training, EU Data Protection Directive, FTC, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, safe harbor, security training