Global trends of Binding Corporate Rules

29 May 2019

By Cyber Collective Partner Noris Ismail, Managing Director of Data Privacy at Ankura.

Binding corporate rules (BCRs) are an effective mechanism used by multinational corporations to make intra-organizational transfers of personal data across borders in compliance with data protection laws

Data can be transferred safely from the European Economic Area/European Union to countries that do not provide an adequate level of protection within the same corporate group.

So far, 132 companies have obtained approved BCRs, which allow them to not only simplify cross border data flows, but also synchronise and simplify data management and governance processes globally and embed a privacy culture.

Given the comprehensiveness of the internal code of conduct required and the demanding approval process, BCRs have gained a reputation for being the “gold standard” for data protection. 

A key question for privacy professionals now, is the role of BCRs under the General Data Protection Regulation (GDPR), as an alternative to other data transfer mechanisms, such as standard contractual clauses.

One of the key values arising from the use of BCRs is avoiding the burden of trying to keep company agreements that govern data transfers up to date and compliant in a changing privacy landscape. 

The BCR process is not, however, the best solution for every company, given the time and cost associated with implementation and obtaining approval.

It requires companies to have a mature and detailed privacy programme in place, based on key data protection principles. One of the benefits of this is that the rules can be tailored to the particular needs of a given corporation, considering their organization’s data flows, and how personal data is processed. 

Once in place, these rules are legally binding and enforced by every member of the corporate group, including their employees, and expressly provide enforceable rights to data subjects. They also include tools to boost effectiveness, such as training, audit and complaints handling.

It goes without saying that BCRs are undoubtedly a powerful tool to demonstrate data protection compliance to subjects, clients, partners and supervisory authorities; while consequently mitigating potential audit requests and ultimately liability for non-compliance.

BCRs are also useful for organizations that have massive data transfers with numerous affiliates located worldwide. A business strategy geared towards global expansion is therefore a powerful driver for adopting BCRs.

Sign up to our latest  News & Insights

Although BCRs cover all types of information transferred within a multinational group, it is possible to differentiate between personal data and other categories of data outside the scope of the GDPR, which do not need to follow the same stringent requirements, allowing for a greater flexibility of data flows within the corporate group. 

The flexibility provided with facilitating international data transfers within a corporate group is valuable, especially for multinationals with a digital strategy where data has become a commodity.

Those companies who have chosen to use BCRs to overcome the challenges related to international data transfers cannot be complacent. 

BCRs approved prior to the advent of the GDPR will need to be adjusted to ensure they are compliant with the new requirements set out in the GDPR. 

European Commission guidance on BCRs, some time ago, stressed that businesses with approved BCRs should update them in line with the new GDPR requirements.

Another thorny question that has arisen is whether BCRs approved by supervisory authorities in the European Union need to go through the process again under the supervision of the Information Commissioner’s Office.

The European Data Protection Board has not yet issued any guidance and there is consequently a lack of clarity on this issue. Data Protection Officers, General Counsel, and other stakeholders in these companies need to, therefore, stay engaged with Data Protection Authorities and seek guidance.

Companies that have the UK regulator as their Data Protection Authority will also need to review their BCRs in the light of Brexit

For companies without BCRs, in the event of a no-adequacy finding for the UK post-Brexit, a legal mechanism for data transfers will be needed. 

In addition, other lead authorities will need to be considered to take advantage of the "one stop shop" mechanism and for any new BCRs.

Given the increasingly complex privacy landscape, multi-nationals must now navigate the maze of laws globally and, especially as privacy regimes in Asia evolve, BCRs are emerging as a potential silver bullet for managing multiple new privacy regimes around the world.



  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.

  • For more articles like this, download our Cyber Decoder

    Share this article