Words to the (Data) Wise

The Federal Trade Commission has settled with five more companies for failing to meet their obligations under the European Union-U.S. Privacy Shield, the self-certification framework under which U.S. companies may receive personal data transferred from the EU. It is one of the transfer mechanisms recognized under the EU's General Data Protection Regulation, which applies to the handling of personal data of individuals in the EU whether or not the company processing it is established there.

The FTC also suggested three takeaways that companies should glean from the dozens of Privacy Shield cases the agency has brought:

1. While participation in the framework is voluntary, the FTC will aggressively pursue any participant that makes false statements about its certification or fails to live up to the framework's requirements; a false claim of participation is treated as a deceptive practice.

2. “Finish what you start,” the FTC said. Likening it to a golf swing, the agency said it's all in the follow-through: a company should not claim to participate in the framework until it has completed its application and been certified by the Department of Commerce, which administers the framework.

3. Certification is not an end point, but the start of an ongoing obligation, including annual recertification. “To keep your company on the right side of the law, put a recertification reminder on your calendar now,” the FTC said. “(Yes, now.) Furthermore, if you decide at a later date not to participate, immediately change what you say on your website.”

The agency added that certified companies also carry ongoing responsibilities for how they collect and handle personal data, not just for what they say about their certification.

It is definitely in a company's interest to be in compliance with the GDPR. The maximum fine for violations is 20 million euros or 4% of total worldwide annual turnover, whichever is greater. Note that the FTC's Privacy Shield settlements are a separate matter: they are brought in the United States for misrepresenting or failing to honor certification commitments, and do not substitute for, or cap, GDPR enforcement by EU authorities.