When GDPR was enacted, the way multinational groups of companies operated had to change to ensure adequate levels of data protection and security were observed when transferring personal data internationally between company groups. To comply with data protection regulations (both the EU Directive 1995 and the GDPR), many multinational groups of companies have adopted binding corporate rules (BCRs) as a solution for compliantly transferring personal data within their group. Although already used by many organizations as a mechanism for data transfer, now that BCRs have been brought in line with the GDPR, its popularity is growing.
By adopting binding corporate rules, not only can data be lawfully transferred from an EU country to one outside of the EU, a third country (a country that would not usually be legally required to provide the same level of protection as is mandatory in the EU), but company groups can benefit in other ways too. So, with BCRs, data export between global company groups can continue securely and compliantly, and organizations can improve their security culture throughout their group simultaneously.
Global data transfer before and after GDPR
Multinational groups of companies rely on the transfer of data from EU countries to others outside of the EU for multiple reasons and day to day business depends on this. So, the requirement to maintain the efficient and secure flow of data is important and is a priority for these companies.
The GDPR, however, prohibits the transfer of personal data to countries outside of the EU. Even before GDPR, the EU Data Protection Directive of 1995, only allowed the transfer of personal data outside of the EU when an adequate level of protection could be guaranteed in the destination country. The GDPR mirrors this as well. Both the 1995 Directive and now the GDPR provide for transfers to happen safely, but the GDPR contains further transfer mechanisms or advancements on previous ones as well.
Transfer mechanisms like an EU adequacy decision agreed appropriate safeguards, statutory exceptions (consent and contractual obligations) remain. Still, the GDPR includes accredited certifications, approved industry codes of conduct and binding corporate rules as alternatives to support data flow outside of the EU. BCRs did exist as part of the 1995 Directive, but changes have been made, and the GDPR now endorses BCRs as a valid basis for international data transfer for both data controllers and data processors.
GDPR brings changes to existing BCR practices
GDPR defines BCRs as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.”
Although binding corporate rules were part of the Directive of 1995, and the concept remains unchanged, GDPR has made some significant changes to it that are most advantageous to organizations wishing to use BCRs as a data transfer mechanism.
- Previously, BCRs were earmarked for data controllers. Now, under GDPR, data processors can establish BCRs as well. Specific requirements exist for each.
- Guidelines are updated for BCRs for controllers and BCRs for processors to show the criteria to be addressed in the BCRs. It clarifies what must form part of the BCR and what must be given to the supervisory authority as part of the BCR application.
- Extensions have been made for a group of applicants. Before, BCRs applied to groups of undertakings only. Now, groups of enterprises engaged in joint economic activities can use them too.
- The minimum requirements have been expanded to include further detail such as the contact details of each member of the group, the description of the principles of privacy by design and by default, the data subjects’ rights, information obligations and the details of the people responsible for maintaining training and compliance procedures. Further clarification exists.
Why binding corporate rules are important
Binding corporate rules function well as a transfer mechanism for companies with complex international structures. They remove the need to create and justify contracts for every single entity — which could result in thousands of contracts. Instead, BCRs allow for a single set of transfer rules to be developed, reviewed and approved. So, groups of companies or a group of undertakings or organizations involved in a multiparty economic activity, like franchises or joint ventures find BCRs invaluable.
BCRs are legally binding, enforceable, and are approved by the data protection authority. They reflect the data protection principles and data subjects’ rights. By gaining the approval of a competent data protection authority, BCRs demonstrate the organization’s competency with regards to security and proper handling of personal information and shows that the organization takes data protection seriously and can effectively and compliantly govern their information across their group of companies.
The organization can increase awareness of data protection and privacy requirements across their organization. An approved and effectively implemented BCR ensures a fitting data protection governance plan with uniform processes are applied across the organization. This improves the quality and maturity of data security and data management across the group.
BCRs are a favored transfer mechanism as it offers flexibility and once approved and implemented, the administrative burden is considerably reduced.
Suggested 7 step process to follow
For a group of companies that need to transfer personal data from one or more EU jurisdictions to destinations outside of the EU for processing, a suggested process is as follows:
Step 1: Always, first, find out if the EU confirms the destination as one with “adequate level of protection” — in other words, if an adequacy decision exists for the country in question. If not, other appropriate safeguards must be considered.
Step 2: If binding corporate rules is the safeguard of choice, the process to follow needs to be in line with GDPR. Although companies may have relied on BCRs before GDPR, changes to the process have been made, and companies should be up to date with these and make the necessary revisions to maintain compliance with GDPR.
Step 3: Decide on the type of BCR required. Two BCR types can be applied for and approved under the GDPR: one for a data controller (used by a group entity to transfer data that they have responsibility for) and one for a data processor (used by entities acting as processors for other controllers). Application guidelines exist for each and it is important to determine which application is required as the requirements for each differ.
Step 4: Determine the scope of the BCR. Decide on the personal data that the BCR will cover (all personal data or a particular set of data) and which members of the group will sign up to it (all members of the group or only some of the companies). Specify the structure and contact details of all entities participating in the BCRs. Specify the transfers, the type of data, the data subjects and the countries involved. What data is being transferred to where? All of this needs to be determined as it must be specified in the BCR application.
Step 5: Choose a lead authority for the BCR. A supervisory authority needs to be chosen to act as a single point of contact with the applicant organization. The selected lead must be justified by the organization, making the application. The application must be sent to the supervisory authority who can accept or decline to be the BCR lead after discussing the application with all supervisory authorities involved.
The lead could be a supervisory authority in an EU country where one of the companies is based. This could be the head office, but not necessarily. The review and authorization of the BCRs may involve more than one EU supervisory authority. This depends on whether multiple EU countries are affected (a group has companies in more than one EU country where data is transferred from, and those companies are also signing up to the BCRs).
Step 6: Create an intracompany code of conduct (BCRs) that functions within the group of companies whenever personal data is transferred between the groups EU entities and non-EU entities.
This should address the measures to take and rules the companies must follow to safeguard the information when processing personal information, including cross-border data transfers.
Both the company sending the data, as well as the receiver of the data must sign up to the BCRs group document.
Creating of the BCRs will need the buy-in and commitment from executives, so this support should be gained before making the BCR application. A team is necessary to develop, manage, and implement the BCR. This is vital for an efficient process.
The BCRs should incorporate the following to comply with the specific requirements:
- The structure and contact details of the group of undertakings engaged in a joint economic activity.
- The data transfers to take place, the categories of personal data, the type of processing, the purposes for processing, the data subjects impacted, the third countries involved.
- Demonstrate legally binding nature internally and externally.
- Application of the data protection principles as laid out in the GDPR.
- The rights of the data subjects and how they can exercise their rights and the process to follow to lodge a complaint with the supervisory authority if they wish.
- Procedures to maintain the effectiveness of the methods laid out to protect data and uphold the rules and maintain compliance (training, audits, etc.).
- The acceptance of the controller or processor of the EU member state of liability for any breaches of the BCR by any member concerned outside of the EU.
- How the information included in the BCR is provided to the data subjects.
- Outline of compliance procedures: methods for demonstrating compliance with the BCR (audits), methods for corrective actions to protect data subjects’ rights. Reporting procedures. Methods to record updates/changes made to the BCR and to inform the supervisory authority of these. Methods for communicating with and reporting to the supervisory authority to ensure compliance by the group and its members.
- Must show transparency has been provided against the GDPR requirements.
- Accountability: Every entity must be able to demonstrate that it complies.
The length of the application and implementation process will take depends on many aspects of the organization. The resources and expertise available, as well as the maturity level of data protection and data management strategies existing in the organization. After all, the BCR depends on the implementation of policies, procedures, and training — all integral to these data governance strategies.
Step 7: Once approval is obtained, the BCR must be appropriately implemented across the group. Binding corporate rules must be communicated and implemented, and responsibilities handed out across those involved so that the BCR is attainable and in good time. A practical and enforceable communication plan, implementation plan, training plan, and monitoring and reporting plan are all necessary to adopt the group policy effectively.
BCRs: More than just a data transfer mechanism
Although the ideal transfer mechanism remains an EU adequacy decision, this is when the EU has essentially whitelisted a country or territory as offering an “adequate level of protection” for personal data — a decision confirmed by the commission. In this case, data transfers to these areas are generally allowed without issues. However, when an adequacy decision is not available, the EU approved safeguards are necessary and important.
Binding corporate rules fall into this category and are a popular choice for many multinational groups of companies, especially since BCRs have been updated to align with the GDPR.
Additional to its function as a transfer mechanism. BCRs offer multiple benefits to company groups. It’s a way to formalize and publicize the group’s data protection management program. To demonstrate to regulators, employees, customers, and partners that the organization takes accountability for the security of personal information and allows transparency by disclosing how it handles data within the group. It puts everyone on the same page! Further to compliance, BCRs help to promote a culture of secure and responsible data usage across the group.
Featured image: Shutterstock / TechGenix photo illustration
More GDPR Preparation articles
- CCPA and GDPR: Similarities and differences you must know
- Online lead generation, conversion, and retargeting in the age of GDPR
- GDPR’s privacy by design: An opportunity, not a burden
- Warning! 5 GDPR mistakes you must avoid
- Compliance confusion: What does GDPR mean for mobile data?