EU/USA flag Image Source Freeimages/szymon szymon and Pixabay/GeraltUltimate software has announced that it received EU-US privacy shield certification from US Department of Commerce. They were also awarded TRUSTe privacy certification which in some ways is a better gauge of their commitment to compliance.

Gaining Privacy Shield.

Adam Rogers, chief technology officer at Ultimate (Source LinkedIn)
Adam Rogers, chief technology officer at Ultimate

As a cloud based HCM vendor likely to store information on individuals from the EU within its US data centres this is an important announcement. Ultimate Software was already compliant with the Safe Harbor rules which was replaced by Privacy Shield. As with Safe Harbor the process for Privacy Shield process is mainly self-certification. There are seven steps to follow in the process and that includes ensuring that there is a third-party resolution process in place. TRUSTe are one of the companies that support that process but Ultimate chose to engage with TRUSTe at a deeper level.

This indicates that not only does Ultimate recognise the requirement to gain the certification but it shows that they wanted independent oversight to ensure they meet the standard. This will give a level of comfort to customers that may see the self-certification process as merely a rubber stamp. Easy to obtain, but if issues arise from data privacy, harder to actually resolve.

Adam Rogers, chief technology officer at Ultimate: “We are pleased to adopt the EU-U.S. Privacy Shield Framework to demonstrate our commitment to robust EU-U.S. cross-border privacy. Protecting our customers is our top priority, so we employ forward-thinking technologies, teams, tools, and processes to safeguard their data.”

The commitment to join the Privacy shield framework is voluntary. In some ways the only validation is the fee that is payable to the US Department of Commerce. Once certified, the requirements are enforceable under US law. So the TRUSTe certification makes sense in order to minimise the risk of exposure following any breach to Ultimate in the future.

TRUSTe privacy certification

To attain TRUSTe privacy certification Ultimate Software will have gone through a logical sequence of steps to ensure their procedures and policies were correct and in place. TRUSTe commences the engagement with a data collection phase. This examined the data privacy management practices for the Ultimate HCM application. It also includes tracking where the data is stored. Importantly it identifies who Ultimate shares the data with and the quality of the third-party agreements in place.

If data is passed for example through to other solutions such as third-party ERP solutions then the appropriate contract clauses and disclosures for Ultimate and its clients are checked. The data was collected using a combination of technology, document review and people interviews. Once collected a report is delivered that highlights the issues within data management policies  that need fixing. These issues are then resolved.

TRUSTe then helps to define the updated data management policies before certification is finally attained. What we were unable to identify is whether the certification actually expires or companies need re-certification after a period of time. TRUSTe offer a monitoring process as part of the certification offer and it may be this that ensure companies continue to adhere to best practice.

TRUSTe offers three levels of service to companies looking for Privacy shield compliance. The lowest is a dispute resolution package that offers the minimum requirement for self-certification. They also offer a assessment package. Ultmate took the highest level package which is verification and includes the ongoing monitoring.

Conclusion

Ultimate Software took a sensible step in undertaking not just the self-certification process for privacy shield but also the TRUSTe certification. For a company that already had Safe Harbor compliance this should not have been too onerous a process. For companies with European employees this announcement is potentially a differentiator for Ultimate. They are not the only one to have done so though. Workday announced their compliance back in August, barely a month after the original Privacy Shield announcement.

LEAVE A REPLY

Please enter your comment!
Please enter your name here