Renewal Season: 5 Tips to Ensure a Smooth Data Privacy Framework Process

May 16, 2024 by Victoria Akosile, Deputy Director, Privacy Operations, BBB National Programs

Unlike solar eclipses, blue moons, and other rare celestial activity, an annual occurrence for U.S. companies that engage in transatlantic digital data flows under the Data Privacy Framework Program (DPF) is recertifying with the U.S. Department of Commerce. 

Recertifying serves as a way for companies to annually assess and account for how they handle and process personal data that originates in the EU, U.K., and/or Switzerland. For U.S.-based entities who offer services in those countries, an approved and adequate mechanism must be in place to facilitate the transfer of data due to a provision in the E.U.’s privacy regulation, the GDPR. (Learn more about why.)

Renewing organizations must assess their eligibility to ensure they still qualify to participate. Three key requirements to confirm eligibility are:

  1. Ensuring your organization is a U.S-based entity. 
  2. Whether your organization processes data from the EU, U.K., and/or Switzerland to the U.S.
  3. If your organization is under the investigatory and enforcement powers of the Federal Trade Commission or the Department of Transportation.

 

It is recommended to confirm eligibility each year before renewing to ensure that your organization qualifies to be a participant in the program. While renewals may often be seen simply as “business as usual,” there are some important things to keep in mind to ensure a smooth process from start to finish. 

As the longest-running Independent Recourse Mechanism (IRM), BBB National Programs is here to help with some tips and best practices for recertification. 

 

Checklist: Renewing DPF Certifications

  1. Make sure your policy has the required DPF-specific language. The Department of Commerce requires that specific language be included for companies to demonstrate their compliance. A sample adherence statement is available on the department’s website. Those companies not including this DPF-specific language in their privacy policy may experience delays in recertification.
  2. Include clear distinctions for different privacy rights under different laws. Adherence to the DPF may not be the only disclosure included or referenced in a privacy policy. Depending on where a company operates, multiple sections covering different data privacy requirements specific to those jurisdictions might be included. Rights and responsibilities specific to the DPF should be separated, drawing special attention to consumer rights. While some of them may overlap, including the rights under GDPR and various U.S. state laws, it is important they are clear and distinct from one another.
  3. If you cover human resources (HR) data, include clear instructions for complaint submission. When covering HR data under DPF, it is important to include a complaint submission process and information on the appropriate Data Protection Authority where complaints can be handled. U.S.-based IRMs are unable to handle complaints involving HR data. For more information on processing requirements for HR data, see the supplemental principles.

 

In addition, keep in mind two troubleshooting tips when navigating the website and interfacing with the official certification platform:

  • If you are missing the “Recertify” button when logged in. Some applicants recertifying have found that their account credentials do not match the Department of Commerce database, causing an error. For companies currently participating in BBB National Programs’ Data Privacy Framework Services, please let us know if you have experienced this issue and our team will support with troubleshooting.
  • If you are receiving an error message that account credentials do not match with ITA database. The Department of Commerce has let us know that this message could appear for a few reasons. One of the most common is related to staff turnover. If the person who set up the account is no longer with the company, the account may require validation. Again, for BBB National Programs participants, we are here to help. Reach out to your account manager for assistance. 

 

Not sure where to get started with renewing or applying for the DPF Program? Need support troubleshooting the process? Whether you are a current BBB National Programs DPF Services participant or not, send us an email at [email protected] and our team will do our best to help. 

Suggested Articles

Blog

What You Missed at NAD 2024: The Global Future of Ad Law

If you missed NAD 2024: Charting the Global Future of Ad Law last month, here is a glimpse of the discussions from the NAD team, leading advertising law lawyers, academics, regulators, and experts from around the world.
Read more
Blog

Industry Self-Regulation Will Shine Post-Chevron

In its landmark decision in Relentless Inc. v. U.S. Department of Commerce and Loper Bright Enterprises v. Raimondo, the U.S. Supreme Court has fundamentally reshaped the landscape of regulatory governance in the U.S. And in the wake of the ruling, the implications for industry self-regulation loom large.
Read more
Blog

What to Know About New Jersey’s Lemon Law

While most cars run smoothly off the lot, it’s important to understand your rights if you find yourself with a potential “lemon” parked in your driveway. New Jersey's Lemon Law protects consumers of new vehicles from persistent defects.
Read more
Blog

U.S. Supreme Court Impact: Judicial Power at Work, Industry Self-Regulation in Play

The U.S. Supreme Court decision, Loper Bright Enterprises v. Raimondo, marked a pivotal shift in administrative law by overturning the Chevron deference doctrine and will have a long-term impact. The ruling also presents a unique opportunity for industries to fill regulatory gaps in a manner that enhances consumer trust.
Read more