A: An organization may verify such attestations and assertions either through self assessment or outside compliance reviews. Under the self assessment approach, such verification would have to indicate that an organization's published privacy policy is accurate, comprehensive, prominently displayed, completely implemented and accessible.* It would also need to indicate that its privacy policy conforms to the safe harbor principles; that consumers are informed of the consumer complaint resolution mechanisms through which complaints are handled; that it has in place procedures for disseminating its privacy policy to employees, training them in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically reviewing compliance with the above. A statement verifying the self assessment should be signed by a corporate officer or other authorized representative of the company at least once a year and provided as part of the documentation included in the annual renewal of the self certification process.
Where the organization has chosen outside compliance review, such reviews may include without limitation auditing, random reviews, use of "decoys," or use of technology tools as appropriate to ensure that organizations are adhering to their articulated privacy policies. A statement verifying that an outside compliance review has been successfully completed should be signed either by the reviewer or by the corporate officer or other authorized representative of the company at least once a year and provided as part of the documentation included in the annual renewal of the self certification process.
*The European Commission believes that these criteria should also apply in the case of outside compliance review and that the procedures for their implementation should be further specified.