By Cyber Collective Partner Noris Ismail, Managing Director of Data Privacy at Ankura.
Binding corporate rules (BCRs) are an effective mechanism used by multinational corporations to make intra-organizational transfers of personal data across borders in compliance with data protection laws.
Within the same corporate group, personal data can be transferred safely from the European Economic Area/European Union to countries that do not provide an adequate level of protection.
So far, 132 companies have obtained approved BCRs, which allow them not only to simplify cross-border data flows, but also to synchronise and simplify data management and governance processes globally and to embed a privacy culture.
Given the comprehensiveness of the internal code of conduct required and the demanding approval process, BCRs have gained a reputation for being the “gold standard” for data protection.
A key question for privacy professionals now is the role of BCRs under the General Data Protection Regulation (GDPR) as an alternative to other data transfer mechanisms, such as standard contractual clauses.
One of the key values arising from the use of BCRs is avoiding the burden of trying to keep company agreements that govern data transfers up to date and compliant in a changing privacy landscape.
The BCR process is not, however, the best solution for every company, given the time and cost associated with implementation and obtaining approval.
It requires companies to have a mature and detailed privacy programme in place, based on key data protection principles. One of the benefits of this is that the rules can be tailored to the particular needs of a given corporation, taking into account the organization’s data flows and how personal data is processed.
Once in place, these rules are legally binding and enforced by every member of the corporate group, including their employees, and expressly provide enforceable rights to data subjects. They also include tools to boost effectiveness, such as training, audit and complaints handling.
BCRs are undoubtedly a powerful tool for demonstrating data protection compliance to data subjects, clients, partners and supervisory authorities, and consequently for mitigating potential audit requests and, ultimately, liability for non-compliance.
BCRs are also useful for organizations that have massive data transfers with numerous affiliates located worldwide. A business strategy geared towards global expansion is therefore a powerful driver for adopting BCRs.
Although BCRs cover all types of information transferred within a multinational group, it is possible to differentiate between personal data and other categories of data outside the scope of the GDPR, which do not need to follow the same stringent requirements, allowing for a greater flexibility of data flows within the corporate group.
The flexibility that BCRs provide in facilitating international data transfers within a corporate group is valuable, especially for multinationals with a digital strategy where data has become a commodity.
Those companies that have chosen to use BCRs to overcome the challenges related to international data transfers cannot be complacent.
BCRs approved prior to the advent of the GDPR will need to be adjusted to ensure they are compliant with the new requirements set out in the GDPR.
European Commission guidance on BCRs, some time ago, stressed that businesses with approved BCRs should update them in line with the new GDPR requirements.
Another thorny question that has arisen is whether BCRs approved by supervisory authorities in the European Union need to go through the process again under the supervision of the Information Commissioner’s Office.
The European Data Protection Board has not yet issued any guidance, and there is consequently a lack of clarity on this issue. Data Protection Officers, General Counsel and other stakeholders in these companies therefore need to stay engaged with Data Protection Authorities and seek guidance.
Companies that have the UK regulator as their Data Protection Authority will also need to review their BCRs in the light of Brexit.
For companies without BCRs, in the event of a no-adequacy finding for the UK post-Brexit, a legal mechanism for data transfers will be needed.
In addition, other lead authorities will need to be considered to take advantage of the "one stop shop" mechanism and for any new BCRs.
Given the increasingly complex privacy landscape, multinationals must now navigate the maze of laws globally and, especially as privacy regimes in Asia evolve, BCRs are emerging as a potential silver bullet for managing multiple new privacy regimes around the world.