
Mark Pestronk
Q: Our largest corporate client is going out for bid, and we have to submit a proposal in two weeks. One of the request-for-proposal (RFP) questions asks whether we are "Safe Harbor Certified" to handle travel data of European travelers. What does that term mean, and is it possible to get such a certification in less than two weeks?
A: The European Union's protections for personal data are stricter than those of the U.S., and E.U. law allows personal data to be transferred to the U.S. only to recipients that provide an "adequate" level of protection. By becoming Safe Harbor-certified, you voluntarily commit to a set of privacy principles that the E.U. has accepted as meeting that standard.
Certification enables you to receive, in the U.S., personal data about travelers based in the 28 E.U. member states. If you handle your account's E.U.-based employees' travel, or compile their travel data into management reports, you will need such data.
Under a program created in 2000 by the U.S. Department of Commerce and the European Commission, U.S. businesses self-certify their compliance by completing a form on the Commerce Department's Safe Harbor website. Once you submit the form, your company is listed as a Safe Harbor participant on that website.
However, before you can complete the form, you need to adopt a detailed privacy policy as well as an enforcement procedure, and you must publish the policy and procedure on your website. The policy must cover the "seven principles" of the program, which the U.S. Small Business Administration paraphrases as follows:
• Identify Data Collection Purposes. You must let individuals know your purpose for collecting or using their personal information. You must provide contact information for inquiries or complaints.
• Honor Opt In/Opt Out Decisions. You must give individuals the choice to opt out of disclosure of their information to a third party, or of its use for a purpose other than the one for which it was originally collected. For sensitive information (such as health or medical data), you must obtain an affirmative opt-in choice instead.
• Subject Third Parties to Same Principles. If you transfer consumer data to a third party, the third party must subject itself to Safe Harbor principles or the same level of privacy protection.
• Allow Access to Data. You must give individuals access to the data they provide. They generally should be able to correct, amend or delete information where it is inaccurate.
• Protect the Data. You should take reasonable steps to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
• Collect Only Relevant Data. The data you collect must be relevant to your purpose.
• Enforce These Principles. You must set up procedures to enforce Safe Harbor principles.
To comply with the last principle, you need an independent dispute-resolution mechanism: typically, you contract with a private organization in the U.S., such as the American Arbitration Association, that provides a forum for resolving complaints when a consumer claims that you misused his or her data.
As far as I can tell, you should be able to adopt all the program requirements and complete the online certification application in a day or so. Although there are consultants that can help you with the process, I know of no reason why you cannot do it all yourself well before your client's proposal deadline.
You can find a more detailed description of the program requirements in the Commerce Department's "Safe Harbor Workbook." You must recertify every year to renew your Safe Harbor listing.