GDPR and the Privacy Shield Agreement


With the GDPR becoming enforceable on May 25, 2018, many people are asking how it relates to other privacy and security frameworks such as the Privacy Shield. The GDPR imposes strict protection of the personal data of people in the European Union (EU). The existing legal safeguards in the United States are not, on their own, considered to offer the level of protection the EU and the GDPR require. The practical implication is that a US-based business cannot lawfully receive and process personal data from the EU unless an approved transfer mechanism is in place. The Privacy Shield agreement is one such mechanism: it gives US-based organizations a way to demonstrate that their data protection practices meet a high enough standard to be allowed to receive and process EU personal data.

The Privacy Shield agreement replaced the Safe Harbor agreement, which existed between the United States and the European Union to regulate how US companies could import and handle the personal data of EU residents, and which the Court of Justice of the EU invalidated in October 2015. US companies that certify under the Privacy Shield may receive, process, store, and onward-transfer EU personal data on that basis; certification provides the legal basis for the transfer, but the company's handling of the data must still satisfy the GDPR's own obligations. The following elements must be in place before a US company can meet the Privacy Shield criteria.

  • US entities are obligated to provide stronger data protection when handling data relating to individuals in the EU.
  • Personal data must be processed and used only for limited, defined purposes. General access to or use of the data is not permitted.
  • Individuals in the EU are protected from harm and have routes to redress, including compensation, indemnity, or damages.
  • The Privacy Shield is reviewed annually by the EU and the US to confirm that it remains viable and fit for purpose.

The Privacy Shield and the GDPR are not directly comparable: the GDPR is a regulation that sets out data protection obligations, while the Privacy Shield is a mechanism that allows data to be transferred from the EU to certified US organizations. Both, however, share the same overall aim, which is to protect the personal data of people in the EU.