Cyber Risk Advisory

The benefits of using the new Data Privacy Framework

Dylan Roberts

Consultant, Strategy, Privacy, and Risk


After the Schrems II ruling by the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, lawful cross-border transfers of personal data from the EU to the U.S. became a key issue for U.S. businesses. After years of negotiation, the EU and U.S. agreed on a replacement mechanism, and the European Commission adopted an adequacy decision for it. This new mechanism, the Data Privacy Framework (DPF), can be used by organizations of various sizes and industries both to legitimize transfers and to guide privacy program management.

Key takeaways:

  • The new Data Privacy Framework (DPF), administered by the Department of Commerce, gives organizations a lawful mechanism for transferring personal data from the EU to the U.S.
  • The DPF provides clear, thorough guidelines for the privacy requirements that apply to cross-border transfers.
  • Organizations can use the DPF as guidance for holistic privacy program management and as operational guidance when complying with multiple privacy laws.

The basics of the DPF

It is more accurate to describe the Data Privacy Framework as Data Privacy Framework(s), as there are separate frameworks covering transfers from the EU, the UK, and Switzerland. However, seven key principles remain consistent across each framework. These principles are:

  1. Notice
  2. Choice
  3. Accountability for Onward Transfer
  4. Security
  5. Data Integrity and Purpose Limitation
  6. Access
  7. Recourse, Enforcement, and Liability

The DPF includes high-level yet clear and concise descriptions of what is needed to meet the requirements under each principle. Additionally, the DPF is a self-certification program: an organization verifies its own compliance, either through a self-assessment or through an outside compliance review, rather than being certified by a regulator.

Organizations are required to review their privacy practices and, upon determining that they meet the DPF requirements, self-certify to the Department of Commerce's International Trade Administration (ITA). Once an organization self-certifies, its public commitment to the DPF principles becomes enforceable under U.S. law by the Federal Trade Commission (or, for certain carriers, the Department of Transportation), and the organization must recertify annually. By appearing on the ITA's DPF list, organizations can offer their customers an assurance mechanism for privacy compliance.

Using the DPF to guide privacy program management

The GDPR is one of the most stringent and complete privacy laws in the world because of the rights it extends to individuals and the mechanisms organizations must maintain to demonstrate compliance.

Because most of the GDPR's requirements overlap with (and often exceed) those of other privacy laws, the DPF, which was designed to satisfy the GDPR's conditions for transfers to a third country, can serve as privacy program guidance for complying with multiple privacy laws at once. Privacy professionals will also recognize the similarity between the DPF requirements and the principles established in the APEC Privacy Framework.

Because the DPF requirements are consistent with generally accepted best practices, organizations can use the DPF principles to build a streamlined privacy program. And because those principles align with industry standards, organizations can hire and develop staff whose knowledge transfers directly to a holistic compliance program that integrates privacy with other GRC functions.

Leveraging the DPF for operational guidance

More than many frameworks, the DPF provides guidance on operational compliance, an area where many organizations struggle.

For example, the DPF's Notice principle lists 13 items that must be included in privacy notices. Because the language of the requirements is descriptive rather than prescriptive, it allows for different, adaptable approaches depending on the capabilities and responsibilities of each organization.

Organizations can use a range of security and privacy mechanisms to fulfill each requirement, so long as the DPF requirements are directly addressed. Because of this modularity, the DPF can be retrofitted into an existing privacy program or used as the basis for developing a new one. The DPF principles can be supplemented with guidance from the European Data Protection Board (EDPB) to create a comprehensive, controls-based framework, which in turn makes internal auditing easier and keeps operational controls adaptable.

Where Coalfire can help

Organizations may need assistance in developing or maintaining their privacy program.

With a dedicated team of subject-matter experts in both information security and data privacy, Coalfire helps organizations create holistic privacy programs that integrate information security and data privacy work rather than treating them separately.

Coalfire offers support from gap identification through remediation by performing combined information security and privacy gap assessments, developing policies and procedures, and providing guidance to help organizations build mature and sustainable privacy programs.

The DPF is a streamlined method for organizations to comply with cross-border privacy requirements.

Additionally, the easy-to-understand nature of the DPF can be leveraged to develop and maintain a cohesive privacy program. By providing a self-certification process with enforceable commitments behind it, the ITA has created a framework that helps organizations maintain accountability for GDPR requirements.

As organizations in the U.S. have previously struggled with GDPR compliance, the DPF is a valuable tool for organizations of all sizes that have had difficulty understanding and implementing European privacy requirements.