Frameworks FAQ

Data Privacy Framework

The DPF helps organizations comply with international data protection requirements when transferring personal data between the U.S. and other regions. Our FAQ explains membership eligibility, enrollment steps, and how the program supports compliance with global privacy standards.

Those U.S. organizations already self-certified under the Privacy Shield can immediately begin relying on the new framework for EU-U.S. data transfers as soon as they update their privacy policies. The same is true for Swiss-U.S. transfers starting July 17, 2023.

U.S.-based organizations that self-certified their commitment to comply with the EU-U.S. Privacy Shield Framework Principles must comply with the EU-U.S. DPF Principles by updating their privacy policies by October 10, 2023.

If your company is still a member of IA and based in the U.S., you will need to submit an application to the new framework and follow the steps to self-certify. This process is very similar to the process to self-certify to Privacy Shield.

If your company is currently enrolled in Privacy Shield and you have updated your policy to reflect the requirements of the DPF, starting July 17, 2023 you will need to apply for the UK Extension to the DPF for U.K.-U.S. data transfers. You cannot add the UK Extension to the EU-U.S. DPF without an updated Insights Association DPF Application.

All new IA DPF Services Program applicants will need to specify on their application whether they are self-certifying to the EU-U.S. DPF, the EU-U.S. DPF with the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF or all three. Organizations that wish to participate in the UK Extension to the EU-U.S. DPF must also participate in the EU-U.S. DPF.

*Note: Companies may not begin relying on the UK Extension to the EU-U.S. DPF to receive personal data transfers from the United Kingdom (and Gibraltar) before the date that the United Kingdom’s anticipated adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. As that date is announced, IA will communicate the information to current program participants and membership.

Organizations that self-certified their commitment to comply with the Swiss-U.S. Privacy Shield Framework Principles must comply with the Swiss-U.S. DPF Principles, including by updating their privacy policies by October 17, 2023. Those organizations do not need to make a separate, initial self-certification submission to participate in the Swiss-U.S. DPF.

*Note: Companies may not begin relying on the Swiss-U.S. DPF to receive personal data transfers from Switzerland until the date of entry into force of the Swiss Federal Administration’s anticipated recognition of adequacy for the Swiss-U.S. DPF. As that date is announced, IA will communicate the information to current program participants and membership.

The Annual Fee for IA's DPF Services Program is based on an organization's annual revenue:

| Organization Annual Revenue | Annual Fee |
|-----------------------------|------------|
| $1 million or less          | $600       |
| $1-5 million                | $850       |
| $5,000,001-$15 million      | $1,250     |
| $15,000,001-$50 million     | $1,750     |
| $50,000,001-$100 million    | $2,250     |
| Over $100 million           | $2,750     |

Please note: The IA DPF Services Program is only open to IA corporate members. If you are unsure of your member status, or would like to learn more about IA Membership, click here.

Separately. You must register with the Department of Commerce in addition to enrolling in the Insights Association DPF Services Program. This is done by creating an online account at www.dataprivacyframework.gov. You must pay the DoC fee directly to Commerce and it is separate from the fee paid to the Insights Association for the dispute resolution services provided through the Insights Association DPF Services Program. 

Failure to pay both the IA application fee and the DoC fee will result in an incomplete self-certification status that could risk exposure should a data subject complaint arise.

It typically takes the Insights Association 2-3 days (depending on how quickly material is provided) to review your company's privacy policy. It will likely take 2-4 weeks, on average, to hear back from the DPF reviewer at the DoC working on your application and policy.

You will have to:

  1. Be a company member of the Insights Association (or have applied and have no apparent obstacles to membership).
  2. Submit the application to the Insights Association DPF Services Program found here.
  3. Ensure that all relevant privacy policies are in compliance with the Framework(s). There are a couple of ways we can do this: we will send you a checklist, and/or you send us all relevant privacy policies for review and they will be returned with the necessary changes indicated.
  4. Once your privacy policies are approved and you are accepted into our program, go to www.dataprivacyframework.gov and register. The DoC will review your posted policies and check with the Insights Association to confirm your participation. If all is in order, they will register you.

Yes. It is the member company’s responsibility to pay into the Arbitral Fund. This fee is outside of the Insights Association annual program fee. More information, and the payment portal, can be found here.

First, contact Juliana Wood for guidance on your specific situation. Next, review the info on IA's Information for EU/Swiss Citizens to file a complaint page. Within that page there is an embedded link that will take you to the DPF complaint page, which contains additional information. Each case will be different, and the good news is that market research and insights companies have had zero formal complaints from overseas data subjects in the 5+ years since the GDPR went into effect.

The DoC will monitor any false claims of EU-U.S. DPF participation or the improper use of the EU-U.S. DPF certification mark. In particular, the DoC will on an ongoing basis verify that organisations that

(i) withdraw from participation in the EU-U.S. DPF,

(ii) fail to complete the annual re-certification (i.e. either started, but failed to complete the annual re-certification process in a timely manner or did not even start the annual re-certification process),

(iii) are removed as a participant, notably for “persistent failure to comply,” or

(iv) fail to complete an initial certification (i.e. started, but failed to complete the initial certification process in a timely manner),

remove from any relevant published privacy policy references to the EU-U.S. DPF that imply that the organisation actively participates in the Framework.

The DoC will also conduct internet searches to identify references to the EU-U.S. DPF in organisations’ privacy policies, including to identify false claims by organisations that never participated in the EU-U.S. DPF. Where the DoC finds that references to the EU-U.S. DPF have not been removed or are improperly used, it will inform the organisation about a possible referral to the FTC/DoT. If an organisation fails to respond satisfactorily, the DoC will refer the matter to the relevant agency for potential enforcement action or other relevant U.S. enforcement authorities. 

Beyond those annual fees, the only additional fees would arise if you receive a complaint that persists to the arbitration stage.

For any other questions not represented here, please contact Juliana Wood, IA's DPF Services Program manager.
